Hello,
I am currently creating a watcher, which should trigger every time a specific action (Azure NSG change) is detected within the logs.
My watcher is never fired if I try to use the value provided by Azure to detect an NSG change (Microsoft.Network/networkSecurityGroups/securityRules/write), but will trigger systematically if I only specify one or two characters in the matching condition.
Here is the watcher code:
```json
{
  "trigger": {
    "schedule": {
      "interval": "24h"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "sec_azure_activity_logs*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-24h"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.hits.hits.get(0)._source.message.contains('Microsoft.Network/networkSecurityGroups/securityRules/write')",
      "lang": "painless"
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "XXXXXXXXXXXXXXXX"
        ],
        "subject": "Watcher Notification",
        "body": {
          "text": "An operation on NSG has been performed"
        }
      }
    }
  }
}
```
Yes, I confirm I have some correct logs in my base.
Another piece of information: my message field is a big JSON document. Azure is quite verbose and JSON is the default output format.
Do you have any idea why my watcher only fires for 1-2 matching characters, but never for a larger string?
Thanks for your help.
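The condition in the post inspects only `ctx.payload.hits.hits.get(0)`, i.e. the first document returned for the whole 24-hour window, and that document is whatever happens to sort first, not necessarily the NSG event. The following Python model (an added example, not code from the original post or from Elastic) reproduces the observed behaviour on a constructed payload: a one- or two-character needle matches almost any Azure message, while the full operation name is only present in some hits. It then shows two alternative checks, one that scans every hit and one that parses the JSON message and compares the decoded `operationName`. The sample hits, the `operationName` field layout, and the escaped-slash variant in hit 2 are assumptions made for the example; the post does not say how Azure serialises the message.

```python
"""Model of a Watcher condition over ctx.payload.hits.hits.

Added example, not part of the original post. SAMPLE_HITS is a constructed
payload shaped like the Watcher search result; it is not real Azure data.
"""
import json

# The operation name the watcher is meant to detect (from the post).
NSG_WRITE = "Microsoft.Network/networkSecurityGroups/securityRules/write"

# Constructed sample payload. Hit 0 is an unrelated event, hit 1 is the NSG
# rule write, hit 2 carries the same operation name but with forward slashes
# escaped as "\/", which some JSON serialisers emit (an assumption for the
# example, not something the post confirms).
SAMPLE_HITS = [
    {"_source": {"message": json.dumps(
        {"operationName": "Microsoft.Compute/virtualMachines/start",
         "resultType": "Success"})}},
    {"_source": {"message": json.dumps(
        {"operationName": NSG_WRITE, "resultType": "Success"})}},
    {"_source": {"message": json.dumps(
        {"operationName": NSG_WRITE, "resultType": "Success"}
    ).replace("/", "\\/")}},
]


def first_hit_contains(hits, needle):
    """Mirror of the original condition: only hit 0 is inspected."""
    if not hits:
        return False  # an empty result would otherwise raise in Painless too
    return needle in hits[0]["_source"]["message"]


def any_hit_contains(hits, needle):
    """Scan every hit in the window with the same raw substring test."""
    return any(needle in h["_source"]["message"] for h in hits)


def nsg_write_events(hits, operation=NSG_WRITE):
    """Parse each JSON message and compare the decoded operationName.

    Decoding normalises escape sequences such as "\\/" so the comparison is
    on the value Azure logged, not on its serialised form. Non-JSON messages
    are skipped instead of crashing the condition.
    """
    matches = []
    for h in hits:
        try:
            event = json.loads(h["_source"]["message"])
        except (ValueError, TypeError):
            continue
        if isinstance(event, dict) and event.get("operationName") == operation:
            matches.append(event)
    return matches


if __name__ == "__main__":
    # Reproduces the symptom described in the post on the constructed data.
    print("hit 0 contains 'Mi':", first_hit_contains(SAMPLE_HITS, "Mi"))
    print("hit 0 contains full name:", first_hit_contains(SAMPLE_HITS, NSG_WRITE))
    print("any hit contains full name:", any_hit_contains(SAMPLE_HITS, NSG_WRITE))
    print("decoded NSG write events:", len(nsg_write_events(SAMPLE_HITS)))
```

On the constructed data `first_hit_contains` is true for `"Mi"` and false for the full operation name, which is exactly the symptom in the post, while the decoded comparison finds both NSG events, including the one whose raw text would never match a substring test. In a real watcher the equivalent fix is usually to move the match into the search itself (for example a `match_phrase` on the message field inside the `bool.filter`) and to condition on `ctx.payload.hits.total` rather than on the content of a single hit, so the alert fires on the number of matching events in the window regardless of sort order.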