Watcher Use Source Fields

I'm hoping to pull source fields (host, target user, message) from the matching events into the brute-force notification. Any recommendations? In the Slack message below, everything after "Number of Attempts" renders blank — the `ctx._source.*` fields come through empty.

{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "event_id:4625",
                    "analyze_wildcard": true,
                    "default_field": "*"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-5m",
                      "to": "now"
                    }
                  }
                }
              ],
              "filter": [],
              "should": [],
              "must_not": []
            }
          },
          "aggs": {
            "User": {
              "terms": {
                "field": "event_data.TargetUserName"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 10
      }
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 300000,
      "slack": {
        "account": "ELKBot",
        "message": {
          "from": "ELKBot",
          "to": [
            "#NOC"
          ],
          "text": "BRUTEFORCE ATTEMPT DETECTED",
          "attachments": [
            {
              "color": "danger",
              "title": "BRUTEFORCE",
              "text": "Number of Attempts: {{ctx.payload.hits.total}} Host: {{ctx._source.host.name}} User: {{ctx._source.event_data.TargetUserName}} Details: {{ctx._source.message}}"
            }
          ]
        }
      }
    }
  }
}

The fields come out blank because `ctx._source` does not exist in a watch's context; the search input's result is placed under `ctx.payload` and has the same shape as a normal search response. The syntax to reach the source of the first hit is `ctx.payload.hits.hits.0._source.host.name` (and likewise `...hits.0._source.event_data.TargetUserName`, `...hits.0._source.message`). Two caveats: only the hits actually returned are addressable — the search input returns the default page of hits unless you set `size` in the request body — and the first hit is just one arbitrary event, not necessarily representative of the attack. Since the watch already aggregates on `event_data.TargetUserName`, the list of targeted accounts is available under `ctx.payload.aggregations.User.buckets` (each bucket has a `key` and `doc_count`), which is usually more useful in an alert than a single hit's fields. Note also that the condition `ctx.payload.hits.total > 10` counts all 4625 events across every index in the last 5 minutes, not failures against one account or from one source, so it will fire on ordinary failed-login noise across a fleet; on newer Elasticsearch versions `hits.total` is an object and the condition may need `ctx.payload.hits.total.value` — check the payload for your version.

--Alex
