I created a Watcher in Kibana to send an email notification when malware is detected on one of the monitored hosts.
The malware detection event has Windows Event Log ID 1116 and is generated by the Winlog channel "Microsoft-Windows-Windows Defender/Operational". As there is at least one more event with the same ID (generated by the "Microsoft-Windows-PushNotifications-Platform" channel), I needed the watcher to look for two conditions: the event message must be generated by the "Microsoft-Windows-Windows Defender/Operational" channel AND the event ID must be 1116.
I also specified the time range based on the timestamp. I want to be notified only when a new malware detection event appears within the last 9 minutes. All older event messages must be ignored.
I would appreciate it if you could review my code and let me know whether it will do what I need and contains no errors.
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "md-kraken-winevent-alias"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "winlog.channel": "Microsoft-Windows-Windows Defender/Operational"
                  }
                },
                {
                  "term": {
                    "winlog.event_id": "1116"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-9m",
                      "lt": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "email_administrator": {
      "email": {
        "profile": "standard",
        "to": [
          "john.doe@acme.com"
        ],
        "subject": "Windows Malware Detected",
        "body": {
          "text": "Windows malware detected.\n{{#ctx.payload.hits.hits}}\nAffected node's hostname: {{_source.host.name}}\nEvent timestamp: {{_source.@timestamp}}\n{{/ctx.payload.hits.hits}}\nPlease consult Kibana dashboards for more details.\n"
        }
      }
    }
  }
}
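The following is an added example, not code from the post above: a small Python simulation of the watch's selection logic run over constructed winlogbeat-style documents. It applies the same three conditions the watch does (exact channel, event ID 1116, timestamp in the last 9 minutes, with the channel compared exactly as a `term` query on a keyword field would), renders the email body the way the Mustache template does, and then replays the watch on its 5-minute schedule to show that a 9-minute window overlaps consecutive runs, so the same detection is reported twice unless the watch (or a downstream step) keeps a watermark of what it already reported. Field names follow ECS/winlogbeat as used in the watch; the sample events, host names and the `watermark` deduplication are assumptions for illustration.

```python
"""Simulate the Watcher's selection, rendering and schedule over constructed events.

Added example, not part of the original post. Field names (winlog.channel,
winlog.event_id, host.name, @timestamp) follow the posted watch; the sample
documents below are constructed, not real telemetry.
"""
from datetime import datetime, timedelta, timezone

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
MALWARE_DETECTED_ID = "1116"  # Defender "malware detected"; 1117 is "action taken"

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # assumed "now" for run 0

# Constructed sample documents. Only ws-01 and ws-05 should satisfy the watch.
SAMPLE_EVENTS = [
    {"@timestamp": T0 - timedelta(minutes=2),
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": "1116"}, "host": {"name": "ws-01"}},
    # same event ID, different channel: must NOT match
    {"@timestamp": T0 - timedelta(minutes=3),
     "winlog": {"channel": "Microsoft-Windows-PushNotifications-Platform", "event_id": "1116"},
     "host": {"name": "ws-02"}},
    # right channel, wrong event ID (1117 = action taken)
    {"@timestamp": T0 - timedelta(minutes=4),
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": "1117"}, "host": {"name": "ws-03"}},
    # a real detection, but 20 minutes old: outside the 9m window
    {"@timestamp": T0 - timedelta(minutes=20),
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": "1116"}, "host": {"name": "ws-04"}},
    # numeric event_id, as older winlogbeat mappings emit it
    {"@timestamp": T0 - timedelta(minutes=7),
     "winlog": {"channel": DEFENDER_CHANNEL, "event_id": 1116}, "host": {"name": "ws-05"}},
]


def select_detections(events, now, window=timedelta(minutes=9)):
    """Mirror the watch's bool/must: exact channel AND event id AND now-9m <= ts < now."""
    return [
        e for e in events
        if e["winlog"]["channel"] == DEFENDER_CHANNEL          # term semantics: exact value
        and str(e["winlog"]["event_id"]) == MALWARE_DETECTED_ID  # works for keyword or long
        and now - window <= e["@timestamp"] < now              # gte now-9m, lt now
    ]


def hosts_detected(events, now):
    """Sorted host names that would appear in the email for a run at `now`."""
    return sorted(e["host"]["name"] for e in select_detections(events, now))


def render_email(hits):
    """Same content as the Mustache section over ctx.payload.hits.hits."""
    lines = ["Windows malware detected."]
    for h in hits:
        lines.append(f"Affected node's hostname: {h['host']['name']}")
        lines.append(f"Event timestamp: {h['@timestamp'].isoformat()}")
    lines.append("Please consult Kibana dashboards for more details.")
    return "\n".join(lines)


def simulate_schedule(events, start, runs, interval=timedelta(minutes=5),
                      window=timedelta(minutes=9), dedupe=False):
    """Replay the watch `runs` times, `interval` apart; return host lists per run.

    With dedupe=True a watermark (assumed, not in the watch) records the newest
    timestamp already reported, so the 5m/9m overlap does not re-notify an event.
    Caveat: documents indexed late with an older @timestamp fall below the
    watermark and are skipped, the same ingest-lag trade-off the 'lt: now' bound has.
    """
    watermark = None
    reported = []
    for i in range(runs):
        now = start + i * interval
        hits = select_detections(events, now, window)
        if dedupe:
            hits = [h for h in hits if watermark is None or h["@timestamp"] > watermark]
            if hits:
                watermark = max(h["@timestamp"] for h in hits)
        # condition: ctx.payload.hits.total > 0 -> the action fires only if hits is non-empty
        reported.append(sorted(h["host"]["name"] for h in hits))
    return reported


if __name__ == "__main__":
    print(render_email(select_detections(SAMPLE_EVENTS, T0)))
    print("without dedupe:", simulate_schedule(SAMPLE_EVENTS, T0, 3))
    print("with dedupe:   ", simulate_schedule(SAMPLE_EVENTS, T0, 3, dedupe=True))
```

Run 0 reports ws-01 and ws-05; run 1 (five minutes later) still sees ws-01, because its timestamp is inside both 9-minute windows, which is the duplicate notification to expect from the posted interval/window pair unless something like the watermark above is kept.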