Script watcher for detecting brute force attacks (winlogbeat)

Hello everybody,

So I begin creating some watcher alerts, and my first script is for detecting brute force using winlogbeat. Here is my script:

PUT _watcher/watch/brute_force_winlogbeat
{
    "trigger": {
      "schedule": {
        "interval": "1m"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": "winlogbeat-*",
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "from": "now-1h",
                      "to": "now"
                    }
                  }
                }
              }
            },
            "aggs": {
              "by_event_category": {
                "terms": {
                  "field": "event.category"
                },
                "aggs": {
                  "by_event_outcome": {
                    "terms": {
                      "field": "event.outcome"
                    },
                    "aggs": {
                      "by_user_name": {
                        "terms": {
                          "field": "user.name"
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script":
      """
      for (int i=0; i < ctx.payload.aggregations.by_event_category.buckets.size(); i++)
      {
        if(ctx.payload.aggregations.by_event_category.buckets[i].key == "authentication")
        {
          for (int j=0; j < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets.size(); j++)
         {
           if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].key == "failure")
           {
            for (int k=0; k < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.size(); k++)
            {
              if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count > 3)
              {
                return true;
              }
            }
           }
          }
        }
      }
      """
    },
    "transform": {
      "script":

      """
      String[] brut_forced_users= new String[5];
      int[] number_of_tries= new int[5];
      int count=0;


    for (int i=0; i < ctx.payload.aggregations.by_event_category.buckets.size(); i++)
      {
        if(ctx.payload.aggregations.by_event_category.buckets[i].size() !=0 && ctx.payload.aggregations.by_event_category.buckets[i].key == "authentication")
        {
          for (int j=0; j < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets.size(); j++)
         {
           if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].size() != 0  && ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].key == "failure")
           {
            for (int k=0; k < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets.size(); k++)
            {
              if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].size() !=0 && ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count > 3)
              {
                if (count < 5)
                {
                brut_forced_users[count] = ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].key;
                number_of_tries[count] = ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count;
                count++;
                }
              }
            }
           }
          }
        }
      }
     return [brut_forced_users,number_of_tries,count];
          """
    },
    "actions": {
      "email_admin": {
        "throttle_period": "15m",
        "email": {
          "to": "adresse_mail@gmail.com",
          "subject": "Brute force attack detected",
          "body": "\n ============================ BRUT FORCE DETECTED ============================\n - Number of brut force detected: {{ctx.payload._value.2}} \n - User's name brut forced: {{ctx.payload._value.0}}\n - Number of tries for each user: {{ctx.payload._value.1}}"
        }
      }
    }
}

This script working perfectly and detect the brute force in the last 1 hour.
As it's my first script I wanted to share it, to tell me if I made some mistakes, even if it's working !

And I want to ask some questions:

  • Now I receive more than 1 mail for the same brute force, is there a solution to receive just 1 mail for each alerte ?
  • When I edited the script and clicked on it, I had this response :
{
  "_id" : "brute_force_winlogbeat",
  "_version" : 852,
  "_seq_no" : 851,
  "_primary_term" : 1,
  "created" : false
}

As it's the first time I edit it I think I shoud see version: 2, so why I am seeing version 852 or I understood it wrong.

Thanks for your help :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.