Elastic watcher, log multiple fields

Hello everybody,

I just began using Elastic Watcher to alert when I detect a port scanner (I want to build my own to understand how the Watcher works, which is why I didn't use the one on Elastic's GitHub).

So my watcher configuration looks like this:

POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "30s"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": "firewall-*",
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "from": "now-1h",
                      "to": "now"
                    }
                  }
                }
              }
            },
            "aggs": {
              "by_source_ip": {
                "terms": {
                  "size": 100,
                  "field": "source.ip"
                },
                "aggs": {
                  "by_destination_ip": {
                    "terms": {
                      "size": 100,
                      "field": "destination.ip"
                    },
                    "aggs": {
                      "by_port_number": {
                        "terms": {
                          "size": 100,
                          "field": "destination.port",
                          "order": {
                            "_count": "asc"
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": 
      """ 
      for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++) 
      { 
        for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
        {
          if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 50)
          {
            return true;
          }
        }
      }
      
        """
    },
    "transform":
    {
      "script":
      """
      for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++) 
      { 
        for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
        {
          if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 20)
          {
           return ['source': ctx.payload.aggregations.by_source_ip.buckets[i].key,
                   'destination': ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].key, 
                   'ports': ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size()]
          }
        }
      }
      """
    },
    "actions": {
      "log": {
        "logging": {
          "text": "*********************Port scanner detected****************** \n - Source IP address: {{ctx.payload.source}} \n - Destination IP address: {{ctx.payload.destination}} \n - Number of ports scanned: {{ctx.payload.ports}}"
        }
      }
    }
  }
}

The problem now is that I can log just one source IP and one destination IP with the number of ports between these two addresses, but what if that source IP scanned multiple IP addresses, or there are multiple source IPs that scanned my hosts?

Could someone please tell me how I can output all the addresses that match the condition?

Thanks for your help

I tried Mustache, trying to output all source IPs that scanned my hosts, but it is giving me an empty output:

"actions": {
  "log": {
    "throttle_period": "1m",
    "logging": {
      "text": " Found Events matching: {{#ctx.payload.aggregations.by_source_ip.buckets}}{{key}}{{/ctx.payload.aggregations.by_source_ip.buckets}}"
    }
  }
}
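The Mustache section above comes back empty because a script transform replaces `ctx.payload` with whatever the script returns: after the transform in the first watch, the payload is the map `{source, destination, ports}`, so `ctx.payload.aggregations` no longer exists when the action is rendered. The watch below is an added, reworked version of the poster's watch (not code from the original post or from Elastic) that keeps the same input and the same 30-second schedule, but (1) replaces the innermost `terms` aggregation on `destination.port` with a `cardinality` aggregation, so the distinct-port count is not capped at the aggregation's `size` of 100, (2) uses one threshold (50) in both the condition and the transform, (3) has the transform collect every matching source/destination pair into a list instead of returning on the first hit, and (4) iterates that list with a Mustache section in the action. The threshold, the `scans`/`count` field names and the `distinct_ports` aggregation name are my choices, not anything from the original. It uses the same Kibana Dev Tools console syntax as the original (triple-quoted Painless scripts), so it is pasted into the console rather than sent as raw JSON.

```json
POST _watcher/watch/_execute
{
  "watch": {
    "trigger": { "schedule": { "interval": "30s" } },
    "input": {
      "search": {
        "request": {
          "indices": "firewall-*",
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": { "range": { "@timestamp": { "gte": "now-1h", "lte": "now" } } }
              }
            },
            "aggs": {
              "by_source_ip": {
                "terms": { "field": "source.ip", "size": 100 },
                "aggs": {
                  "by_destination_ip": {
                    "terms": { "field": "destination.ip", "size": 100 },
                    "aggs": {
                      "distinct_ports": {
                        "cardinality": { "field": "destination.port" }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script": """
        // Fire when any (source, destination) pair touched more than 50 distinct ports.
        for (def src : ctx.payload.aggregations.by_source_ip.buckets) {
          for (def dst : src.by_destination_ip.buckets) {
            if (dst.distinct_ports.value > 50) { return true; }
          }
        }
        return false;
      """
    },
    "transform": {
      "script": """
        // Collect every matching pair instead of returning on the first one.
        // Whatever this script returns becomes the new ctx.payload for the actions.
        def scans = [];
        for (def src : ctx.payload.aggregations.by_source_ip.buckets) {
          for (def dst : src.by_destination_ip.buckets) {
            if (dst.distinct_ports.value > 50) {
              scans.add(['source': src.key, 'destination': dst.key, 'ports': dst.distinct_ports.value]);
            }
          }
        }
        return ['scans': scans, 'count': scans.size()];
      """
    },
    "actions": {
      "log": {
        "throttle_period": "1m",
        "logging": {
          "text": "Port scanner detected ({{ctx.payload.count}} source/destination pairs):\n{{#ctx.payload.scans}} - {{source}} -> {{destination}}: {{ports}} distinct ports\n{{/ctx.payload.scans}}"
        }
      }
    }
  }
}
```

Inside the `{{#ctx.payload.scans}} ... {{/ctx.payload.scans}}` section, each element of the list is the current context, so its entries are referenced by their own names (`{{source}}`, `{{destination}}`, `{{ports}}`). Two limits remain worth knowing about: the two `terms` aggregations still return at most 100 source and 100 destination buckets each, so a very noisy network can push a scanner out of the top 100 by document count; and `cardinality` is approximate, but it is exact well below its default `precision_threshold` of 3000, which is far above any sensible port-scan threshold.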

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.