Hi,
I am currently working on a watcher that sends out an alert when a user has too many failed login attempts. I am aggregating the documents first by realm and then by username.
Now, within the compare clause of my watcher condition, I want to get the doc_count for each username and compare it to the threshold I set (in this case, an arbitrary number of 20).
Is there any way I can do this? I was researching whether array_compare was a viable solution, but according to another thread it does not support nested aggregations.
Thank you for assisting me
This is my current watcher:
{
"trigger": {
"schedule": {
"interval": "10s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"XXXXXXXXX"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "XXXXXXXXX:LOGIN_ERROR"
}
},
{
"range": {
"@timestamp": {
"gte": "now-10m",
"lte": "now"
}
}
}
]
}
},
"aggs": {
"group_by_realm": {
"terms": {
"field": "XXXXXXXX.realmId",
"size": 5
},
"aggs": {
"group_by_username": {
"terms": {
"field": "XXXXXXXX.username",
"size": 5
},
"aggs": {
"get_latest": {
"terms": {
"field": "@timestamp",
"size": 1,
"order": {
"_key": "desc"
}
}
}
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 50
}
}
}
}