Hello Everyone.
My Elasticsearch cluster is receiving logs whose Event Name field contains "Security risk found".
I want the details of each such log sent to my email.
In Watcher I created a new alert with this definition:
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"*sepm*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"match": {
"EventName.keyword": "Security risk found"
}
},
{
"range": {
"@timestamp": {
"gte": "now-1m",
"lte": "now"
}
}
}
]
}
},
"sort": [
{
"@timestamp": {
"order": "desc"
}
}
]
}
}
}
},
"condition": {
"always": {}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"to": [
"mymail@mycompany.com"
],
"subject": "ALERT: {{ctx.payload.hits.hits.0._source.EventName}}",
"body": {
"text": "Time: {{ctx.payload.hits.hits.0._source.TimeStamp}}\n\nEvent Name: {{ctx.payload.hits.hits.0._source.EventName}}\nDomainSEP: {{ctx.payload.hits.hits.0._source.DomainSEP}}\nGroup: {{ctx.payload.hits.hits.0._source.Group}}\nHostName: {{ctx.payload.hits.hits.0._source.HostName}}\nUserName: {{ctx.payload.hits.hits.0._source.UserName}}\nIPAddress: {{ctx.payload.hits.hits.0._source.IPAddress}}\n\nRisk Name: {{ctx.payload.hits.hits.0._source.RiskName}}\nSHA256: {{ctx.payload.hits.hits.0._source.SHA256}}\nAction: {{ctx.payload.hits.hits.0._source.Action}}\nPath: {{ctx.payload.hits.hits.0._source.Path}}\n\nPayload:\n{{ctx.payload.hits.hits.0._source.Message}}\n\nTimes:\nScheduled: {{ctx.trigger.scheduled_time}} (query window: now-1m to now)\nTriggered: {{ctx.trigger.triggered_time}}\n\n"
}
}
}
}
}