Brute Force Watcher and Alert

Hi,

I am looking for support/advice on modifying a watcher to accomplish:

  1. A single email and alert output for each occurrence where a user has failed logins x times in x minutes.
  2. The alert and email to contain a combination of Username, Source IP and Hostname (all of which are available in the records). Only 1 alert per combination: if a second username is failing, this should be a unique alert/email.

Currently we have the following, which was created by a 3rd party and did not satisfy the requirement.

{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "acme-dbauth--v2"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "match": {
                    "event.action": "database_login"
                  }
                },
                {
                  "match": {
                    "event.outcome": "failure"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-5m"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "failed_logins": {
              "terms": {
                "field": "user.name",
                "size": 10
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": " def users = [];\n for (def uname : ctx.payload.aggregations.failed_logins.buckets) {\n if (uname.doc_count>2) {\n users.add(uname.key);\n }\n }\n \n ctx.payload.users = users;\n \n ctx.payload._doc = [\n '@timestamp': ctx.execution_time,\n 'alert_id': ctx.watch_id,\n 'cause_index': 'acme-dbauth--v2',\n 'plain_reason': 'Multiple failed logins from same user(s)',\n 'info1_key': 'user_names',\n 'info1_val': users\n ];\n \n return users.size()>0;",
      "lang": "painless"
    }
  },
  "actions": {
    "send_email": {
      "throttle_period_in_millis": 1800000,
      "email": {
        "account": "exchange_account",
        "profile": "standard",
        "to": [
          "coyote@acme.com"
        ],
        "subject": "Elastic Alert: dba_brute_force",
        "body": {
          "text": "Detected multiple failed logins from users: {{ctx.payload.users}}"
        }
      }
    },
    "index_alert": {
      "index": {
        "index": "acme-dbauth-alerts"
      }
    }
  }
}

Hi, you could try to iterate through the hits with a transform script, using a for loop for each item; then you have to parse it as you need.
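As an added example that is not part of the original thread or the poster's watch: the per-combination logic a transform would need, written in Python against constructed sample events so it runs offline. It groups failed logins by the (user.name, source.ip, host.name) triple rather than by user.name alone (in the watch that would mean, for example, a composite aggregation over those three fields instead of the single terms aggregation), applies the "x failures in x minutes" rule as a sliding window, and suppresses repeat alerts for the same triple for a throttle period so each combination yields exactly one alert. The field names follow the watch above; the threshold, window, throttle and the sample events are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def ev(ts, user, ip, host, outcome="failure"):
    """Build one constructed record in the shape the watch queries (ECS-style field names)."""
    return {"@timestamp": ts, "event.action": "database_login", "event.outcome": outcome,
            "user.name": user, "source.ip": ip, "host.name": host}


# Constructed sample events (not data from the original post), deliberately out of
# order and including one success, to exercise filtering, windowing and grouping.
SAMPLE_EVENTS = [
    ev("2024-01-01T10:00:40Z", "alice", "10.0.0.5", "db01"),
    ev("2024-01-01T10:00:05Z", "alice", "10.0.0.5", "db01"),
    ev("2024-01-01T10:01:10Z", "alice", "10.0.0.5", "db01"),   # 3rd failure -> alert
    ev("2024-01-01T10:02:00Z", "alice", "10.0.0.5", "db01"),   # 4th, throttled
    # Same user, different source IP: a separate combination, so a separate alert.
    ev("2024-01-01T10:03:00Z", "alice", "10.0.0.9", "db01"),
    ev("2024-01-01T10:03:30Z", "alice", "10.0.0.9", "db01"),
    ev("2024-01-01T10:04:00Z", "alice", "10.0.0.9", "db01"),
    # bob: two failures then a success, stays below the threshold.
    ev("2024-01-01T10:00:10Z", "bob", "10.0.0.5", "db01"),
    ev("2024-01-01T10:00:50Z", "bob", "10.0.0.5", "db01"),
    ev("2024-01-01T10:01:20Z", "bob", "10.0.0.5", "db01", outcome="success"),
    # carol: three failures, but the third falls outside the 5 minute window.
    ev("2024-01-01T10:00:00Z", "carol", "10.0.0.7", "db02"),
    ev("2024-01-01T10:01:00Z", "carol", "10.0.0.7", "db02"),
    ev("2024-01-01T10:10:00Z", "carol", "10.0.0.7", "db02"),
]


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the sample events into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5),
                        throttle=timedelta(minutes=30)):
    """Return one alert dict per (user, source IP, host) combination that reaches
    `threshold` failed database logins within any `window`-long span, emitting at
    most one alert per combination per `throttle` period."""
    # Same filter as the watch: failed database logins only.
    failures = [e for e in events
                if e["event.action"] == "database_login" and e["event.outcome"] == "failure"]
    failures.sort(key=lambda e: parse_ts(e["@timestamp"]))

    recent = defaultdict(deque)   # combination -> timestamps still inside the window
    last_alert = {}               # combination -> time of the last alert (for throttling)
    alerts = []
    for e in failures:
        key = (e["user.name"], e["source.ip"], e["host.name"])
        ts = parse_ts(e["@timestamp"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the sliding window
            q.popleft()
        if len(q) < threshold:
            continue
        prev = last_alert.get(key)
        if prev is not None and ts - prev < throttle:
            continue               # this combination already alerted recently
        last_alert[key] = ts
        alerts.append({
            "user.name": key[0], "source.ip": key[1], "host.name": key[2],
            "failure_count": len(q),
            "first_failure": q[0].isoformat(), "last_failure": ts.isoformat(),
        })
    return alerts


def format_alert(a):
    """Render one alert as the per-combination email body text."""
    return (f"Detected {a['failure_count']} failed logins for user {a['user.name']} "
            f"from {a['source.ip']} on {a['host.name']} "
            f"between {a['first_failure']} and {a['last_failure']}")


if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE_EVENTS):
        print(format_alert(alert))
```

Run as is, it produces two alerts: alice from 10.0.0.5 on db01 and alice from 10.0.0.9 on db01, with bob (below threshold) and carol (outside the window) producing none, and alice's fourth failure from 10.0.0.5 suppressed by the throttle. One caveat worth knowing when porting this back into the watch: the `throttle_period_in_millis` in the original applies to the `send_email` action as a whole, not to each combination, so once it fires for one user the same action stays throttled for the next half hour even if a different user starts failing; per-combination suppression has to be carried in the transform or condition, as in the `last_alert` map here.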
