Send Email from watcher when the system get specify log

mord · November 26, 2019, 6:55pm

Hello Everyone.
My Elasticsearch getting logs of "Security risk found" in Event Name(field).
I want to get details of this log to my email.
In my watcher I create a new alert with this text:

 {
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*sepm*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "EventName.keyword": "Security risk found"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m",
                      "lte": "now"
                    }
                  }
                }
              ]
            }
          },
          "sort": [
            {
              "@timestamp": {
                "order": "desc"
              }
            }
          ]
        }
      }
    }
  },
  "condition": {
    "always": {}
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "mymail@mycompany.com"
        ],
        "subject": "ALERT: {{ctx.payload.hits.hits.0._source.EventName}}",
        "body": {
          "text": "Time: {{ctx.payload.hits.hits.0._source.TimeStamp}}\n\nEvent Name: {{ctx.payload.hits.hits.0._source.EventName}}\nDomainSEP: {{ctx.payload.hits.hits.0._source.DomainSEP}}\nGroup: {{ctx.payload.hits.hits.0._source.Group}}\nHostName: {{ctx.payload.hits.hits.0._source.HostName}}\nUserName: {{ctx.payload.hits.hits.0._source.UserName}}\nIPAddress: {{ctx.payload.hits.hits.0._source.IPAddress}}\n\nRisk Name: {{ctx.payload.hits.hits.0._source.RiskName}}\nSHA256: {{ctx.payload.hits.hits.0._source.SHA256}}\nAction: {{ctx.payload.hits.hits.0._source.Action}}\nPath: {{ctx.payload.hits.hits.0._source.Path}}\n\nPayload:\n{{ctx.payload.hits.hits.0._source.Message}}\nTimes:Scheduled{{ctx.trigger.scheduled_time}}||-1m\nTriggered{{ctx.trigger.triggered_time}}-------------\n\n"
        }
      }
    }
  }
}

spinscale · November 28, 2019, 9:13am

do you care to explain what the current problem is in order to be better able to help? In your example an email would get send, even if no document matched the query, as the condition triggers always. This might already be a problem.

Otherwise please take the time to be clear what you expect and what is not working as expected.

Thanks!

system · December 26, 2019, 9:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Config mails to send me notification of a watcher alert Elasticsearch elastic-stack-monitoring , elastic-stack-alerting	1	748	December 22, 2020
Need help with watcher to send the correct fields of result in the email Elasticsearch elastic-stack-alerting	6	1285	June 23, 2020
How to get data from watcher Elasticsearch	4	1345	May 27, 2017
Send _doc field values in email via watcher Elasticsearch elastic-stack-alerting	2	372	June 19, 2019
I want to configure threshold alert if totaltime exceeds 500 then mail should sent to the User Elasticsearch elastic-stack-reporting , elastic-stack-alerting	8	821	October 9, 2020

Send Email from watcher when the system get specify log

Related Topics