I'm hoping to get source fields to notify for bruteforce attempts. Any recommendations? My results beyond attempts are blank.
{
"trigger": {
"schedule": {
"interval": "10s"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"*"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "event_id:4625",
"analyze_wildcard": true,
"default_field": "*"
}
},
{
"range": {
"@timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
],
"filter": [],
"should": [],
"must_not": []
}
},
"aggs": {
"User": {
"terms": {
"field": "event_data.TargetUserName"
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 10
}
}
},
"actions": {
"notify-slack": {
"throttle_period_in_millis": 300000,
"slack": {
"account": "ELKBot",
"message": {
"from": "ELKBot",
"to": [
"#NOC"
],
"text": "BRUTEFORCE ATTEMPT DETECTED",
"attachments": [
{
"color": "danger",
"title": "BRUTEFORCE",
"text": "Number of Attempts: {{ctx.payload.hits.total}} Host: {{ctx._source.host.name}} User: {{ctx._source.event_data.TargetUserName}} Details: {{ctx._source.message}}"
}
]
}
}
}
}
}