Creating watcher on windows event id 4625 with multiple conditions

tahseen_fatima · May 9, 2020, 4:10pm

Hi,

I want to create alert for Windows Security Event Log
and when the event matches EventID (custom) is any of 4625
and when at least 3 events are seen with the same Username in 24 hour(s).

Here is my watcher.

{
  "trigger": {
    "schedule": {
      "interval": "20s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "siem-os-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "EventID": {
                      "value": "4625"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "EventID"
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-24h"
                  }
                }
              }
            }
          },
          "aggs": {
            "user_name": {
              "terms": {
                "field": "UserName.keyword"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },
  "actions": {
    "index_1": {
      "index": {
        "index": "alert-for-4625"
      }
    }
  }
}

Kindly help me with writing condition.

Kindly help,
Tahseen

tahseen_fatima · May 9, 2020, 4:12pm

I m stuck in writing condition for

when at least 3 events are seen with the same Username in 24 hour(s).
Please have a look on it and reply to it.

Thanks

spinscale · May 11, 2020, 1:47pm

please take a little bit more time to help us understand where your problem is. You need to use a script condition that checks your buckets. You could add the min_doc_count to your terms agg and then check for the existence of a bucket.

You can basically do a ctx.payload.aggs.user_name.buckets.size() > 0 (on top of my head without verifying).

tahseen_fatima · May 12, 2020, 7:11am

Hi,
This is working fine, but i want to specify the size of doc count inside of bucket . There are multiple doc count inside buckets.

"condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.user_name.buckets.size() > 3) return true; else return false;",
      "lang": "painless"
    }
  },

given below is the output of above condition,
But I want to apply condition on the doc count inside of this bucket

aggregations.user_name.buckets	
{
  "doc_count": 154,
  "key": "xyz"
},
{
  "doc_count": 92,
  "key": "abc"
},
{
  "doc_count": 80,
  "key": "Administrator"
},

waiting for response
Thanks in advance

Tahseen

system · June 9, 2020, 7:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
It is possible to create an alert when an event 4652 appears? Beats elastic-stack-alerting , winlogbeat	3	336	May 28, 2019
Watcher alerting for winlogbeat Elasticsearch elastic-stack-alerting	2	1097	March 29, 2018
Chain input Watcher multi result Elasticsearch elastic-stack-alerting	2	1869	February 5, 2020
Alerting on documents with 2 conditions Elasticsearch elastic-stack-alerting	7	1365	January 25, 2019
Need help creating advanced watcher Kibana	2	231	September 5, 2023

Creating watcher on windows event id 4625 with multiple conditions

Related topics