Alerting on documents with 2 conditions

Hello,

I'm trying to build an alert that matches 2 fields - an event_id and a keyword.

I need to trigger an action (which is working) if there are 4 counts in 5 minutes of:

  • event_id = 4776 AND keyword = "Audit Failure"

but I'm struggling with the syntax (Just noob things :grinning:)

Could anyone point me to examples or the most up to date docs on how to do this?

Elastic Stack is version 6.5.4, CentOS installed from repositories and up to date.

It would be very similar to this example except you will need 2 must clauses - one for event_id and another one for keyword. The actual query would depend on how event_id and keyword are mapped. Assuming that they have integer and keyword types something like this might work:

          "bool" : {
              "must" : [{
                "match": {
                   "event_id": 4776
                }
              }], {
                "match": {
                   "keyword": "Audit Failure"
                }
              }]
          }

You will also need to change condition to match 4 hits instead of 0. If this doesn't work for you, please show the complete watch that doesn't work together with index mapping and some sample record.


Thanks for the reply Igor! I think that is exactly what I'm looking for, I'm just running into syntax errors now.

"bool" : {
          "must" : [{
            "match": {
               "event_id": 4776
            }
          }], { **<--- Marked as bad string**
            "match": {
               "keyword": "Audit Failure"
            }
          }]          
}

I'll keep troubleshooting, I'm sure it's a JSON syntax error somewhere.

Sorry, I made a typo (extra ]) after the first clause. It should be

          "bool" : {
              "must" : [{
                "match": {
                   "event_id": 4776
                }
              }, {
                "match": {
                   "keyword": "Audit Failure"
                }
              }]
          }

Here is my watch as it stands. Whenever I add a time filter per the linked example above, it says that it errors out and can't process the Watch.

{
  "trigger": {
    "schedule": {
      "interval": "2m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winlogbeat*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "match": {
                    "event_id": 4776
                  }
                },
                {
                  "match": {
                    "keyword": "Audit Failure"
                  }
                }
              ]
            }
          },
          "filter": {
            "range": {
              "@timestamp": {
                "from": "{{ctx.trigger.scheduled_time}}||-5m",
                "to": "{{ctx.trigger.triggered_time}}"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 4
      }
    }
  },
  "actions": {
    "slack_1": {
      "slack": {
        "message": {
          "to": [
            "elasticsearch"
          ],
          "text": "There were [{{ctx.payload.hits.total}}] failed login attempts in the last 5 minutes"
        }
      }
    }
  }
}

When the alert triggers, the following is my error:

"result": {
"execution_time": "2018-12-27T18:37:34.228Z",
"execution_duration": 1,
"input": {
  "type": "search",
  "status": "failure",
  "error": {
    "root_cause": [
      {
        "type": "parsing_exception",
        "reason": "Unknown key for a START_OBJECT in [filter].",
        "line": 1,
        "col": 105
      }
    ],
    "type": "parsing_exception",
    "reason": "Unknown key for a START_OBJECT in [filter].",
    "line": 1,
    "col": 105
  },

Update: Looks like filter doesn't exist how I was using it anymore, according to this post:

So I guess I have to fix that.

I fixed it, in case anyone is interested. My use case here is to grab Kerberos authentication logs from our DC and alert on potential brute force attacks. This search will match documents from the last 5 minutes with the following criteria:

  1. Keyword field matching "Audit Failure"

  2. The name of the AD Server, "AD1"

  3. The Windows event ID for authentication attempt, "4776"

Hope this helps!

    "body": {
      "query": {
        "bool": {
          "must": [
            {
              "match_phrase": {
                "keywords": {
                  "query": "Audit Failure"
                }
              }
            },
            {
              "match_phrase": {
                "event_id": {
                  "query": 4776
                }
              }
            },
            {
              "match_phrase": {
                "host.name": {
                  "query": "AD1"
                }
              }
            },
            {
              "range": {
                "@timestamp": {
                  "gte": "now-5m",
                  "to": "now"
                }
              }
            }
          ]
        }
      }
    }
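Added example, not code from the thread or from Elastic: a small Python script that builds the corrected watch search body (the two `must` clauses plus the time range placed inside `bool.filter`, which is where the range has to live; putting `filter` directly under `body` is what produced the "Unknown key for a START_OBJECT in [filter]" parsing_exception above) and runs the same "4 hits of event 4776 with Audit Failure in 5 minutes" logic locally over a handful of constructed winlogbeat-style records, so the threshold and window can be checked without a cluster. Field names follow winlogbeat 6.x (`event_id`, `keywords` as an array, `host.name`); the `host` parameter, the function names and the sample records are my own assumptions. One caveat it makes explicit: the posted condition uses `"gt": 4`, which only fires on the fifth hit; `"gte": 4` fires on the fourth, which is what the original question asked for.

```python
"""Corrected Watcher search body + local replay of the alert logic.

Added example for the thread above; not from the original posts.
Field names assume winlogbeat 6.x: event_id, keywords (array), host.name.
"""
from datetime import datetime, timedelta, timezone

EVENT_ID = 4776
KEYWORD = "Audit Failure"
WINDOW = timedelta(minutes=5)
THRESHOLD = 4  # alert on the 4th hit in the window ("gte" in the condition)


def watch_search_body(host=None, window="5m"):
    """Search body with the range clause inside bool.filter (not under body).

    `host` is an assumed optional host.name restriction, as in the final post.
    """
    must = [
        {"match": {"event_id": EVENT_ID}},
        {"match_phrase": {"keywords": KEYWORD}},
    ]
    if host:
        must.append({"match_phrase": {"host.name": host}})
    return {
        "query": {
            "bool": {
                "must": must,
                # Filter context: no scoring and cacheable. Anchoring on the
                # watch's scheduled_time instead of "now" keeps the window
                # stable if execution is delayed.
                "filter": [
                    {"range": {"@timestamp": {
                        "gte": "{{ctx.trigger.scheduled_time}}||-" + window,
                        "lte": "{{ctx.trigger.scheduled_time}}",
                    }}}
                ],
            }
        },
        "size": 0,  # only hits.total is needed for the condition
    }


def watch_condition(threshold=THRESHOLD):
    """Compare condition. "gt": 4 (as posted) needs five hits; "gte": 4 fires on four."""
    return {"compare": {"ctx.payload.hits.total": {"gte": threshold}}}


def matches(doc):
    """Local equivalent of the two must clauses."""
    return doc.get("event_id") == EVENT_ID and KEYWORD in doc.get("keywords", [])


def count_hits(docs, scheduled_time, window=WINDOW):
    """Local equivalent of query + range filter: hits in [scheduled_time - window, scheduled_time]."""
    start = scheduled_time - window
    return sum(1 for d in docs
               if matches(d) and start <= d["@timestamp"] <= scheduled_time)


def should_alert(docs, scheduled_time, threshold=THRESHOLD):
    """True when the watch condition would fire for this execution."""
    return count_hits(docs, scheduled_time) >= threshold


# Constructed sample data (not real log records); T0 plays ctx.trigger.scheduled_time.
T0 = datetime(2018, 12, 27, 18, 37, 34, tzinfo=timezone.utc)


def sample_docs():
    def doc(age_s, event_id=EVENT_ID, keyword=KEYWORD, host="AD1"):
        return {"@timestamp": T0 - timedelta(seconds=age_s),
                "event_id": event_id, "keywords": [keyword],
                "host": {"name": host}}
    return [
        doc(30), doc(70), doc(110), doc(200),   # four failures inside 5 min
        doc(250, keyword="Audit Success"),      # success: must not count
        doc(260, event_id=4625),                # different event id: must not count
        doc(600),                               # 10 min old: outside the window
    ]


if __name__ == "__main__":
    import json
    docs = sample_docs()
    print("hits in window:", count_hits(docs, T0), "-> alert:", should_alert(docs, T0))
    print(json.dumps(watch_search_body(host="AD1"), indent=2))
```

Running the script replays the condition over the constructed records (four qualifying hits, so the alert fires at `gte: 4` and would not at the posted `gt: 4`) and prints the body to paste into the watch's `input.search.request`.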
