Hello everybody,
I just began using elastic watcher to alert when I detect a port scanner (I wanna build my own one to understand how the watcher works that's why I didn't use the one in elastic Github )
so my watcher configuration looks like that:
POST _watcher/watch/_execute
{
"watch": {
"trigger": {
"schedule": {
"interval": "30s"
}
},
"input": {
"search": {
"request": {
"indices": "firewall-*",
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"from": "now-1h",
"to": "now"
}
}
}
}
},
"aggs": {
"by_source_ip": {
"terms": {
"size": 100,
"field": "source.ip"
},
"aggs": {
"by_destination_ip": {
"terms": {
"size": 100,
"field": "destination.ip"
},
"aggs": {
"by_port_number": {
"terms": {
"size": 100,
"field": "destination.port",
"order": {
"_count": "asc"
}
}
}
}
}
}
}
}
}
}
}
},
"condition": {
"script":
"""
for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++)
{
for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
{
if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 50)
{
return true;
}
}
}
"""
},
"transform":
{
"script":
"""
for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++)
{
for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
{
if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 20)
{
return ['source': ctx.payload.aggregations.by_source_ip.buckets[i].key,
'destination': ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].key,
'ports': ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size()]
}
}
}
"""
},
"actions": {
"log": {
"logging": {
"text": "*********************Port scanner detected****************** \n - Addresse IP source: {{ctx.payload.source}} \n - Addresse IP destination: {{ctx.payload.destination}} \n - Number of ports scanned: {{ctx.payload.ports}}"
}
}
}
}
}
The problem now is that I can log just 1 @IP source and 1 @IP destination withe the number of ports between these 2 addresses, but what if that IP source scanned multiple IP addresses or there are multiple IP source who scanned my hosts.
could someone please tell me how can I do to output all the addresses that match the condition
Thanks for your help