Watcher only fires with single character matching

Hello,

I am currently creating a watcher, which should trigger every time a specific action (Azure NSG change) is detected within the logs.
My watcher is never fired if I try to use the value provided by Azure to detect an NSG change (Microsoft.Network/networkSecurityGroups/securityRules/write), but will trigger systematically if I only specify one or two characters in the matching condition.

Here is the watcher code:

{
  "trigger": {
    "schedule": {
      "interval": "24h"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "sec_azure_activity_logs*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": 
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-24h"
                    }
                  }
                }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.hits.hits.get(0)._source.message.contains('Microsoft.Network/networkSecurityGroups/securityRules/write')",
      "lang": "painless"
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "XXXXXXXXXXXXXXXX"
        ],
        "subject": "Watcher Notification",
        "body": {
          "text": "An operation on NSG has been performed"
        }
      }
    }
  }
}

Yes, I confirm I have some correct logs in my base.
Another piece of information: my message field is a big JSON. Azure is quite verbose and JSON is the default output format.

Do you have any idea why my watcher only fires for 1-2 characters matching, but never for a larger string?

Thanks for your help.

This is not the best approach to solve this issue. The issue is your search. You are searching for any document in the past 24 hours in that index. However, you are only checking the first of your hits for whether the message field contains some data. The condition check needs to be moved into the query, and your condition should only consist of whether there are more than zero hits.

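A corrected watcher along the lines of the reply above, added here as an example and not code from the thread: the operation name becomes a match_phrase filter on message next to the time range, so every matching document in the window counts, and the condition only checks that the search returned hits. It assumes message is an analyzed text field and that the watcher payload exposes hits.total as an integer (use ctx.payload.hits.total.value on versions that return an object); the recipient address is a placeholder.

```json
{
  "trigger": { "schedule": { "interval": "24h" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "sec_azure_activity_logs*" ],
        "body": {
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-24h" } } },
                { "match_phrase": { "message": "Microsoft.Network/networkSecurityGroups/securityRules/write" } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [ "soc-team@example.invalid" ],
        "subject": "Watcher Notification",
        "body": { "text": "{{ctx.payload.hits.total}} NSG security rule write(s) detected in the last 24h" }
      }
    }
  }
}
```

Run it once with the _execute_watch API and inspect result.input.payload.hits.total before enabling the email action, so you can confirm the filter matches real Azure activity records rather than relying on the first hit.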
