Hi,
We want to create an alert when there have been over three failed logon events. Our query looks like this:

POST /logstash-test-2019-11/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "query_string": {
            "query": "message: \"authentication failure\" AND \"sshd\""
          }
        }
      ],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "now-30m"
          }
        }
      }
    }
  }
}
And our whole watch:

{
  "trigger": {
    "schedule": {
      "interval": "10m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-test-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "message: \"authentication failure\" AND \"sshd\""
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-30m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 3
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [
          "user@example.com"
        ],
        "subject": "test-subject",
        "body": {
          "text": "test-text"
        }
      }
    }
  }
}

This successfully alerts whenever we get three hits of the query in the last 30 minutes. However, it also creates an alert if there are three separate failed logons for separate devices. We want to make it so that it only alerts if there are at least three hits for the same device. We save the FQDN of each device in a field called FQDN, so could we somehow use that?
Thanks
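One way to get a per-device threshold, as an added example that is not part of the original post: keep the same query and time window, add a terms aggregation on the FQDN field with min_doc_count set to 3 so that only hosts with three or more failures produce a bucket, and make the condition fire when at least one bucket exists. It assumes the FQDN field is mapped with a keyword sub-field (FQDN.keyword, the usual Logstash dynamic mapping); if FQDN is already a keyword field, use "FQDN" instead. The email body lists the offending hosts and their counts.

```json
{
  "trigger": { "schedule": { "interval": "10m" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "logstash-test-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                { "query_string": { "query": "message: \"authentication failure\" AND \"sshd\"" } }
              ],
              "filter": { "range": { "@timestamp": { "gte": "now-30m" } } }
            }
          },
          "aggs": {
            "by_fqdn": {
              "terms": {
                "field": "FQDN.keyword",
                "min_doc_count": 3,
                "size": 100
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "return ctx.payload.aggregations.by_fqdn.buckets.size() > 0"
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "profile": "standard",
        "to": [ "user@example.com" ],
        "subject": "sshd: repeated authentication failures in the last 30 minutes",
        "body": {
          "text": "Hosts with 3 or more sshd authentication failures:\n{{#ctx.payload.aggregations.by_fqdn.buckets}}{{key}}: {{doc_count}}\n{{/ctx.payload.aggregations.by_fqdn.buckets}}"
        }
      }
    }
  }
}
```

Because "size": 0 suppresses the hit list, the condition can no longer use ctx.payload.hits.total; it looks only at the aggregation buckets, and the 10-minute schedule over a 30-minute window means a single burst can be reported up to three times unless you also add a throttle_period to the action.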