Need Help Configuring Alert Actions to Include Log Data in OpenSearch

joseraeiro2 · March 29, 2024, 4:13pm

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.12.0

Describe the issue:

Configuration:

Hi OpenSearch Community,

I’m currently working on setting up alerting in OpenSearch and I’m facing a challenge with configuring alert actions to include specific data from logs in the alert notifications.

I have successfully configured the alert rules and triggers, and the alerts are being generated when the conditions are met. However, I need assistance with including relevant log data in the alert notifications to provide more context to the recipients.

Here’s a simplified version of what I’m trying to achieve:

When an alert is triggered, I want the alert notification to include certain fields from the log documents that triggered the alert.
I’m using the Handlebars template language to customize the alert notification body, but I’m unsure how to reference the log data fields within the template.

I’ve searched through the documentation and forums but haven’t found a clear example or guidance on how to accomplish this. Can someone please provide some pointers or examples on how to achieve this?

Any help or advice would be greatly appreciated. Thank you in advance for your assistance!

Relevant Logs or Screenshots:

joseraeiro2 · April 2, 2024, 8:18am

By the way, this is my query:

{
    "query": {
        "bool": {
            "must": [
                {
                    "terms": {
                        "data.win.system.eventID": [
                            "4720",
                            "4722"
                        ],
                        "boost": 1
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-9m",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    }
}

And this is my trigger condition:

// Create sets to store targetUserNames for each event ID
Set enabled_users = new HashSet();
Set created_users = new HashSet();

// Loop through each log entry in the search results
for (int i = 0; i < ctx.results[0].hits.hits.length; i++) {
    String eventID = ctx.results[0].hits.hits[i]._source.data.win.system.eventID;
    String targetUserName = ctx.results[0].hits.hits[i]._source.data.win.eventdata.targetUserName;

    // Exclude usernames that end with '$'
    if (targetUserName.endsWith("$")) {
        continue;
    }

    if (eventID.equals("4720")) {
        created_users.add(targetUserName);
    } else if (eventID.equals("4722")) {
        enabled_users.add(targetUserName);
    }
}

// Check if there are any users that are in the 'enabled_users' set but not in the 'created_users' set
for (String user : enabled_users) {
    if (!created_users.contains(user)) {
        return true;  // Trigger the alert
    }
}

return false;  // Do not trigger the alert

I would like to pass along the data.win.eventdata.targetUserName field in the Alert Action.

joseraeiro2 · April 5, 2024, 3:25pm

Perhaps something along these lines?

{
    "size": 500,
    "query": {
        "bool": {
            "must": [
                {
                    "terms": {
                        "data.win.system.eventID": [
                            "4720",
                            "4722"
                        ],
                        "boost": 1
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-9m",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "_source": ["data.win.eventdata.targetUserName", "data.win.system.eventID", "@timestamp"],
    "stored_fields": ["data.win.eventdata.targetUserName", "data.win.system.eventID", "@timestamp"],
    "docvalue_fields": [
        {
            "field": "@timestamp",
            "format": "date_time"
        },
        {
            "field": "data.win.eventdata.targetUserName"
        }
    ],
    "sort": [
        {
            "@timestamp": {
                "order": "desc",
                "unmapped_type": "boolean"
            }
        }
    ]
}

And this?

Monitor {{ctx.monitor.name}} just entered ALERT status. Please investigate the issue.
- Alert time: {{ctx.periodStart}}

> User Name: {{_source.data.win.eventdata.targetUserName}}

Gsmitt · April 10, 2024, 2:08am

Hey @joseraeiro2

Correct me if I’m wrong, but you would like more details about the alert in the Notification sent?

Example:
I found that adding this to my query

 "exists": {
"field": "winlog.event_data.SubjectUserName",
"boost": 1
}

Then I would add that field to my Message section…

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
 -  username: {{_source.winlog.event_data.SubjectUserName}}

Email Results:

> 2 
>  gsmith.domain.com
>  greg.smith

This post might help.

joseraeiro2 · April 10, 2024, 8:28am

No, you are absolutely correct, Sir!

Are you suggesting that I use something like:

{
    "query": {
        "bool": {
            "must": [
                {
                    "terms": {
                        "data.win.system.eventID": [
                            "4720",
                            "4722"
                        ],
                        "boost": 1
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-9m",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                },
                {
                    "exists": {
                        "field": "data.win.eventdata.targetUserName",
                        "boost": 1
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    }
}

And then this:

Monitor {{ctx.monitor.name}} just entered ALERT status. Please investigate the issue.
- Alert time: {{ctx.periodStart}}

> User Name: {{_source.data.win.eventdata.targetUserName}}

Topic		Replies	Views
Monitor Alerting Query OpenSearch configure	1	104	February 7, 2024
Different results in "Discover" and "Alerting" Tab for same Index Pattern OpenSearch troubleshoot , configure , alerting , index-management	0	41	April 10, 2024
Setting up alert/trigger against static list of values Alerting	2	287	September 8, 2023
Opensearch Alerting OpenSearch discuss	1	236	April 12, 2023
How to create alerts based on numeric data in log OpenSearch alerting	2	316	May 3, 2023

Need Help Configuring Alert Actions to Include Log Data in OpenSearch

Related Topics