Creating watcher on windows event id 4625 with multiple conditions

tahseen_fatima · May 9, 2020, 4:10pm

Hi,

I want to create alert for Windows Security Event Log
and when the event matches EventID (custom) is any of 4625
and when at least 3 events are seen with the same Username in 24 hour(s).

Here is my watcher.

{
  "trigger": {
    "schedule": {
      "interval": "20s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "siem-os-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "EventID": {
                      "value": "4625"
                    }
                  }
                },
                {
                  "exists": {
                    "field": "EventID"
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-24h"
                  }
                }
              }
            }
          },
          "aggs": {
            "user_name": {
              "terms": {
                "field": "UserName.keyword"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 0
      }
    }
  },
  "actions": {
    "index_1": {
      "index": {
        "index": "alert-for-4625"
      }
    }
  }
}

Kindly help me with writing condition.

Kindly help,
Tahseen

tahseen_fatima · May 9, 2020, 4:12pm

I m stuck in writing condition for

when at least 3 events are seen with the same Username in 24 hour(s).
Please have a look on it and reply to it.

Thanks

spinscale · May 11, 2020, 1:47pm

please take a little bit more time to help us understand where your problem is. You need to use a script condition that checks your buckets. You could add the min_doc_count to your terms agg and then check for the existence of a bucket.

You can basically do a ctx.payload.aggs.user_name.buckets.size() > 0 (on top of my head without verifying).

tahseen_fatima · May 12, 2020, 7:11am

Hi,
This is working fine, but i want to specify the size of doc count inside of bucket . There are multiple doc count inside buckets.

"condition": {
    "script": {
      "source": "if (ctx.payload.aggregations.user_name.buckets.size() > 3) return true; else return false;",
      "lang": "painless"
    }
  },

given below is the output of above condition,
But I want to apply condition on the doc count inside of this bucket

aggregations.user_name.buckets	
{
  "doc_count": 154,
  "key": "xyz"
},
{
  "doc_count": 92,
  "key": "abc"
},
{
  "doc_count": 80,
  "key": "Administrator"
},

waiting for response
Thanks in advance

Tahseen

system · June 9, 2020, 7:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.