How to resolve a Watcher script for detecting brute force attacks with winlogbeat
So I started creating some Watcher alerts, and my first script detects brute force behaviour using winlogbeat. Here is my script:
PUT _watcher/watch/brute_force_winlogbeat
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": "winlogbeat-*",
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "from": "now-1h",
                    "to": "now"
                  }
                }
              }
            }
          },
          "aggs": {
            "by_event_category": {
              "terms": {
                "field": "event.category"
              },
              "aggs": {
                "by_event_outcome": {
                  "terms": {
                    "field": "event.outcome"
                  },
                  "aggs": {
                    "by_user_name": {
                      "terms": {
                        "field": "user.name"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": """
      // Fire as soon as any user has more than 3 failed authentications in the search window.
      for (int i = 0; i < ctx.payload.aggregations.by_event_category.buckets.size(); i++) {
        if (ctx.payload.aggregations.by_event_category.buckets[i].key == "authentication") {
          for (int j = 0; j < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets.size(); j++) {
            if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].key == "failure") {
              // Loop bound is by_user_name.buckets.size(): by_user_name.size() is the number of keys
              // in the aggregation map, not the number of user buckets.
              for (int k = 0; k < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets.size(); k++) {
                if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count > 3) {
                  return true;
                }
              }
            }
          }
        }
      }
      return false;
    """
  },
  "transform": {
    "script": """
      // Collect up to 5 users with more than 3 failed authentications, together with their counts.
      String[] brut_forced_users = new String[5];
      int[] number_of_tries = new int[5];
      int count = 0;
      for (int i = 0; i < ctx.payload.aggregations.by_event_category.buckets.size(); i++) {
        if (ctx.payload.aggregations.by_event_category.buckets[i].key == "authentication") {
          for (int j = 0; j < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets.size(); j++) {
            if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].key == "failure") {
              for (int k = 0; k < ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets.size(); k++) {
                if (ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count > 3) {
                  if (count < 5) {
                    brut_forced_users[count] = ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].key;
                    number_of_tries[count] = ctx.payload.aggregations.by_event_category.buckets[i].by_event_outcome.buckets[j].by_user_name.buckets[k].doc_count;
                    count++;
                  }
                }
              }
            }
          }
        }
      }
      // Watcher exposes a non-map return value to the action as ctx.payload._value
      return [brut_forced_users, number_of_tries, count];
    """
  },
  "actions": {
    "email_admin": {
      "throttle_period": "15m",
      "email": {
        "to": "adresse_mail@gmail.com",
        "subject": "Brute force attack detected",
        "body": "\n ============================ BRUT FORCE DETECTED ============================\n - Number of brut force detected: {{ctx.payload._value.2}} \n - User's name brut forced: {{ctx.payload._value.0}}\n - Number of tries for each user: {{ctx.payload._value.1}}"
      }
    }
  }
}
This script works perfectly and detects brute force attempts within the last hour. Since this is my first script, I wanted to share it so you can tell me whether I made some mistakes, even though it is working!
I would like to ask a few questions:
- Right now I receive more than one email for the same brute force attempt; is there a solution so that I receive only one email per alert object?
- When I edit the script and click on it, I get the following response:
{
"_id" : "brute_force_winlogbeat","_version" : 852,"_seq_no" : 851,"_primary_term" : 1,"created" : false
}
Since this was the first time I edited it, I expected to see version 2, so why do I see version 852, or am I misunderstanding the meaning of this field?
Thanks for your help :)
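The nested bucket walk performed by the condition and transform scripts above, reimplemented in Python as an added example (not code from the original post) so the logic can be checked offline against a constructed aggregation payload. The sample aggregation, the user names in it and the function names are assumptions of this example, not data from winlogbeat.

```python
THRESHOLD = 3   # same rule as the watch: more than 3 failures per user
MAX_USERS = 5   # same cap as the transform's fixed-size arrays

# Constructed stand-in for ctx.payload.aggregations; not real winlogbeat data.
SAMPLE_AGGS = {
    "by_event_category": {"buckets": [
        {"key": "authentication", "doc_count": 9, "by_event_outcome": {"buckets": [
            {"key": "failure", "doc_count": 7, "by_user_name": {"buckets": [
                {"key": "alice", "doc_count": 5},
                {"key": "bob", "doc_count": 2},
            ]}},
            {"key": "success", "doc_count": 2, "by_user_name": {"buckets": [
                {"key": "carol", "doc_count": 2},
            ]}},
        ]}},
        # A category with no outcome buckets: the walk must skip it cleanly.
        {"key": "process", "doc_count": 40, "by_event_outcome": {"buckets": []}},
    ]},
}


def failed_logins_by_user(aggs):
    """Walk category -> outcome -> user and return failed logins per user.

    The inner loop runs over by_user_name["buckets"]; bounding it with the
    size of the by_user_name map itself would count its keys, not its buckets.
    """
    failures = {}
    for cat in aggs["by_event_category"]["buckets"]:
        if cat["key"] != "authentication":
            continue
        for outcome in cat["by_event_outcome"]["buckets"]:
            if outcome["key"] != "failure":
                continue
            for user in outcome["by_user_name"]["buckets"]:
                failures[user["key"]] = failures.get(user["key"], 0) + user["doc_count"]
    return failures


def condition(aggs):
    """Watch condition: fire when any user exceeds THRESHOLD failures."""
    return any(n > THRESHOLD for n in failed_logins_by_user(aggs).values())


def transform(aggs):
    """Watch transform: (users, tries, count) for at most MAX_USERS offenders."""
    hits = [(u, n) for u, n in failed_logins_by_user(aggs).items() if n > THRESHOLD]
    hits = hits[:MAX_USERS]
    return [u for u, _ in hits], [n for _, n in hits], len(hits)
```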