问题描述
我开始创建一些 Watcher 告警,第一个脚本是用 winlogbeat 的数据检测暴力破解行为。这是我的脚本:
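PUT _watcher/watch/brute_force_winlogbeat
{
  "metadata": {
    "failure_threshold": 3
  },
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": "winlogbeat-*",
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-1h",
                    "lte": "now"
                  }
                }
              }
            }
          },
          "aggs": {
            "by_event_category": {
              "terms": {
                "field": "event.category"
              },
              "aggs": {
                "by_event_outcome": {
                  "terms": {
                    "field": "event.outcome"
                  },
                  "aggs": {
                    "by_user_name": {
                      "terms": {
                        "field": "user.name"
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": """
      // Fires when any single user.name has more than ctx.metadata.failure_threshold
      // failed authentication events inside the input's search window (the
      // range filter above: now-1h .. now). Counts come from the nested terms
      // aggregations event.category -> event.outcome -> user.name.
      //
      // The threshold lives in the watch metadata so this condition and the
      // transform below cannot drift apart.
      //
      // Scope notes for whoever tunes this:
      //  - The watch runs every minute over a one-hour window and the email
      //    is throttled for 15m, so one burst of failures can be reported
      //    again on later runs while it is still inside the window.
      //  - Counting per user.name catches many failures against one
      //    account; a low number of failures spread over many accounts stays
      //    under the threshold and needs a separate, per-source rule.
      //  - The category/outcome match could also be moved into the query's
      //    bool filter; it is kept here to preserve the original payload shape.
      int threshold = ctx.metadata.failure_threshold;
      for (def category : ctx.payload.aggregations.by_event_category.buckets) {
        if (category.key != "authentication") {
          continue;
        }
        for (def outcome : category.by_event_outcome.buckets) {
          if (outcome.key != "failure") {
            continue;
          }
          // Iterate the bucket *list*. The aggregation map's size() is the
          // number of keys in that map (buckets, sum_other_doc_count, ...),
          // which neither equals nor bounds the number of user buckets, so
          // indexing buckets[k] up to it can skip users or run out of range.
          for (def user : outcome.by_user_name.buckets) {
            if (user.doc_count > threshold) {
              return true;
            }
          }
        }
      }
      // Explicit, so the condition never depends on what a script that falls
      // off its end evaluates to.
      return false;
    """
  },
  "transform": {
    "script": """
      // Builds the value the email renders:
      //   {{ctx.payload._value.0}} - user names over the threshold
      //   {{ctx.payload._value.1}} - their failure counts, same order
      //   {{ctx.payload._value.2}} - number of flagged users
      // Lists grow with the number of flagged users, so no user past a fixed
      // cap is silently dropped and the email never prints unused null slots.
      // Each user.name terms aggregation still returns only its top "size"
      // buckets (10 unless set), so raise that size if more users per run
      // must be listed.
      int threshold = ctx.metadata.failure_threshold;
      List brute_forced_users = new ArrayList();
      List number_of_tries = new ArrayList();
      for (def category : ctx.payload.aggregations.by_event_category.buckets) {
        if (category.key != "authentication") {
          continue;
        }
        for (def outcome : category.by_event_outcome.buckets) {
          if (outcome.key != "failure") {
            continue;
          }
          // Every terms bucket carries key and doc_count, so the former
          // "size() != 0" guards on the bucket maps added nothing.
          for (def user : outcome.by_user_name.buckets) {
            if (user.doc_count > threshold) {
              brute_forced_users.add(user.key);
              number_of_tries.add(user.doc_count);
            }
          }
        }
      }
      return [brute_forced_users, number_of_tries, brute_forced_users.size()];
    """
  },
  "actions": {
    "email_admin": {
      "throttle_period": "15m",
      "email": {
        "to": "adresse_mail@gmail.com",
        "subject": "Brute force attack detected",
        "body": "\n ============================ BRUT FORCE DETECTED ============================\n - Number of brut force detected: {{ctx.payload._value.2}} \n - User's name brut forced: {{ctx.payload._value.0}}\n - Number of tries for each user: {{ctx.payload._value.1}}"
      }
    }
  }
}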
此脚本可以完美运行,能检测到最近 1 小时内的暴力破解。因为这是我的第一个脚本,所以想分享出来,请大家指出我是否犯了什么错误——即使它目前是可用的!
我想问一些问题:
{
"_id" : "brute_force_winlogbeat","_version" : 852,"_seq_no" : 851,"_primary_term" : 1,"created" : false
}
因为这是我第一次编辑它,我预期看到的应该是 "_version": 2,那么为什么看到的是 852?还是我误解了该字段的含义?
感谢您的帮助:)