I'm trying to create a Watcher alert every time an IP is blocked by a security device. The alert must be based on the number of logs generated by this device. If there are more than 10 logs per minute in a specific region, an alert must be triggered. Please find my watcher below; I'm new to ELK, so I need some help.
I expect to have the following information in the alert:
Region, IP blocked, Total alert
Example:
EU, 192.168.1.1, 10 logs generated by the device
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "cef*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1h",
                      "lt": "now"
                    }
                  },
                  "bool": {
                    "filter": [
                      {
                        "bool": {
                          "should": [
                            {
                              "bool": {
                                "should": [
                                  {
                                    "match": {
                                      "sourceAddress": "192.168.1.0/24"
                                    }
                                  }
                                ],
                                "minimum_should_match": 1
                              }
                            },
                            {
                              "bool": {
                                "should": [
                                  {
                                    "match": {
                                      "sourceAddress": "192.168.2.0/22"
                                    }
                                  }
                                ],
                                "minimum_should_match": 1
                              }
                            }
                          ],
                          "minimum_should_match": 1
                        }
                      },
                      {
                        "bool": {
                          "should": [
                            {
                              "match": {
                                "region": "EU"
                              }
                            }
                          ],
                          "minimum_should_match": 1
                        }
                      },
                      {
                        "bool": {
                          "must_not": {
                            "bool": {
                              "should": [
                                {
                                  "match": {
                                    "Attack_Categeory": "Filter List"
                                  }
                                }
                              ],
                              "minimum_should_match": 1
                            }
                          }
                        }
                      }
                    ]
                  }
                }
              ]
            }
          },
          "aggs": {
            "sources": {
              "terms": {
                "field": "sourceAddress",
                "min_doc_count": 10
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.sources.buckets.size() > 0",
      "lang": "painless"
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "to": [
          "test@test.intra"
        ],
        "subject": "{{ctx.payload.aggregations.sources.buckets.0.key}} generated *{{ctx.payload.aggregations.sources.buckets.0.doc_count}}* logs in the last minute"
      }
    }
  }
}
After simulating the watch I get the errors below:
"result": {
  "execution_time": "2021-11-15T12:47:38.314Z",
  "execution_duration": 1,
  "input": {
    "type": "search",
    "status": "failure",
    "error": {
      "root_cause": [
        {
          "type": "parsing_exception",
          "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
          "line": 1,
          "col": 81
        }
      ],
      "type": "x_content_parse_exception",
      "reason": "[1:81] [bool] failed to parse field [filter]",
      "caused_by": {
        "type": "parsing_exception",
        "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
        "line": 1,
        "col": 81
      }
    },
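The parse error comes from the first element of the outer `filter` array in the watch above: that one object carries both a `range` clause and a `bool` clause, but every query clause must be its own object in the array, so the parser reads `range`, then expects the object to close and instead finds the field name `bool`. The watch below is an added, corrected example and is not the original poster's code. It assumes the same index pattern (`cef*`) and field names (`sourceAddress` mapped as `ip` so the CIDR `term` queries work, `region` and `sourceAddress` aggregatable, `Attack_Categeory` as written in the post); the recipient address and the aggregation names `by_region` and `by_ip` are placeholders. It also narrows the time window to the last minute to match the 1-minute trigger, sets `min_doc_count` to 11 so that "more than 10 logs" is enforced, and uses a transform to flatten the nested buckets into one list of region, IP and count for the email.

```json
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "cef*"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m",
                      "lt": "now"
                    }
                  }
                },
                {
                  "bool": {
                    "should": [
                      { "term": { "sourceAddress": "192.168.1.0/24" } },
                      { "term": { "sourceAddress": "192.168.2.0/22" } }
                    ],
                    "minimum_should_match": 1
                  }
                },
                {
                  "match": {
                    "region": "EU"
                  }
                }
              ],
              "must_not": [
                {
                  "match": {
                    "Attack_Categeory": "Filter List"
                  }
                }
              ]
            }
          },
          "aggs": {
            "by_region": {
              "terms": {
                "field": "region",
                "size": 50
              },
              "aggs": {
                "by_ip": {
                  "terms": {
                    "field": "sourceAddress",
                    "size": 100,
                    "min_doc_count": 11
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "source": "for (def r : ctx.payload.aggregations.by_region.buckets) { if (r.by_ip.buckets.size() > 0) { return true; } } return false;"
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "def rows = []; for (def r : ctx.payload.aggregations.by_region.buckets) { for (def b : r.by_ip.buckets) { rows.add(['region': r.key, 'ip': b.key, 'count': b.doc_count]); } } return ['blocked': rows];"
    }
  },
  "actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "to": [
          "soc@example.invalid"
        ],
        "subject": "Blocked IPs exceeded 10 logs per minute",
        "body": {
          "text": "Region, IP blocked, Total\n{{#ctx.payload.blocked}}{{region}}, {{ip}}, {{count}} logs generated by the device\n{{/ctx.payload.blocked}}"
        }
      }
    }
  }
}
```

Two points worth checking before deploying: Watcher evaluates the condition before the transform, so the condition walks the raw aggregation buckets while the email template reads the flattened `ctx.payload.blocked` list produced by the transform; and if `region` is a `text` field, the terms aggregation needs its `keyword` sub-field (for example `region.keyword`) or it will fail at execution time.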