Hi,
I am looking for support/advice on modifying a watcher to accomplish the following:
- A single email and alert output for each occurrence where a user has failed logins x times in x minutes.
- The alert and email to contain a combination of Username, Source IP and Hostname (all of which are available in the records). Only one alert per combination: if a second username is failing, that should produce its own separate alert/email.
Currently we have the following watcher, which was created by a third party and does not satisfy the requirement: it aggregates only on `user.name` (not on source IP or hostname), and its condition collects every user over the threshold into a single list, so one email covers all of them rather than one alert per username/IP/host combination.
{
"trigger":
{
"schedule":
{
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"acme-dbauth--v2"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"filter": [
{
"match": {
"event.action": "database_login"
}
},
{
"match": {
"event.outcome": "failure"
}
},
{
"range": {
"@timestamp": {
"gte": "now-5m"
}
}
}
]
}
},
"aggs": {
"failed_logins": {
"terms": {
"field": "user.name",
"size": 10
}
}
}
}
}
}
},
"condition": {
"script": {
"source": " def users = [];\n for (def uname : ctx.payload.aggregations.failed_logins.buckets) {\n if (uname.doc_count>2) {\n users.add(uname.key);\n }\n }\n \n ctx.payload.users = users;\n \n ctx.payload._doc = [\n '@timestamp': ctx.execution_time,\n 'alert_id': ctx.watch_id,\n 'cause_index': 'acme-dbauth--v2',\n 'plain_reason': 'Multiple failed logins from same user(s)',\n 'info1_key': 'user_names',\n 'info1_val': users\n ];\n \n return users.size()>0;",
"lang": "painless"
}
},
"actions": {
"send_email": {
"throttle_period_in_millis": 1800000,
"email": {
"account": "exchange_account",
"profile": "standard",
"to": [
"coyote@acme.com"
],
"subject": "Elastic Alert: dba_brute_force",
"body": {
"text": "Detected multiple failed logins from users: {{ctx.payload.users}}"
}
}
},
"index_alert": {
"index": {
"index": "acme-dbauth-alerts"
}
}
}
}