Hello experts, the following watcher should fire when five failed logins occur within five minutes.
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"nalseg-winlogbeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
],
"filter": [
{
"bool": {
"filter": [
{
"bool": {
"should": [
{
"bool": {
"should": [
{
"match_phrase": {
"agent.hostname": "XXXXXXX"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"agent.hostname": "XXXXXXX"
}
}
],
"minimum_should_match": 1
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match": {
"winlog.event_id": 4625
}
}
],
"minimum_should_match": 1
}
}
]
}
}
],
"should": [],
"must_not": []
}
},
"aggs": {
"userid": {
"terms": {
"field": "winlog.event_data.TargetUserName"
}
}
}
}
}
}
},
"condition" : {
"script" : {
"source" : "return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5"
}
},
"actions": {
"send_email": {
"email": {
"profile": "gmail",
"attachments": {
"XXXXXXXX.csv": {
"reporting": {
"url": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX,
"retries": 80,
"interval": "4s",
"auth": {
"basic": {
"username": XXXXXXX,
"password": XXXXXXX
}
}
}
}
},
"to": [
"XXXX@xxx"
],
"subject": "XXXXXXXXXXXXXXXXXXXXXXXxx",
"body": {
"text": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX."
}
}
}
}
}
When I execute it, I get the following error:
"exception": {
"type": "script_exception",
"reason": "runtime error",
"script_stack": [
"return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5",
" ^---- HERE"
],
"script": "return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5",
"lang": "painless",
"position": {
"offset": 25,
"start": 0,
"end": 93
},
"caused_by": {
"type": "null_pointer_exception",
"reason": "Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null",
"stack_trace": "java.lang.NullPointerException: Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null\n\tat org.elasticsearch.painless.DefBootstrap$PIC.fallback(DefBootstrap.java:206)\n\tat org.elasticsearch.painless.PainlessScript$Script.execute(return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5:26)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.doExecute(ScriptCondition.java:60)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.execute(ScriptCondition.java:55)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.executeInner(ExecutionService.java:512)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.execute(ExecutionService.java:319)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction$1.doRun(TransportExecuteWatchAction.java:159)\n\tat org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService$WatchExecutionTask.run(ExecutionService.java:626)\n\tat org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:651)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)\n\tat java.base/java.lang.Thread.run(Thread.java:832)\n"
},
"stack_trace": "ScriptException[runtime error]; nested: NullPointerException[Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null];\n\tat org.elasticsearch.painless.PainlessScript.convertToScriptException(PainlessScript.java:96)\n\tat org.elasticsearch.painless.PainlessScript$Script.execute(return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5:80)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.doExecute(ScriptCondition.java:60)\n\tat org.elasticsearch.xpack.watcher.condition.ScriptCondition.execute(ScriptCondition.java:55)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.executeInner(ExecutionService.java:512)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService.execute(ExecutionService.java:319)\n\tat org.elasticsearch.xpack.watcher.transport.actions.execute.TransportExecuteWatchAction$1.doRun(TransportExecuteWatchAction.java:159)\n\tat org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37)\n\tat org.elasticsearch.xpack.watcher.execution.ExecutionService$WatchExecutionTask.run(ExecutionService.java:626)\n\tat org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:651)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)\n\tat java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)\n\tat java.base/java.lang.Thread.run(Thread.java:832)\nCaused by: java.lang.NullPointerException: Cannot invoke \"Object.getClass()\" because \"callArgs[0]\" is null\n\tat org.elasticsearch.painless.DefBootstrap$PIC.fallback(DefBootstrap.java:206)\n\tat org.elasticsearch.painless.PainlessScript$Script.execute(return ctx.payload.userid.buckets.size() > 0 && ctx.payload.userid.by.buckets.0.doc_count > 5:26)\n\t... 11 more\n"
}
}