Send email from Watcher when the system gets a specific log

Hello everyone.
My Elasticsearch is getting logs with "Security risk found" in the Event Name field.
I want to get the details of this log sent to my email.
In my Watcher I created a new alert with this text:

 {
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*sepm*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "EventName.keyword": "Security risk found"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          },
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "mymail@mycompany.com"
        ],
        "subject": "ALERT: {{ctx.payload.hits.hits.0._source.EventName}}",
        "body": {
          "text": "Time: {{ctx.payload.hits.hits.0._source.TimeStamp}}\n\nEvent Name: {{ctx.payload.hits.hits.0._source.EventName}}\nDomainSEP: {{ctx.payload.hits.hits.0._source.DomainSEP}}\nGroup: {{ctx.payload.hits.hits.0._source.Group}}\nHostName: {{ctx.payload.hits.hits.0._source.HostName}}\nUserName: {{ctx.payload.hits.hits.0._source.UserName}}\nIPAddress: {{ctx.payload.hits.hits.0._source.IPAddress}}\n\nRisk Name: {{ctx.payload.hits.hits.0._source.RiskName}}\nSHA256: {{ctx.payload.hits.hits.0._source.SHA256}}\nAction: {{ctx.payload.hits.hits.0._source.Action}}\nPath: {{ctx.payload.hits.hits.0._source.Path}}\n\nPayload:\n{{ctx.payload.hits.hits.0._source.Message}}\nTimes:Scheduled{{ctx.trigger.scheduled_time}}||-1m\nTriggered{{ctx.trigger.triggered_time}}-------------\n\n"
        }
      }
    }
  }
}

Do you care to explain what the current problem is, so that we are better able to help? In your example an email would get sent even if no document matched the query, as the condition always triggers. This might already be a problem.

Otherwise please take the time to be clear what you expect and what is not working as expected.

Thanks!
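A version of the watch that addresses the point in the reply, added here as an illustration rather than code from the thread: it only fires when the search returned at least one hit, and the email body iterates over every matching hit instead of reading only hit 0. Field names, index pattern and address are taken from the original post; the `size` of 50 is an assumed value.

```json
{
  "trigger": { "schedule": { "interval": "1m" } },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [ "*sepm*" ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 50,
          "query": {
            "bool": {
              "must": [
                { "match": { "EventName.keyword": "Security risk found" } },
                { "range": { "@timestamp": { "gte": "now-1m", "lte": "now" } } }
              ]
            }
          },
          "sort": [ { "@timestamp": { "order": "desc" } } ]
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [ "mymail@mycompany.com" ],
        "subject": "ALERT: {{ctx.payload.hits.total}} 'Security risk found' event(s) in the last minute",
        "body": {
          "text": "{{#ctx.payload.hits.hits}}Time: {{_source.TimeStamp}}\nHost: {{_source.HostName}} ({{_source.IPAddress}})\nUser: {{_source.UserName}}\nDomainSEP: {{_source.DomainSEP}} / Group: {{_source.Group}}\nRisk Name: {{_source.RiskName}}\nSHA256: {{_source.SHA256}}\nAction: {{_source.Action}}\nPath: {{_source.Path}}\n\n{{/ctx.payload.hits.hits}}Scheduled: {{ctx.trigger.scheduled_time}} | Triggered: {{ctx.trigger.triggered_time}}"
        }
      }
    }
  }
}
```

The `compare` condition works on `ctx.payload.hits.total` as an integer only because `rest_total_hits_as_int` is set; `size` raises the default of 10 returned hits so the Mustache loop sees up to 50 matches per run.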
