Watcher: Conditional action for failed login event

Hi,

I have one watcher which checks for user login events every 1 minute. Now I have issues in filtering the results in the following manner:

  1. I want to get only the failed login events (exclude successful logins). Here the "event.type" field gives the event message, which is either authentication success or authentication failed.
  2. Alert only if the login request is from outside the host country (example: alert if the request source country is other than US). In the below watcher, the "source.geo.country_name" field gives the value of the country.
        {
          "trigger": {
            "schedule": {
              "interval": "1m"
            }
          },
          "input": {
            "search": {
              "request": {
                "search_type": "query_then_fetch",
                "indices": [
                  "auditbeat-*"
                ],
                "rest_total_hits_as_int": true,
                "body": {
                  "size": 0,
                  "query": {
                    "bool": {
                      "filter": [
                        {
                          "range": {
                            "@timestamp": {
                              "from": "now-1m",
                              "to": "now"
                            }
                          }
                        },
                        {
                          "term": {
                            "event.action": "user_login"
                          }
                        }
                      ]
                    }
                  },
                  "aggs": {
                    "authmsg": {
                      "terms": {
                        "field": "event.type",
                        "size": 5
                      },
                      "aggs": {
                        "country": {
                          "terms": {
                            "field": "source.geo.country_name",
                            "size": 5
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }

Below is the response for the above query:

        "aggregations" : {
          "authmsg" : {
            "doc_count_error_upper_bound" : 0,
            "sum_other_doc_count" : 0,
            "buckets" : [
              {
                "country" : {
                  "doc_count_error_upper_bound" : 0,
                  "sum_other_doc_count" : 0,
                  "buckets" : [
                    {
                      "doc_count" : 1,
                      "key" : "Canada"
                    }
                  ]
                },
                "doc_count" : 1,
                "key" : "authentication_failed"
              }
            ]
          }
        }

I tried a few solutions from other posts but no luck. Can anyone help me fix this or point me to an example similar to the above request?

Hello...
I was able to achieve the first requirement, i.e. "alerts for only failed login attempts", by adding the below filter after the event.action filter:

        {
          "terms": {
            "event.type": [
              "authentication_failure"
            ]
          }
        }

Can anyone help me with the second point, i.e. alert only if the login request is from outside the host country?
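Added example (not code from the thread or from Elastic): the watcher input body extended with the second requirement, plus a small offline evaluator that applies the same bool-query semantics to constructed sample events so the effect of each clause can be checked. The field names are the ones used in the thread; the home country value "United States" is an assumption. The `event.type` value is taken from the filter the poster reported working ("authentication_failure"); note that the aggregation output earlier in the thread shows the key as "authentication_failed", so the value should be checked against what the index actually holds. Events with no `source.geo.country_name` (internal or private source addresses) would otherwise pass a bare `must_not` clause and raise an alert, so an `exists` filter is included to keep them out.

```python
"""Watcher body for failed logins from outside the home country, with an
offline evaluator over constructed events (added example, not Elastic's code)."""
from datetime import datetime, timedelta, timezone

HOME_COUNTRY = "United States"  # assumption: set to the host's country

# Watcher input body: failed user_login events in the last minute whose source
# country is known and is not HOME_COUNTRY.
WATCHER_BODY = {
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                {"range": {"@timestamp": {"from": "now-1m", "to": "now"}}},
                {"term": {"event.action": "user_login"}},
                {"terms": {"event.type": ["authentication_failure"]}},
                # Without this, events lacking geo data would also alert.
                {"exists": {"field": "source.geo.country_name"}},
            ],
            "must_not": [
                {"term": {"source.geo.country_name": HOME_COUNTRY}},
            ],
        }
    },
}

# Watcher condition: fire the action when at least one document matched.
WATCHER_CONDITION = {"compare": {"ctx.payload.hits.total": {"gt": 0}}}


def _get(event, field):
    """Resolve a dotted field name against a nested dict; None if absent."""
    cur = event
    for part in field.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _relative(expr, now):
    """Parse the 'now' / 'now-<n>m' date-math forms used in the body."""
    if expr == "now":
        return now
    if expr.startswith("now-") and expr.endswith("m"):
        return now - timedelta(minutes=int(expr[4:-1]))
    raise ValueError(f"unsupported date math: {expr}")


def _clause_matches(clause, event, now):
    """Evaluate one leaf clause (term, terms, exists, range) against an event."""
    (kind, body), = clause.items()
    if kind == "term":
        (field, value), = body.items()
        return _get(event, field) == value
    if kind == "terms":
        (field, values), = body.items()
        return _get(event, field) in values
    if kind == "exists":
        return _get(event, body["field"]) is not None
    if kind == "range":
        (field, bounds), = body.items()
        ts = _get(event, field)
        return ts is not None and _relative(bounds["from"], now) <= ts <= _relative(bounds["to"], now)
    raise ValueError(f"unsupported clause: {kind}")


def event_matches(event, body, now):
    """bool query: every filter clause must match and no must_not clause may."""
    b = body["query"]["bool"]
    return all(_clause_matches(c, event, now) for c in b.get("filter", [])) and not any(
        _clause_matches(c, event, now) for c in b.get("must_not", []))


def count_hits(events, body, now):
    """Equivalent of ctx.payload.hits.total for the given events."""
    return sum(event_matches(e, body, now) for e in events)


def condition_fires(hits_total, condition=WATCHER_CONDITION):
    """Apply the compare condition to a hits total."""
    return hits_total > condition["compare"]["ctx.payload.hits.total"]["gt"]


# Constructed sample events (not real auditbeat data).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def sample_event(seconds_ago, event_type, country=None):
    ev = {"@timestamp": NOW - timedelta(seconds=seconds_ago),
          "event": {"action": "user_login", "type": event_type}}
    if country is not None:
        ev["source"] = {"geo": {"country_name": country}}
    return ev


SAMPLE_EVENTS = [
    sample_event(10, "authentication_failure", "Canada"),         # alerts
    sample_event(20, "authentication_success", "Canada"),         # success: filtered out
    sample_event(30, "authentication_failure", "United States"),  # home country: excluded
    sample_event(40, "authentication_failure"),                   # no geo: excluded by exists
    sample_event(120, "authentication_failure", "Germany"),       # outside the 1m window
]

if __name__ == "__main__":
    hits = count_hits(SAMPLE_EVENTS, WATCHER_BODY, NOW)
    print(f"hits={hits} fires={condition_fires(hits)}")
```

The `filter` and `must_not` clauses in `WATCHER_BODY` can be pasted directly into the watcher's `input.search.request.body.query`, and `WATCHER_CONDITION` goes under the top-level `condition` key; with `size: 0` the aggregations in the original watcher are still returned in the payload for use in the action's message.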

Hi,

It would be great if anyone could help me out here. Kindly let me know if anyone requires more info.

Hi Admins,

Can anyone please help me here?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.