I am new to Watchers and Elasticsearch API.
I need to create an email alert that will notify me if someone inserts an unauthorized mass storage device into a USB slot of Windows machines. The watcher needs to query events collected by winlogbeat from Windows Event Logs of several machines.
The watcher needs to do the following:
- Run every 5 minutes.
- Query only events that took place between now and 15 minutes ago, ignoring any older events.
- Initiate an action (email alert) if the following condition is met: the "winlog.channel.keyword" field contains "Microsoft-Windows-Kernel-PnP/Configuration" AND the "winlog.event_id.keyword" field contains "402".
The watcher runs every 5 minutes and reports that the condition was met every time it runs, although the insertion of unauthorized USB mass storage took place over 2 weeks ago and no new insertions took place since.
I therefore wonder:
- Is my time range specified correctly? Could it be that the watcher picks up that old event every time it runs?
- Is the watcher only looking for the "Microsoft-Windows-Kernel-PnP/Configuration" value in the "winlog.channel.keyword" field, instead of also checking the "winlog.event_id.keyword" field?
Below is the code of the advanced watcher I created; I would appreciate your help in correcting it.
```json
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "md-winevent-alias"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-30m"
                  }
                }
              },
              "must": [
                {
                  "match": {
                    "winlog.channel": "Microsoft-Windows-Kernel-PnP/Configuration"
                  }
                },
                {
                  "match": {
                    "winlog.event_id": "402"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },
  "actions": {
    "email_administrator": {
      "email": {
        "profile": "standard",
        "to": [
          "john.doe@somewhere.com"
        ],
        "subject": "KRAKEN - USB Insertion Detected",
        "body": "Unauthorized USB insertion reported. Please consult KRAKEN Kibana dashboards."
      }
    }
  }
}
```
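The watch above fires on every run because `hits.total` is always greater than or equal to 0, so the `compare` condition is satisfied even when the search returns nothing; the `match` queries on the analysed text fields are a second, lesser issue. Below is an added example, not the poster's watch or Elastic's code: the same watcher rebuilt as a Python dict with `gt: 0`, `term` queries on the `.keyword` sub-fields, a 15-minute lookback and a per-action `throttle_period`, plus a small re-implementation of the `compare` condition so the difference between `gte` and `gt` can be checked offline. It assumes the alias `md-winevent-alias` exists and that the winlogbeat mapping has `.keyword` sub-fields on `winlog.channel` and `winlog.event_id`, as the question states.

```python
# Added example, not the original poster's watch: the same watcher with the
# always-true condition and the text-field matches corrected, plus a small
# re-implementation of Watcher's "compare" condition to check "gte" vs "gt".
# Assumed: the alias "md-winevent-alias" exists and the winlogbeat mapping has
# ".keyword" sub-fields on winlog.channel and winlog.event_id.
import operator

OPS = {"eq": operator.eq, "not_eq": operator.ne, "gt": operator.gt,
       "gte": operator.ge, "lt": operator.lt, "lte": operator.le}


def compare_condition(payload: dict, op: str, value) -> bool:
    """Evaluate a Watcher compare condition on ctx.payload.hits.total."""
    return OPS[op](payload["hits"]["total"], value)


def corrected_watch(lookback: str = "15m", interval: str = "5m") -> dict:
    """Watch that fires only when at least one matching event is in the window."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "search_type": "query_then_fetch",
            "indices": ["md-winevent-alias"],
            "rest_total_hits_as_int": True,  # hits.total stays a plain integer
            "body": {"query": {"bool": {"filter": [
                {"range": {"@timestamp": {"gte": f"now-{lookback}", "lte": "now"}}},
                # exact matches on keyword sub-fields, not analysed text fields
                {"term": {"winlog.channel.keyword":
                          "Microsoft-Windows-Kernel-PnP/Configuration"}},
                {"term": {"winlog.event_id.keyword": "402"}},
            ]}}},
        }}},
        # "gte": 0 is satisfied by zero hits; "gt": 0 needs a real hit
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"email_administrator": {
            # a 15m window polled every 5m would mail the same event up to
            # three times; throttle the action so one event yields one alert
            "throttle_period": lookback,
            "email": {
                "profile": "standard",
                "to": ["john.doe@somewhere.com"],
                "subject": "KRAKEN - USB Insertion Detected",
                "body": "Unauthorized USB insertion reported. "
                        "Please consult KRAKEN Kibana dashboards.",
            },
        }},
    }
```

`json.dumps(corrected_watch(), indent=2)` gives the body to PUT via the watcher API; `compare_condition({"hits": {"total": 0}}, "gte", 0)` returns True, which is exactly why the original alerted with no new events.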