{ "monitor": { "type": "monitor", "schema_version": 0, "name": "OLD_Monitor", "monitor_type": "query_level_monitor", "user": { "name": "admin", "backend_roles": [ "admin" ], "roles": [ "own_index", "all_access" ], "custom_attribute_names": [], "user_requested_tenant": null }, "enabled": true, "enabled_time": 1713870004480, "schedule": { "period": { "interval": 1, "unit": "MINUTES" } }, "inputs": [ { "search": { "indices": [ "serveurs-windows-*" ], "query": { "size": 0, "query": { "bool": { "filter": [ { "bool": { "should": [ { "match": { "winlog.event_data.TargetUserName": { "query": "aaa", "operator": "OR", "prefix_length": 0, "max_expansions": 50, "fuzzy_transpositions": true, "lenient": false, "zero_terms_query": "NONE", "auto_generate_synonyms_phrase_query": true, "boost": 1.0 } } }, { "query_string": { "query": "winlog.event_data.ObjectDN:aaa", "fields": [], "type": "best_fields", "default_operator": "and", "max_determinized_states": 10000, "enable_position_increments": true, "fuzziness": "AUTO", "fuzzy_prefix_length": 0, "fuzzy_max_expansions": 50, "phrase_slop": 0, "escape": false, "auto_generate_synonyms_phrase_query": true, "fuzzy_transpositions": true, "boost": 1.0 } } ], "adjust_pure_negative": true, "minimum_should_match": "1", "boost": 1.0 } }, { "range": { "@timestamp": { "from": "now-2m", "to": null, "include_lower": true, "include_upper": true, "boost": 1.0 } } } ], "adjust_pure_negative": true, "boost": 1.0 } }, "version": true, "stored_fields": [ "winlog.event_data.TargetUserName", "winlog.event_data.ObjectDN", "@timestamp" ], "aggregations": { "2": { "date_histogram": { "field": "@timestamp", "fixed_interval": "30m", "offset": 0, "order": { "_key": "asc" }, "keyed": false, "min_doc_count": 1 } } } } } } ], "triggers": [ { "query_level_trigger": { "id": "0yGcCo8Bt6v4fkmf4TkA", "name": "OLD_Trigger", "severity": "1", "condition": { "script": { "source": "ctx.results[0].hits.total.value > 0", "lang": "painless" } }, "actions": [ { "id": 
"notification441208", "name": "OLD_Action", "destination_id": "BmCPSX8Bs7zXcdaKGA2i", "message_template": { "source": "old_monitor\n{{#toJson}}ctx.results[0]{{/toJson}}", "lang": "mustache" }, "throttle_enabled": false, "subject_template": { "source": "OLD_Monitor / OLD_Trigger: alert on serveurs-windows-*", "lang": "mustache" } } ] } } ], "last_update_time": 1713870004480, "ui_metadata": { "schedule": { "cronExpression": "0 */1 * * *", "period": { "unit": "MINUTES", "interval": 1 }, "timezone": null, "daily": 0, "monthly": { "type": "day", "day": 1 }, "weekly": { "tue": false, "wed": false, "thur": false, "sat": false, "fri": false, "mon": false, "sun": false }, "frequency": "interval" }, "search": { "searchType": "query", "bucketValue": 1, "timeField": "", "bucketUnitOfTime": "h", "groupBy": [], "filters": [], "aggregations": [] }, "triggers": { "OLD_Trigger": { "value": 10000, "enum": "ABOVE" } }, "monitor_type": "query_level_monitor" }, "data_sources": { "query_index": ".opensearch-alerting-queries", "findings_index": ".opensearch-alerting-finding-history-write", "findings_index_pattern": "<.opensearch-alerting-finding-history-{now/d}-1>", "alerts_index": ".opendistro-alerting-alerts", "alerts_history_index": ".opendistro-alerting-alert-history-write", "alerts_history_index_pattern": "<.opendistro-alerting-alert-history-{now/d}-1>", "query_index_mappings_by_type": {}, "findings_enabled": false }, "owner": "alerting" } }