The watcher should count `hits.total` per user and report that count. Right now the output is flooded with duplicate entries, one per matching hit instead of one per user.
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"winlogbeat-*"
],
"types": [],
"body": {
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"from": "now-5m",
"to": "now"
}
}
},
{
"match": {
"winlog.event_id": "4624"
}
}
]
}
},
"aggs": {
"users": {
"terms": {
"field": "winlog.event_data.TargetUserName.keyword",
"size": 5
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 2
}
}
}
,
"actions": {
"webhook_1": {
"transform": {
"script": {
"source": "['items': ctx.payload.hits.hits.collect(hit -> [ 'User': hit._source.winlog.event_data.TargetUserName, 'Host': hit._source.host.name, 'color': 'danger'])]",
"lang": "painless"
}
},
"webhook": {
"scheme": "https",
"host": "api.telegram.org",
"port": 443,
"method": "post",
"path": "/bot1083[hidden]/sendMessage",
"params": {},
"headers": {
"Content-Type": "application/x-www-form-urlencoded"
},
"body": "chat_id=-[hidden]&text={{#toJson}}ctx.payload{{/toJson}}"
}
}
}
}