How do I include message fields in the Alert Action Message for Per document monitor

How can I access log data in the alert message for a Per document monitor?
In the documentation I was able to find only one example of such a monitor, and its message included only a reference to the finding and the document.
I’d like to add some document fields, just like the Per query monitor allows via ctx.results.0.hits.hits.
I cannot use a Per query monitor since I’m interested in an action per alert, not per execution; at the same time, the Per document monitor doesn’t seem to include ctx.results.0.hits.hits. Also, I don’t know how I can introspect the structure of the available context. I tried to run the Per document monitor’s _execute via DevTools, but it doesn’t match the ctx structure (e.g. there was no ctx.alerts.0.related_doc_ids path, although the data was present just under a different path), and the _execute result also doesn’t seem to include any document data similar to how it is done for _execute of a Per query monitor in ctx.results.0.hits.hits: neither the path nor the data.

Hey @qwertyuiop

This helped me out and I was able to improve on what I wanted.

I have a similar query as @qwertyuiop. Not sure how the solution you linked to solves the issue.

Hey @nikhil

Include message fields in the Alert Action Message for Per document monitor.

As the link above shows, I went to Discover and filtered out what I need. The link also shows how to copy the JSON configuration (Inspect → Request). This gives an overview and a good starting point
to configure a “Per query Monitor”. So, let’s say I want “User failed to logon” with Event ID 4625, and I also want to narrow it down a little more, like the message/event.original field with “An account failed to logon”. I would have this…


    {
        "size": 500,
        "query": {
            "bool": {
                "filter": [
                    {
                        "match_all": {
                            "boost": 1
                        }
                    },
                    {
                        "match_phrase": {
                            "event.original": {
                                "query": "An account failed to logon",
                                "slop": 0,
                                "zero_terms_query": "NONE",
                                "boost": 1
                            }
                        }
                    },
                    {
                        "match_phrase": {
                            "event.code": {
                                "query": "4625",
                                "slop": 0,
                                "zero_terms_query": "NONE",
                                "boost": 1
                            }
                        }
                    }
                ]
            }
        }
    }

I needed to add the name(s) of the user(s) whose logon failed.
So, I added the following filter clause, which was from my previous query in Discover.

                    {
                        "exists": {
                            "field": "winlog.event_data.TargetUserName",
                            "boost": 1
                        }
                    },

Action

You must have an opening and a closing section tag, as shown below.

    {{#ctx.results.0.hits.hits}} <-----START
    > User: {{_source.winlog.event_data.TargetUserName}}
    > Event ID: {{_source.event.code}}
    {{/ctx.results.0.hits.hits}} <-----END

If the fields are not returned by the “Define extraction query”, they will not show up in Actions.

Hope that helps.
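Added example (not from the forum post or the OpenSearch project): it builds the extraction query shown above with the `exists` filter appended, then renders the Mustache-style action template over a constructed `ctx.results.0.hits.hits` response so you can see which fields the action message will actually contain. The sample hits, the `build_query`, `render` and `missing_fields` functions and the minimal section/variable renderer are assumptions made for the illustration; the real alerting plugin does its own Mustache rendering.

```python
# Added example (not from the forum post or the OpenSearch project): builds the
# extraction query shown above, appends the "exists" filter, and renders the
# Mustache-style action template over a constructed ctx.results.0.hits.hits
# response. The sample hits and the mini renderer are assumptions made to show
# which fields the action message will contain before the monitor is saved.
import json
import re


def build_query(phrase, event_code, required_field, size=500):
    """Return the 'Define extraction query' body with an 'exists' filter appended."""
    def match_phrase(field, value):
        return {"match_phrase": {field: {"query": value, "slop": 0,
                                         "zero_terms_query": "NONE", "boost": 1}}}
    return {
        "size": size,
        "query": {"bool": {"filter": [
            {"match_all": {"boost": 1}},
            match_phrase("event.original", phrase),
            match_phrase("event.code", event_code),
            # Only hits that actually carry the field reach the action template.
            {"exists": {"field": required_field, "boost": 1}},
        ]}},
    }


SECTION = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VAR = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(path, scopes):
    """Resolve a dotted name (list indices allowed) against a scope stack, innermost first."""
    for scope in reversed(scopes):
        cur, found = scope, True
        for part in path.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
                cur = cur[int(part)]
            else:
                found = False
                break
        if found:
            return cur
    return None


def render(template, ctx, scopes=None):
    """Expand {{#name}}...{{/name}} sections and {{name}} variables, Mustache-style."""
    scopes = scopes or [{"ctx": ctx}]

    def expand_section(m):
        name, body = m.group(1), m.group(2)
        value = lookup(name, scopes)
        if not value:
            return ""  # missing value or empty hit list: the section is skipped
        items = value if isinstance(value, list) else [value]
        return "".join(render(body, ctx, scopes + [item]) for item in items)

    def expand_var(m):
        value = lookup(m.group(1), scopes)
        return "" if value is None else str(value)  # unknown field renders empty

    return VAR.sub(expand_var, SECTION.sub(expand_section, template))


def missing_fields(template, ctx):
    """Template variables that resolve to nothing in every hit (i.e. not extracted)."""
    hits = lookup("ctx.results.0.hits.hits", [{"ctx": ctx}]) or []
    names = set(VAR.findall(template))
    return sorted(n for n in names
                  if all(lookup(n, [{"ctx": ctx}, hit]) is None for hit in hits))


# Constructed response, shaped like ctx.results.0.hits.hits of a Per query monitor.
SAMPLE_CTX = {"results": [{"hits": {"total": {"value": 2}, "hits": [
    {"_id": "a1", "_source": {"event": {"code": "4625"},
                              "winlog": {"event_data": {"TargetUserName": "alice"}}}},
    {"_id": "a2", "_source": {"event": {"code": "4625"},
                              "winlog": {"event_data": {"TargetUserName": "svc-backup"}}}},
]}}]}

TEMPLATE = ("{{#ctx.results.0.hits.hits}}\n"
            "User: {{_source.winlog.event_data.TargetUserName}}\n"
            "Event ID: {{_source.event.code}}\n"
            "{{/ctx.results.0.hits.hits}}")

if __name__ == "__main__":
    print(json.dumps(build_query("An account failed to logon", "4625",
                                 "winlog.event_data.TargetUserName"), indent=2))
    print(render(TEMPLATE, SAMPLE_CTX))
    # A field the extraction query never returned renders empty; flag it up front.
    print(missing_fields(TEMPLATE + "Source IP: {{_source.source.ip}}\n", SAMPLE_CTX))
```

`missing_fields` is the check behind the last sentence of the post: any `{{...}}` name that resolves in none of the extracted hits will silently render as an empty string in the action message, so run it against a real `_execute` response before relying on the template.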

I get this one, but how does it help in the case of a per-document monitor that doesn’t allow ctx to access the hits or the document itself, and rather gives a reference to the document using findings? Maybe I’m missing the context, but the original question was based on a per-document monitor, which currently has limitations.

Hey @nikhil

I went off the title of this post:

> How do I include message fields in the Alert Action Message for Per document monitor
