Hello everybody,
So I begin creating some watcher alerts, and my first script is for detecting brute force using winlogbeat. Here is my script:
PUT _watcher/watch/brute_force_winlogbeat
{
"trigger": {
"schedule": {
"interval": "1m"
}
},
"input": {
"search": {
"request": {
"indices": "winlogbeat-*",
"body": {
"size": 0,
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"from": "now-1h",
"to": "now"
}
}
}
}
},
"aggs": {
"by_event_category": {
"terms": {
"field": "event.category"
},
"aggs": {
"by_event_outcome": {
"terms": {
"field": "event.outcome"
},
"aggs": {
"by_user_name": {
"terms": {
"field": "user.name"
}
}
}
}
}
}
}
}
}
}
},
"condition": {
"script":
"""
for (int i=0; i < ctx.payload.aggregations.by_event_category.buckets.size(); i++)
{
if(ctx.payload.aggregations.by_event_category.buckets[i].key == "authentication")
{
for (int j=0; j < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets.size(); j++)
{
if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].key == "failure")
{
for (int k=0; k < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.size(); k++)
{
if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count > 3)
{
return true;
}
}
}
}
}
}
"""
},
"transform": {
"script":
"""
String[] brut_forced_users= new String[5];
int[] number_of_tries= new int[5];
int count=0;
for (int i=0; i < ctx.payload.aggregations.by_event_category.buckets.size(); i++)
{
if(ctx.payload.aggregations.by_event_category.buckets[i].size() !=0 && ctx.payload.aggregations.by_event_category.buckets[i].key == "authentication")
{
for (int j=0; j < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets.size(); j++)
{
if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].size() != 0 && ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].key == "failure")
{
for (int k=0; k < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets.size(); k++)
{
if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].size() !=0 && ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count > 3)
{
if (count < 5)
{
brut_forced_users[count] = ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].key;
number_of_tries[count] = ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count;
count++;
}
}
}
}
}
}
}
return [brut_forced_users,number_of_tries,count];
"""
},
"actions": {
"email_admin": {
"throttle_period": "15m",
"email": {
"to": "adresse_mail@gmail.com",
"subject": "Brute force attack detected",
"body": "\n ============================ BRUT FORCE DETECTED ============================\n - Number of brut force detected: {{ctx.payload._value.2}} \n - User's name brut forced: {{ctx.payload._value.0}}\n - Number of tries for each user: {{ctx.payload._value.1}}"
}
}
}
}
This script working perfectly and detect the brute force in the last 1 hour.
As it's my first script I wanted to share it, to tell me if I made some mistakes, even if it's working !
And I want to ask some questions:
- Now I receive more than 1 mail for the same brute force, is there a solution to receive just 1 mail for each alerte ?
- When I edited the script and clicked on it, I had this response :
{
"_id" : "brute_force_winlogbeat",
"_version" : 852,
"_seq_no" : 851,
"_primary_term" : 1,
"created" : false
}
As it's the first time I edit it I think I shoud see version: 2, so why I am seeing version 852 or I understood it wrong.
Thanks for your help 