Watcher transform assistance

Hi,

Below is my watcher alert. I have the index section working with it creating multiple docs based on the few fields I've fed it in the transform.

The next challenge is to access the relevant data within the Teams action. ctx.metadata.title is the only thing that is working at the moment; the ctx.payload.hits.total did work until I added the transforms in, now that shows no value.

I have tried a number of permutations but have run out of ideas now. Any suggestions on how to change the format to access the relevant fields?

{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winlogbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "query_string": {
                    "query": "(process.name:cmdkey.exe AND process.args:\"/list\")"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-90m"
                    }
                  }
                }
              ]
            }
          },
          "size": 100,
          "_source": [
            "host.name",
            "process.name",
            "process.args",
            "@timestamp"
          ]
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "teams_webhook": {
      "webhook": {
        "scheme": "https",
        "host": "outlook.office.com",
        "port": 443,
        "method": "post",
        "path": "/webhook/",
        "params": {},
        "headers": {
          "Content-Type": "application/json"
        },
        "body": "{\"text\": \"{{ctx.payload.hits.total}} hits {{ctx.payload.hits.hits.0._source.process.args}} on {{ctx.payload.hits.hits.0._source['host.name']}} {{ctx.metadata.title}} \"}"
      }
    },
    "index_payload": {
      "transform": {
        "script": {
          "source": "return ['_doc':ctx.payload._value];",
          "lang": "painless"
        }
      },
      "index": {
        "index": "alerts",
        "doc_type": "watch_alert",
        "execution_time_field": "execution_time_timestamp"
      }
    }
  },
  "metadata": {
    "query": "(process.name:cmdkey.exe AND process.args:/list)",
    "description": "Detects usage of cmdkey to look for cached credentials",
    "title": "Cmdkey Cached Credentials Recon",
    "tags": [
      "attack.credential_access",
      "attack.t1003"
    ]
  },
  "transform": {
    "script": {
      "source": "return ctx.payload.hits.hits.stream().map(d -> ['@timestamp':d._source['@timestamp'],'process.args':d._source.process.args,'host.name':d._source['host.name']]).collect(Collectors.toList());",
      "lang": "painless"
    }
  }
}

Hi,

I figured it out: ctx.payload._doc or ctx.payload._doc.0['host.name'], as an example.
Would be nice to cycle through all of the docs and the individual fields rather than dumping all.

Thanks
Phil
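An added example, not code from the thread or from Elastic: a small Python simulation of what happens to ctx.payload in this watch. A watch-level transform replaces the whole payload with whatever the script returns, and a non-map result (the Painless list above) is stored under _value, which is why ctx.payload.hits.total renders empty once the transform is in place. The second transform keeps the hit count next to the flattened docs and uses undotted keys, so a Mustache path such as ctx.payload.total still resolves and a section can loop over every doc instead of printing only hit 0. The sample payload is constructed (ECS-style nested winlogbeat source), and the field names total, docs, hostname, args and timestamp are this example's own choices.

```python
"""Simulate how a Watcher watch-level transform reshapes ctx.payload.

Constructed sample input modelled on the thread's winlogbeat search; not
real data and not Elastic's code. Only the payload plumbing is simulated.
"""
from typing import Any, Dict, List

# Constructed: what ctx.payload looks like before any transform runs.
SAMPLE_PAYLOAD: Dict[str, Any] = {
    "hits": {
        "total": 2,
        "hits": [
            {"_source": {"@timestamp": "2020-01-01T10:00:00Z",
                         "host": {"name": "ws01"},
                         "process": {"name": "cmdkey.exe", "args": ["cmdkey", "/list"]}}},
            {"_source": {"@timestamp": "2020-01-01T10:05:00Z",
                         "host": {"name": "ws02"},
                         "process": {"name": "cmdkey.exe", "args": ["cmdkey", "/list"]}}},
        ],
    }
}


def original_transform(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Mirror of the thread's Painless transform: it returns a list, so Watcher
    stores it under _value and the original hits map is gone afterwards."""
    docs = [
        {"@timestamp": h["_source"]["@timestamp"],
         "process.args": h["_source"]["process"]["args"],
         "host.name": h["_source"]["host"]["name"]}
        for h in payload["hits"]["hits"]
    ]
    return {"_value": docs}


def keep_total_transform(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Alternative transform (this example's own design): return a map so the
    hit count survives alongside the docs, with undotted keys so a Mustache
    dotted path does not split them apart."""
    docs: List[Dict[str, Any]] = [
        {"timestamp": h["_source"]["@timestamp"],
         "args": h["_source"]["process"]["args"],
         "hostname": h["_source"]["host"]["name"]}
        for h in payload["hits"]["hits"]
    ]
    return {"total": payload["hits"]["total"], "docs": docs}


def lookup(payload: Any, path: str) -> str:
    """Minimal imitation of a Mustache dotted-path lookup (e.g. hits.total or
    _value.0.hostname). A missing segment renders as an empty string rather
    than raising, which is what an empty {{ctx.payload.hits.total}} shows."""
    cur = payload
    for part in path.split("."):
        if isinstance(cur, list) and part.isdigit():
            idx = int(part)
            cur = cur[idx] if idx < len(cur) else None
        elif isinstance(cur, dict):
            cur = cur.get(part)
        else:
            return ""
        if cur is None:
            return ""
    return str(cur)


def render_teams_text(payload: Dict[str, Any]) -> str:
    """Build the Teams text by iterating over every doc, the equivalent of a
    Mustache section {{#ctx.payload.docs}} ... {{/ctx.payload.docs}}."""
    lines = [f"{lookup(payload, 'total')} hits"]
    for d in payload.get("docs", []):
        lines.append(f"- {d['hostname']}: {' '.join(d['args'])} at {d['timestamp']}")
    return "\n".join(lines)


if __name__ == "__main__":
    after = original_transform(SAMPLE_PAYLOAD)
    print("hits.total after list transform:", repr(lookup(after, "hits.total")))
    print(render_teams_text(keep_total_transform(SAMPLE_PAYLOAD)))
```

Run it and the first line prints an empty string for hits.total, matching the symptom in the question; the second transform yields a message with one line per host. In the watch itself the same idea is a script that returns ['total': ctx.payload.hits.total, 'docs': ...], a Teams body that loops with a Mustache section over ctx.payload.docs, and an index action transform of return ['_doc': ctx.payload.docs].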
