Hello, I am hoping someone can assist with this JSON watcher alert. I am simply trying to create an alert that triggers when any monitored host experiences 5 failed logon attempts within 1 minute. Thanks in advance for your help.
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"winlogbeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-20s",
"lte": "now"
}
}
}
],
"must": {
"match": {
"message": "An account failed to log on"
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 5
}
}
},
"actions": {
"email_1": {
"email": {
"profile": "standard",
"to": [
"xxxx@xxxxxxx.xxx"
],
"subject": "Watch [{{ctx.metadata.name}}] has exceeded the threshold",
"body": {
"text": "Failed Logon exceeds threshold"
}
}
}
}
}