[Detection Rule for Security]: Extract fields from {{context.alerts}} in the Kibana Connector Message Service

Hi Everyone,

Basically, I was simulating a password spraying attack using a Kibana Detection Rule (in the Security tab). For the end-to-end pipeline, I have used Winlogbeat to ingest Windows event logs directly into Elasticsearch, which automatically splits the fields.

Pipeline: Windows Event Logs --> Winlogbeat --> Elasticsearch --> Kibana Detection Rule --> get notified when an alert is generated.

Issue: After we get an index of winlogbeat-*, in the Detection Rule's Actions tab we are not able to access all the necessary fields. Here is the step-by-step process I followed:

  1. For the definition of the detection rule, I have used the Threshold rule type, filtered out the failed login activity with a custom query, then grouped by agent.name OR source.ip and counted user.name. (Simple meaning: if we have different user.name values (threshold: 2) from the same machine (agent.name) with failed login activity, then an alert will be generated on the targeted platform.)

See the attached screenshot:

  2. For the action, I have used the Kibana Connectors, and the issue is that I am not able to see the desired fields to include in the message. There are some fields, but I want the list of usernames on which the same password was tried, agent.name and source.ip.

[Note: I just noticed that only the fields used in Group by are available in {{context.alerts}}. For example, if I group by agent.name and source.ip, then both fields are available in {{context.alerts}}. And if I need the list of users, then we cannot group by user.name, because that breaks the detection rule for the password spraying attack.]

Output of {{context.alerts}} - Only Group by agent.name:

{
  "_id": "fafba5e6252722adac5449136423f654f229e89768f6b21b86ab69b1d0aedb03",
  "_index": ".siem-signals-default-000001",
  "@timestamp": "2021-07-05T06:39:35.039Z",
  "agent.name": "WIN-7KFLSAU7QM1",
  "event": {
    "kind": "signal"
  },
  "signal": {
    "_meta": {
      "version": 25
    },
    "parents": [
      {
        "id": "40afd13b-e0a9-5d7c-a35b-456a623af12c",
        "type": "event",
        "index": "winlogbeat-*",
        "depth": 0
      }
    ],
    "ancestors": [
      {
        "id": "40afd13b-e0a9-5d7c-a35b-456a623af12c",
        "type": "event",
        "index": "winlogbeat-*",
        "depth": 0
      }
    ],
    "status": "open",
    "rule": {
      "id": "70c2ed20-da6f-11eb-a52d-67761976b9cf",
      "rule_id": "1fa1c0b9-b664-4381-ba1c-3264e5a22bec",
      "actions": [
        {
          "group": "default",
          "params": {
            "subject": "Password Spraying Attack | Security",
            "to": [
              "demo.com"
            ],
            "message": "Date : {{date}}\n\nRule {{context.rule.name}} generated {{state.signals_count}} alerts.\n\nAlert name: {{alertName}}\n\nAlert Details: {{context.alerts}}\n"
          },
          "actionTypeId": ".email",
          "actionRef": "action_0"
        },
        {
          "group": "default",
          "params": {
            "subActionParams": {
              "incident": {
                "severity": "1",
                "short_description": "Password Spraying Attack | Security",
                "urgency": "2",
                "impact": "1",
                "description": "Security Alert"
              },
              "comments": [
                {
                  "commentId": "1",
                  "comment": "Date : {{date}}\n\nRule {{context.rule.name}} generated {{state.signals_count}} alerts.\n\nAlert name: {{alertName}}\n\nAlert Details: {{context.alerts}}\n"
                }
              ]
            },
            "subAction": "pushToService"
          },
          "actionTypeId": ".servicenow",
          "actionRef": "action_1"
        }
      ],
      "author": [],
      "building_block_type": null,
      "false_positives": [],
      "saved_id": null,
      "timeline_id": null,
      "timeline_title": null,
      "meta": {
        "from": "1m",
        "kibana_siem_app_url": "http://XX.XX.XX.XX:5601/app/security"
      },
      "max_signals": 100,
      "risk_score": 73,
      "risk_score_mapping": [],
      "output_index": ".siem-signals-default",
      "description": "Multiple Users tried to attempt login with same password, from same host.",
      "note": null,
      "from": "now-180s",
      "immutable": false,
      "index": [
        "winlogbeat-*"
      ],
      "interval": "2m",
      "language": "kuery",
      "license": "",
      "name": "Password Spraying Attack",
      "query": "event.code: \"4625\" and winlog.event_data.SubStatus : \"0xc000006a\" ",
      "references": [],
      "rule_name_override": null,
      "severity": "high",
      "severity_mapping": [],
      "tags": [
        "security attack"
      ],
      "type": "threshold",
      "to": "now",
      "enabled": true,
      "filters": [],
      "created_by": "elastic",
      "updated_by": "elastic",
      "threat": [],
      "threat_filters": null,
      "timestamp_override": null,
      "throttle": null,
      "version": 10,
      "created_at": "2021-07-01T13:22:53.942Z",
      "updated_at": "2021-07-05T06:37:32.455Z",
      "exceptions_list": [],
      "threshold": {
        "field": [
          "agent.name"
        ],
        "value": 1,
        "cardinality": [
          {
            "field": "user.name",
            "value": 3
          }
        ]
      }
    },
    "depth": 1,
    "parent": {
      "id": "40afd13b-e0a9-5d7c-a35b-456a623af12c",
      "type": "event",
      "index": "winlogbeat-*",
      "depth": 0
    },
    "original_time": "2021-07-05T06:39:14.352Z",
    "threshold_result": {
      "terms": [
        {
          "field": "agent.name",
          "value": "WIN-7KFLSAU7QM1"
        }
      ],
      "cardinality": [
        {
          "field": "user.name",
          "value": 3
        }
      ],
      "count": 4,
      "from": "2021-07-05T06:36:34.018Z"
    }
  }
}

Also, the Mustache template creates a problem if we have to access {{context.alerts.agent.name}}.

[Short]: I need some of the fields that are available in the winlogbeat-* index during the action messaging service, without using those fields in the Group by clause. Required fields are: list of user.name, agent.name and source.ip.

Can anyone please help me or suggest some methods?

Thanks !!
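The alert document above shows the root of the problem: a threshold alert carries the grouped term (`agent.name`) and a *count* of distinct `user.name` values in `signal.threshold_result`, but never the user names themselves, so no Mustache expression can list them. As an added example (not from the original post or from Elastic), the following Python pulls out what the alert does carry and builds the follow-up Elasticsearch query that would return the underlying winlogbeat-* events and aggregate the distinct `user.name` values for that host and time window. The KQL-to-filter conversion is an assumption that only handles this rule's simple `field: "value" and ...` form.

```python
"""Added example, not from the original post: what a threshold alert carries,
and the follow-up Elasticsearch query that lists the user.name values it lacks."""
import json
import re

# Constructed: the relevant subset of the alert document shown in the post.
ALERT = json.loads("""{
  "agent.name": "WIN-7KFLSAU7QM1",
  "signal": {
    "rule": {"index": ["winlogbeat-*"],
             "query": "event.code: \\"4625\\" and winlog.event_data.SubStatus : \\"0xc000006a\\" "},
    "original_time": "2021-07-05T06:39:14.352Z",
    "threshold_result": {
      "terms": [{"field": "agent.name", "value": "WIN-7KFLSAU7QM1"}],
      "cardinality": [{"field": "user.name", "value": 3}],
      "count": 4, "from": "2021-07-05T06:36:34.018Z"}}}""")

_CLAUSE = re.compile(r'^\s*([\w.]+)\s*:\s*"?([^"]*?)"?\s*$')


def threshold_summary(alert):
    """Fields a threshold alert really has: the group-by terms, a COUNT of
    distinct user.name (not the names), the event count and the time window."""
    tr = alert["signal"]["threshold_result"]
    return {"terms": {t["field"]: t["value"] for t in tr["terms"]},
            "distinct": {c["field"]: c["value"] for c in tr["cardinality"]},
            "count": tr["count"], "from": tr["from"],
            "to": alert["signal"]["original_time"]}


def kql_conjunction_to_filters(query):
    """Assumption: only the AND-of-field:value KQL form used by this rule is
    handled; each clause becomes an Elasticsearch match_phrase filter."""
    filters = []
    for clause in re.split(r"\s+and\s+", query.strip(), flags=re.IGNORECASE):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported KQL clause: {clause!r}")
        filters.append({"match_phrase": {m.group(1): m.group(2)}})
    return filters


def source_event_query(alert):
    """Query for the raw events behind the alert: the rule's own query, pinned
    to the grouped agent.name and the alert window, aggregating distinct user.name."""
    rule, s = alert["signal"]["rule"], threshold_summary(alert)
    filters = kql_conjunction_to_filters(rule["query"])
    filters += [{"term": {f: v}} for f, v in s["terms"].items()]
    filters.append({"range": {"@timestamp": {"gte": s["from"], "lte": s["to"]}}})
    return {"index": rule["index"], "size": 0,
            "query": {"bool": {"filter": filters}},
            "aggs": {f: {"terms": {"field": f}} for f in s["distinct"]}}
```

`json.dumps(source_event_query(ALERT), indent=2)` prints a request body you can send to `POST winlogbeat-*/_search`; the `user.name` terms bucket in the response is the list of attempted accounts that the alert itself cannot provide.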

Hi, which version of Winlogbeat is this, and which version of Kibana? Also, can you provide your winlogbeat.yml file? With any sensitive information removed, of course.

I am not personally very familiar with Winlogbeat. My hunch is there may be an issue with the way Winlogbeat was set up that doesn't align with the way the detection rule searches for data. The setup steps have the admin specify the list of event logs to monitor:

Another thing that stands out to me is your custom query:
event.code: "4625" and winlog.event_data.SubStatus: "0x0000006a" references fields that I do not see in the list of Winlogbeat fields: