Watcher: detect the number of blocked IPs and generate an alert by email

I'm trying to create a Watcher alert that fires every time an IP is blocked by a security device. The alert must be based on the number of logs generated by this device: if there are more than 10 logs per minute for a specific region, the alert must be triggered. Please find my watcher below. I'm new to ELK, so I need some help.
I expect the alert to contain the following information:

Region, blocked IP, total count
Example:

EU, 192.168.1.1, 10 logs generated by the device

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "cef*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1h",
                      "lt": "now"
                    }
                  },
                  
                    "bool": {
                      "filter": [
                        {
                          "bool": {
                            "should": [
                              {
                                "bool": {
                                  "should": [
                                    {
                                      "match": {
                                        "sourceAddress": "192.168.1.0/24"
                                      }
                                    }
                                  ],
                                  "minimum_should_match": 1
                                }
                              },
                              {
                                "bool": {
                                  "should": [
                                    {
                                      "match": {
                                        "sourceAddress": "192.168.2.0/22"
                                      }
                                    }
                                  ],
                                  "minimum_should_match": 1
                                }
                              }
                            ],
                            "minimum_should_match": 1
                          }
                        },
                        {
                          "bool": {
                            "should": [
                              {
                                "match": {
                                  "region": "EU"
                                }
                              }
                            ],
                            "minimum_should_match": 1
                          }
                        },
                        {
                          "bool": {
                            "must_not": {
                              "bool": {
                                "should": [
                                  {
                                    "match": {
                                      "Attack_Categeory": "Filter List"
                                    }
                                  }
                                ],
                                "minimum_should_match": 1
                              }
                            }
                          }
                        }
                      ]
                    }
                  }
                 
              ]
            }
          },
          
          
          "aggs": {
            "sources": {
              "terms": {
                "field": "sourceAddress",
                "min_doc_count": 10
              }
            }
          }
        }
      }
    }
  },
"condition": {
  "script": {
    "source": "return ctx.payload.aggregations.sources.buckets.size() > 0",
    "lang": "painless"
  }
  },

"actions": {
    "email_1": {
      "email": {
        "profile": "standard",
        "to": [
          "test@test.intra"
        ],
        "subject": "{{ctx.payload.aggregations.sources.buckets.0.key}} generated *{{ctx.payload.aggregations.sources.buckets.0.doc_count}}* logs in the last minute"
      }
    }
  }
}

After simulating the rule I get the error below. The `[range] malformed query` message points at the first element of the `filter` array, which contains both a `range` key and a `bool` key in the same object; each element of a `filter` array must be a single query clause. Note also that the email subject says "in the last minute" while the range filter uses `now-1h`.

 "result": {
    "execution_time": "2021-11-15T12:47:38.314Z",
    "execution_duration": 1,
    "input": {
      "type": "search",
      "status": "failure",
      "error": {
        "root_cause": [
          {
            "type": "parsing_exception",
            "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
            "line": 1,
            "col": 81
          }
        ],
        "type": "x_content_parse_exception",
        "reason": "[1:81] [bool] failed to parse field [filter]",
        "caused_by": {
          "type": "parsing_exception",
          "reason": "[range] malformed query, expected [END_OBJECT] but found [FIELD_NAME]",
          "line": 1,
          "col": 81
        }
      },
