Need Help Configuring Alert Actions to Include Log Data in OpenSearch

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.12.0

Describe the issue:

Configuration:

Hi OpenSearch Community,

I’m currently working on setting up alerting in OpenSearch and I’m facing a challenge with configuring alert actions to include specific data from logs in the alert notifications.

I have successfully configured the alert rules and triggers, and the alerts are being generated when the conditions are met. However, I need assistance with including relevant log data in the alert notifications to provide more context to the recipients.

Here’s a simplified version of what I’m trying to achieve:

  • When an alert is triggered, I want the alert notification to include certain fields from the log documents that triggered the alert.
  • I’m using the Handlebars template language to customize the alert notification body, but I’m unsure how to reference the log data fields within the template.

I’ve searched through the documentation and forums but haven’t found a clear example or guidance on how to accomplish this. Can someone please provide some pointers or examples on how to achieve this?

Any help or advice would be greatly appreciated. Thank you in advance for your assistance!

Relevant Logs or Screenshots:

By the way, this is my query:

{
    "query": {
        "bool": {
            "must": [
                {
                    "terms": {
                        "data.win.system.eventID": [
                            "4720",
                            "4722"
                        ],
                        "boost": 1
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-9m",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    }
}

And this is my trigger condition:

// Create sets to store targetUserNames for each event ID
Set enabled_users = new HashSet();
Set created_users = new HashSet();

// Loop through each log entry in the search results
for (int i = 0; i < ctx.results[0].hits.hits.length; i++) {
    String eventID = ctx.results[0].hits.hits[i]._source.data.win.system.eventID;
    String targetUserName = ctx.results[0].hits.hits[i]._source.data.win.eventdata.targetUserName;

    // Exclude usernames that end with '$'
    if (targetUserName.endsWith("$")) {
        continue;
    }

    if (eventID.equals("4720")) {
        created_users.add(targetUserName);
    } else if (eventID.equals("4722")) {
        enabled_users.add(targetUserName);
    }
}

// Check if there are any users that are in the 'enabled_users' set but not in the 'created_users' set
for (String user : enabled_users) {
    if (!created_users.contains(user)) {
        return true;  // Trigger the alert
    }
}

return false;  // Do not trigger the alert

I would like to pass along the data.win.eventdata.targetUserName field in the Alert Action.

Perhaps something along these lines?

{
    "size": 500,
    "query": {
        "bool": {
            "must": [
                {
                    "terms": {
                        "data.win.system.eventID": [
                            "4720",
                            "4722"
                        ],
                        "boost": 1
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-9m",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "_source": ["data.win.eventdata.targetUserName", "data.win.system.eventID", "@timestamp"],
    "stored_fields": ["data.win.eventdata.targetUserName", "data.win.system.eventID", "@timestamp"],
    "docvalue_fields": [
        {
            "field": "@timestamp",
            "format": "date_time"
        },
        {
            "field": "data.win.eventdata.targetUserName"
        }
    ],
    "sort": [
        {
            "@timestamp": {
                "order": "desc",
                "unmapped_type": "boolean"
            }
        }
    ]
}

And this?

Monitor {{ctx.monitor.name}} just entered ALERT status. Please investigate the issue.
- Alert time: {{ctx.periodStart}}

> User Name: {{_source.data.win.eventdata.targetUserName}}


Hey @joseraeiro2

Correct me if I’m wrong, but you would like more details about the alert in the Notification sent?

Example:
I found that adding this to my query

 "exists": {
"field": "winlog.event_data.SubjectUserName",
"boost": 1
}

Then I would add that field to my Message section…

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
 -  username: {{_source.winlog.event_data.SubjectUserName}}

Email Results:

> 2 
>  gsmith.domain.com
>  greg.smith

This post might help.

No, you are absolutely correct, Sir!

Are you suggesting that I use something like:

{
    "query": {
        "bool": {
            "must": [
                {
                    "terms": {
                        "data.win.system.eventID": [
                            "4720",
                            "4722"
                        ],
                        "boost": 1
                    }
                },
                {
                    "range": {
                        "@timestamp": {
                            "from": "now-9m",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                },
                {
                    "exists": {
                        "field": "data.win.eventdata.targetUserName",
                        "boost": 1
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    }
}

And then this:

Monitor {{ctx.monitor.name}} just entered ALERT status. Please investigate the issue.
- Alert time: {{ctx.periodStart}}

> User Name: {{_source.data.win.eventdata.targetUserName}}

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.