Hi,
I have one watcher which is checking for user login events every 1 minute. Now I have issues in filtering the results in the following manner:
- I want to get only the failed login events (exclude successful logins). Here the "event.type" field gives the event message, which is either authentication success or authentication failed.
- Alert only if the login request is from outside the host country (example: alert if the request source country is other than US). In the below watcher, the "source.geo.country_name" field gives the value of the country.
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "auditbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-1m",
                      "to": "now"
                    }
                  }
                },
                {
                  "term": {
                    "event.action": "user_login"
                  }
                }
              ]
            }
          },
          "aggs": {
            "authmsg": {
              "terms": {
                "field": "event.type",
                "size": 5
              },
              "aggs": {
                "country": {
                  "terms": {
                    "field": "source.geo.country_name",
                    "size": 5
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
Below is the response for the above query:
  "aggregations" : {
    "authmsg" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "country" : {
            "doc_count_error_upper_bound" : 0,
            "sum_other_doc_count" : 0,
            "buckets" : [
              {
                "doc_count" : 1,
                "key" : "Canada"
              }
            ]
          },
          "doc_count" : 1,
          "key" : "authentication_failed"
        }
      ]
    }
  }
}
I tried a few solutions from other posts but no luck. Can anyone help me fix this or point me to an example similar to the above request?
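The two conditions the post asks for can be pushed into the query itself instead of being read off the aggregation buckets: a second `term` filter keeps only `event.type: authentication_failed`, and a `must_not` clause drops documents whose `source.geo.country_name` is the home country, so the watcher only needs a `compare` condition on `ctx.payload.hits.total`. The Python below is an added example, not code from the post or from Elastic: it builds that watcher body and re-implements the same bool logic locally so the filter can be checked against constructed sample documents. The field names, index pattern and `authentication_failed` value come from the post; the home-country string `"United States"` (the post only says "US"), the `exists` filter, the `size` of 10 and the `logging` action are assumptions.

```python
import json

# Added example, not code from the original post. Field names, the index pattern
# and the "authentication_failed" value are taken from the post; the home-country
# string "United States" is an assumption (the post only says "US").
HOME_COUNTRY = "United States"

# Constructed sample documents, flattened to dotted keys for the local check.
SAMPLE_EVENTS = [
    {"event.action": "user_login", "event.type": "authentication_failed",
     "source.geo.country_name": "Canada"},
    {"event.action": "user_login", "event.type": "authentication_failed",
     "source.geo.country_name": "United States"},
    {"event.action": "user_login", "event.type": "authentication_success",
     "source.geo.country_name": "Canada"},
    # failed login from a private address: the geoip lookup produced no country
    {"event.action": "user_login", "event.type": "authentication_failed"},
]


def build_watcher(home_country=HOME_COUNTRY, index_pattern="auditbeat-*"):
    """Watcher definition that returns only failed logins from outside home_country."""
    query = {
        "bool": {
            "filter": [
                {"range": {"@timestamp": {"gte": "now-1m", "lt": "now"}}},
                {"term": {"event.action": "user_login"}},
                # keep only failed attempts (value seen in the post's aggregation)
                {"term": {"event.type": "authentication_failed"}},
                # require a geo lookup: without this, a document with no country
                # field is NOT excluded by must_not and would alert
                {"exists": {"field": "source.geo.country_name"}},
            ],
            # drop anything that did come from the home country
            "must_not": [{"term": {"source.geo.country_name": home_country}}],
        }
    }
    return {
        "trigger": {"schedule": {"interval": "1m"}},
        "input": {
            "search": {
                "request": {
                    "indices": [index_pattern],
                    "rest_total_hits_as_int": True,
                    # size > 0 so the matching documents are available to the action
                    "body": {"size": 10, "query": query},
                }
            }
        },
        # fire only when the search returned at least one document
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {
            "log_foreign_failures": {
                # placeholder action; swap in email/webhook/etc. as needed
                "logging": {
                    "level": "warn",
                    "text": "{{ctx.payload.hits.total}} failed login(s) from outside "
                            + home_country,
                }
            }
        },
    }


def matches(event, home_country=HOME_COUNTRY):
    """Local re-implementation of the bool query above, for checking sample docs."""
    if event.get("event.action") != "user_login":
        return False
    if event.get("event.type") != "authentication_failed":
        return False
    country = event.get("source.geo.country_name")
    if country is None:  # the exists filter rejects documents with no geo data
        return False
    return country != home_country  # must_not on the home country


def alerting_events(events=SAMPLE_EVENTS, home_country=HOME_COUNTRY):
    """Return the sample documents the watcher's search would hand to the condition."""
    return [e for e in events if matches(e, home_country)]


if __name__ == "__main__":
    print(json.dumps(build_watcher(), indent=2))
    print(alerting_events())
```

Of the four constructed documents only the failed login from Canada survives. The `exists` filter is a deliberate choice: a failed login from an RFC 1918 address has no `source.geo.country_name`, and a bare `must_not` on the home country would let it through as if it were foreign, so decide explicitly whether such events should alert (drop the `exists` clause if they should). `term` on `source.geo.country_name` only works because the post's aggregation already shows it is a keyword field.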