Hi Experts,
Currently I have an error in a watcher that I have not been able to solve. I am generating some failed logins so that, when more than 3 attempts per user are detected, the watcher fires and sends a notification by e-mail. However, an error appears when the watcher executes. Below are my code and my error. I tried using size: 50 or higher values, but I don't really know how that setting works; previously it was size: 0.
{
"trigger": {
"schedule": {
"interval": "15m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"o365beat-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 50,
"query": {
"bool": {
"must": [],
"filter": [
{
"bool": {
"filter": [
{
"bool": {
"should": [
{
"match_phrase": {
"Workload": "AzureActiveDirectory"
}
}
],
"minimum_should_match": 1
}
},
{
"bool": {
"should": [
{
"match_phrase": {
"event.action": "UserLoginFailed"
}
}
],
"minimum_should_match": 1
}
}
]
}
},
{
"range": {
"@timestamp": {
"gte": "now-15m",
"lte": "now"
}
}
}
],
"should": [],
"must_not": []
}
},
"aggs": {
"by": {
"terms": {
"field": "user.id.keyword"
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.by.buckets.0.doc_count": {
"gt": 3
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "gmail",
"attachments": {
"loginfailde.csv": {
"reporting": {
"url": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"retries": 80,
"interval": "4s",
"auth": {
"basic": {
"username": "XXXXXXXXXXXXXX",
"password": "XXXXXXXXXXXXXX"
}
}
}
}
},
"to": [
"parami@paramiotravez"
],
"subject": "New Event",
"body": {
"text": "Se han detectado {{ctx.payload.aggregations.by.buckets.0.doc_count}} evento(s) relacionado(s) con Intentos de Inicio de Sesión Fallidos"
}
}
}
}
}
And the error is the following (the tail of the watcher execution output):
"actions": []
},
"exception": {
"type": "index_out_of_bounds_exception",
"reason": "Index 0 out of bounds for length 0"
}
}