Created
August 6, 2018 23:45
-
-
Save ppf2/445a208a74eefbb44d4e71e2c7a1c8fe to your computer and use it in GitHub Desktop.
Case 00240888
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PUT _xpack/watcher/watch/alex_watch | |
| { | |
| "trigger": { | |
| "schedule": { | |
| "interval": "5s" | |
| } | |
| }, | |
| "input": { | |
| "search": { | |
| "request": { | |
| "indices": [ | |
| "*wineventlog*" | |
| ], | |
| "body": { | |
| "_source": [ | |
| "@timestamp", | |
| "host", | |
| "event_data.IpAddress", | |
| "event_data.TargetUserName" | |
| ], | |
| "aggs": { | |
| "byUser": { | |
| "terms": { | |
| "field": "event_data.TargetUserName.keyword", | |
| "min_doc_count": 3 | |
| }, | |
| "aggs": { | |
| "ip": { | |
| "terms": { | |
| "field": "event_data.IpAddress.keyword" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "condition": { | |
| "array_compare": { | |
| "ctx.payload.aggregations.byUser.buckets": { | |
| "path": "doc_count", | |
| "gte": { | |
| "value": 3 | |
| } | |
| } | |
| } | |
| }, | |
| "actions": { | |
| "index_payload": { | |
| "transform": { | |
| "script": "String test='\n'; for (HashMap o : ctx.payload.aggregations.byUser.buckets) { test += o.get('key') + ':\n'; for (HashMap i: o.ip.buckets) { test += i.get('key') + '\n'; }} return test;" | |
| }, | |
| "logging": { | |
| "text": "{{ctx.payload._value}}" | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment