Hi Everyone,
Basically, I was simulating a password spraying attack using a Kibana detection rule (in the Security tab). For the end-to-end pipeline, I have used Winlogbeat to ingest Windows event logs directly into Elasticsearch, which automatically splits the fields.
Pipeline: Windows Event Logs --> Winlogbeat --> Elasticsearch --> Kibana Detection Rule --> Get notified when an alert is generated.
Issue: After we get a winlogbeat-* index, in the detection rule's Actions tab we cannot access all the necessary fields. Here is the step-by-step process I followed:
- For the definition of the detection rule, I used the Threshold rule type, filtered out the failed login activity with a custom query, then grouped by agent.name OR source.ip and counted user.name. (Simple meaning: if we have different user.name values (threshold: 2) from the same machine (agent.name) with failed login activity, an alert will be generated on the targeted platform.)
See the attached screenshot:
- For the action, I have used the Kibana connectors, and the issue is that I cannot see the desired fields to include in the message. There are some fields, but I want the list of usernames on which the same password was tried, agent.name and source.ip.
[Note: I just noticed that only the fields used in Group by are available in {{context.alerts}}. For example, if I group by agent.name and source.ip, then both fields are available in {{context.alerts}}. And if I need the list of users, we cannot group by user.name, because that breaks the password spraying detection rule.]
Output of {{context.alerts}} (group by agent.name only):
{
  "_id": "fafba5e6252722adac5449136423f654f229e89768f6b21b86ab69b1d0aedb03",
  "_index": ".siem-signals-default-000001",
  "@timestamp": "2021-07-05T06:39:35.039Z",
  "agent.name": "WIN-7KFLSAU7QM1",
  "event": {
    "kind": "signal"
  },
  "signal": {
    "_meta": {
      "version": 25
    },
    "parents": [
      {
        "id": "40afd13b-e0a9-5d7c-a35b-456a623af12c",
        "type": "event",
        "index": "winlogbeat-*",
        "depth": 0
      }
    ],
    "ancestors": [
      {
        "id": "40afd13b-e0a9-5d7c-a35b-456a623af12c",
        "type": "event",
        "index": "winlogbeat-*",
        "depth": 0
      }
    ],
    "status": "open",
    "rule": {
      "id": "70c2ed20-da6f-11eb-a52d-67761976b9cf",
      "rule_id": "1fa1c0b9-b664-4381-ba1c-3264e5a22bec",
      "actions": [
        {
          "group": "default",
          "params": {
            "subject": "Password Spraying Attack | Security",
            "to": [
              "demo.com"
            ],
            "message": "Date : {{date}}\n\nRule {{context.rule.name}} generated {{state.signals_count}} alerts.\n\nAlert name: {{alertName}}\n\nAlert Details: {{context.alerts}}\n"
          },
          "actionTypeId": ".email",
          "actionRef": "action_0"
        },
        {
          "group": "default",
          "params": {
            "subActionParams": {
              "incident": {
                "severity": "1",
                "short_description": "Password Spraying Attack | Security",
                "urgency": "2",
                "impact": "1",
                "description": "Security Alert"
              },
              "comments": [
                {
                  "commentId": "1",
                  "comment": "Date : {{date}}\n\nRule {{context.rule.name}} generated {{state.signals_count}} alerts.\n\nAlert name: {{alertName}}\n\nAlert Details: {{context.alerts}}\n"
                }
              ]
            },
            "subAction": "pushToService"
          },
          "actionTypeId": ".servicenow",
          "actionRef": "action_1"
        }
      ],
      "author": [],
      "building_block_type": null,
      "false_positives": [],
      "saved_id": null,
      "timeline_id": null,
      "timeline_title": null,
      "meta": {
        "from": "1m",
        "kibana_siem_app_url": "http://XX.XX.XX.XX:5601/app/security"
      },
      "max_signals": 100,
      "risk_score": 73,
      "risk_score_mapping": [],
      "output_index": ".siem-signals-default",
      "description": "Multiple Users tried to attempt login with same password, from same host.",
      "note": null,
      "from": "now-180s",
      "immutable": false,
      "index": [
        "winlogbeat-*"
      ],
      "interval": "2m",
      "language": "kuery",
      "license": "",
      "name": "Password Spraying Attack",
      "query": "event.code: \"4625\" and winlog.event_data.SubStatus : \"0xc000006a\" ",
      "references": [],
      "rule_name_override": null,
      "severity": "high",
      "severity_mapping": [],
      "tags": [
        "security attack"
      ],
      "type": "threshold",
      "to": "now",
      "enabled": true,
      "filters": [],
      "created_by": "elastic",
      "updated_by": "elastic",
      "threat": [],
      "threat_filters": null,
      "timestamp_override": null,
      "throttle": null,
      "version": 10,
      "created_at": "2021-07-01T13:22:53.942Z",
      "updated_at": "2021-07-05T06:37:32.455Z",
      "exceptions_list": [],
      "threshold": {
        "field": [
          "agent.name"
        ],
        "value": 1,
        "cardinality": [
          {
            "field": "user.name",
            "value": 3
          }
        ]
      }
    },
    "depth": 1,
    "parent": {
      "id": "40afd13b-e0a9-5d7c-a35b-456a623af12c",
      "type": "event",
      "index": "winlogbeat-*",
      "depth": 0
    },
    "original_time": "2021-07-05T06:39:14.352Z",
    "threshold_result": {
      "terms": [
        {
          "field": "agent.name",
          "value": "WIN-7KFLSAU7QM1"
        }
      ],
      "cardinality": [
        {
          "field": "user.name",
          "value": 3
        }
      ],
      "count": 4,
      "from": "2021-07-05T06:36:34.018Z"
    }
  }
}
Also, the mustache template creates a problem if we have to access {{context.alerts.agent.name}}.
[Short]: I need some of the fields that are available in the winlogbeat-* index in the action messaging service, without using those fields in the Group by clause. Required fields: list of user.name, agent.name and source.ip.
Can anyone please help me or suggest some methods?
Thanks!!
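As an added example (not code from the original post or from Elastic), the threshold rule's grouping and cardinality logic re-implemented in plain Python over constructed sample events; the host names, IPs and user names are made up. Unlike the Kibana alert document shown above, each alert it produces carries the full list of user names and source IPs seen for the host, which is the information an action message would need.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def make_event(ts, host, ip, user, substatus="0xc000006a"):
    """Build one constructed, flattened winlogbeat-style event (not real telemetry)."""
    return {"@timestamp": ts, "event.code": "4625", "winlog.event_data.SubStatus": substatus,
            "agent.name": host, "source.ip": ip, "user.name": user}

SAMPLE_EVENTS = [  # constructed sample data
    make_event("2021-07-05T06:36:40Z", "WIN-7KFLSAU7QM1", "10.0.0.5", "alice"),
    make_event("2021-07-05T06:36:52Z", "WIN-7KFLSAU7QM1", "10.0.0.5", "bob"),
    make_event("2021-07-05T06:37:03Z", "WIN-7KFLSAU7QM1", "10.0.0.5", "carol"),
    make_event("2021-07-05T06:37:10Z", "WIN-7KFLSAU7QM1", "10.0.0.5", "alice"),
    # 0xc0000064 means the user name does not exist: not a bad password, so the query drops it
    make_event("2021-07-05T06:37:20Z", "WIN-7KFLSAU7QM1", "10.0.0.5", "dave", "0xc0000064"),
    make_event("2021-07-05T06:37:30Z", "WIN-OTHER", "10.0.0.9", "erin"),  # one user: below cardinality
    make_event("2021-07-05T06:30:00Z", "WIN-7KFLSAU7QM1", "10.0.0.5", "zed"),  # outside the lookback
]
NOW = datetime(2021, 7, 5, 6, 39, 35, tzinfo=timezone.utc)  # rule run time, taken from the alert above

def matches_query(event):
    """Mirror of the rule's KQL: event.code: "4625" and winlog.event_data.SubStatus : "0xc000006a"."""
    return (event.get("event.code") == "4625"
            and str(event.get("winlog.event_data.SubStatus", "")).lower() == "0xc000006a")

def evaluate_threshold(events, now, group_field="agent.name", cardinality_field="user.name",
                       min_cardinality=3, lookback=timedelta(seconds=180)):
    """Group query matches inside the lookback window by group_field and return one alert
    per group whose distinct cardinality_field values reach min_cardinality (the rule's
    agent.name grouping with cardinality user.name >= 3). Each alert also keeps the
    user names and source IPs involved, which the Kibana alert document does not."""
    start = now - lookback
    groups = defaultdict(list)
    for event in events:
        ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        if start <= ts <= now and matches_query(event):
            groups[event[group_field]].append(event)
    alerts = []
    for key, group in groups.items():
        users = sorted({e[cardinality_field] for e in group})
        if len(users) >= min_cardinality:
            alerts.append({group_field: key, "count": len(group), "user.name": users,
                           "source.ip": sorted({e["source.ip"] for e in group})})
    return alerts

if __name__ == "__main__":
    for alert in evaluate_threshold(SAMPLE_EVENTS, NOW):
        print(alert)
```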