Watcher alerts not triggered

VietCong · June 25, 2018, 9:14am

Hi,

I have my basic watch to alert of log on failures. When I stimulated the watch it worked and generated a Slack message but the watch never triggered even though the conditions are met. Please find my alert below.

{
  "trigger": {
    "schedule": {
      "interval": "60m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "auth.log"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": {
                "match": {
                  "message": "failure"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-5m",
                    "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 3
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "message": {
          "to": [
            "#slack-alert-from-siem"
          ],
          "text": "there is multiple logon failures within the last 3 mins"
        }
      }
    }
  }
}

spinscale · June 25, 2018, 10:02am

Hey,

please format your messages properly using markdown. Just pasting JSON makes it super hard to read.

Can you include the watch history for this watch? The query below allows you to query the last watch exeuctions. Should be sufficient to only the most recent one for now by using "size": 1 in the query as well.

GET .watcher-history-*/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "watch_id": "my_watch"
          }
        }
      ]
    }
  },
  "sort": [
    {
      "trigger_event.triggered_time": {
        "order": "desc"
      }
    }
  ]
}

VietCong · June 27, 2018, 11:50pm

Hi,

My apologies for the messy code. I edited my initial question. Please find the picture below for the watch history. It is the last very bottom watch and hasn't triggered at all.

spinscale · June 29, 2018, 8:42am

Hey,

that screenshot does not really help, please include the output from the query that I asked for. There is one watch marked as disabled - I have n idea however if that is the watch you are talking about. Did you maybe deactivate it? You can either activate it, or just delete it and put it again and see if that makes the watch trigger.

Hope this helps.

--Alex

VietCong · June 29, 2018, 9:07am

Hi Alex,

The watch I am talking about is the very last one.

VietCong · July 3, 2018, 4:17am

I found out it is the problem with the logic. I should have had my "Interval" : "1m" instead of "60m" --> interval refers to how often I want my watch to run

system · July 31, 2018, 4:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.