Hi All,
On the watcher below I am getting an error:
Watcher: An internal server error occurred
My guess is that it is in the condition, where I execute a piece of Painless code, but I cannot seem to figure out what I am doing wrong. I basically have 2 questions.
1. If such an error occurs, where is this logged?
2. Could someone help me with the watcher below?
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"clog-*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "tags:cmgw AND action:P6* AND _exists_:hdr_subject AND cm_score: [0 TO 90] AND NOT dkim:pass* AND NOT dmarc:pass*",
"analyze_wildcard": true
}
},
{
"range": {
"@timestamp": {
"gte": "now-5m",
"lte": "now"
}
}
}
],
"must_not": [
{
"bool": {
"should": [
{
"match_phrase": {
"hdr_from": "gruppiotthon"
}
},
{
"match_phrase": {
"hdr_from": "gruppi.hu"
}
},
{
"match_phrase": {
"hdr_from": "gruppiajandek.hu"
}
},
{
"match_phrase": {
"hdr_from": "telekom.hu"
}
},
{
"match_phrase": {
"hdr_from": "szallas.hu"
}
},
{
"match_phrase": {
"hdr_from": "hvg.hu"
}
},
{
"match_phrase": {
"hdr_from": "kreativhobby.hu"
}
},
{
"match_phrase": {
"hdr_from": "spartoo.hu"
}
},
{
"match_phrase": {
"hdr_from": "vizionet.cz"
}
},
{
"match_phrase": {
"hdr_from": "mango.com"
}
}
],
"minimum_should_match": 1
}
}
]
}
},
"aggs": {
"subjectsAggs": {
"terms": {
"field": "hdr_subject.keyword",
"size": 10,
"min_doc_count": 10,
"order": {
"_count": "desc"
}
},
"aggs": {
"sourceIpsAggs": {
"terms": {
"field": "ip",
"size": 10,
"order": {
"_count": "desc"
}
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"lang": "painless",
"source": "if (ctx.payload.hits.total < 1) return false; for (int i=0; i < ctx.payload.aggregations.subjectsAggs.buckets.size(); i++) { if ((ctx.payload.aggregations.subjectsAggs.buckets[i].doc_count > 10) && (ctx.payload.aggregations.subjectsAggs.buckets.[i].sourceIpsAggs.[i].buckets.size() > 10)) { return true; }}",
"params": {
"ip.threshold": 10,
"subject.threshold": 10
}
}
},
"actions": {
"email_1": {
"email": {
"profile": "standard",
"to": [
"paujanzen@xxxx.com"
],
"subject": "Watch [{{ctx.metadata.name}}] has exceeded the threshold",
"body": {
"html": "Found events : <br><br>{{ctx.payload.aggregations}}"
}
}
}
},
"metadata": {
"name": "eSRD"
}
}