Last active
September 22, 2020 17:43
-
-
Save bornatalebi/92f004ff2faf84647418438d72b06261 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "_id" : "winlogs_ca23891f-7176-461c-bb9e-3843a634dfc1-2020-09-22T08:56:59.856268Z", | |
| "watch_record" : { | |
| "watch_id" : "winlogs", | |
| "node" : "eXtEY0w5QVeHHEL_ZYk9Cg", | |
| "state" : "executed", | |
| "user" : "elastic", | |
| "status" : { | |
| "state" : { | |
| "active" : true, | |
| "timestamp" : "2020-09-22T08:56:48.107Z" | |
| }, | |
| "last_checked" : "2020-09-22T08:56:59.856Z", | |
| "last_met_condition" : "2020-09-22T08:56:59.856Z", | |
| "actions" : { | |
| "index_payload" : { | |
| "ack" : { | |
| "timestamp" : "2020-09-22T08:56:48.107Z", | |
| "state" : "awaits_successful_execution" | |
| } | |
| } | |
| }, | |
| "execution_state" : "executed", | |
| "version" : 1 | |
| }, | |
| "trigger_event" : { | |
| "type" : "manual", | |
| "triggered_time" : "2020-09-22T08:56:59.856Z", | |
| "manual" : { | |
| "schedule" : { | |
| "scheduled_time" : "2020-09-22T08:56:59.856Z" | |
| } | |
| } | |
| }, | |
| "input" : { | |
| "search" : { | |
| "request" : { | |
| "search_type" : "query_then_fetch", | |
| "indices" : [ | |
| "winlogbeat-*" | |
| ], | |
| "rest_total_hits_as_int" : true, | |
| "body" : { | |
| "query" : { | |
| "bool" : { | |
| "must" : [ | |
| { | |
| "range" : { | |
| "@timestamp" : { | |
| "gte" : "now-{{ctx.metadata.window_period}}" | |
| } | |
| } | |
| } | |
| ], | |
| "should" : [ | |
| { | |
| "terms" : { | |
| "event.code" : [ | |
| "4720", | |
| "4726", | |
| "4624" | |
| ] | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs" : { | |
| "event_types" : { | |
| "filters" : { | |
| "filters" : { | |
| "add" : { | |
| "term" : { | |
| "event.code" : { | |
| "value" : "4720" | |
| } | |
| } | |
| }, | |
| "remove" : { | |
| "term" : { | |
| "event.code" : { | |
| "value" : "4726" | |
| } | |
| } | |
| }, | |
| "login" : { | |
| "term" : { | |
| "event.code" : { | |
| "value" : "4624" | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "aggs" : { | |
| "users" : { | |
| "terms" : { | |
| "field" : "winlog.event_data.TargetUserName", | |
| "size" : 1000 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "size" : 0 | |
| } | |
| } | |
| } | |
| }, | |
| "condition" : { | |
| "script" : { | |
| "source" : """ | |
| def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| return ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(p -> p.key).filter(p -> removes.contains(p)).filter(p -> logins.contains(p)).toArray().length > 0; | |
| """, | |
| "lang" : "painless" | |
| } | |
| }, | |
| "metadata" : { | |
| "window_period" : "2d" | |
| }, | |
| "result" : { | |
| "execution_time" : "2020-09-22T08:56:59.856Z", | |
| "execution_duration" : 4555, | |
| "input" : { | |
| "type" : "search", | |
| "status" : "success", | |
| "payload" : { | |
| "_shards" : { | |
| "total" : 1, | |
| "failed" : 0, | |
| "successful" : 1, | |
| "skipped" : 0 | |
| }, | |
| "hits" : { | |
| "hits" : [ ], | |
| "total" : 10000, | |
| "max_score" : null | |
| }, | |
| "took" : 4490, | |
| "timed_out" : false, | |
| "aggregations" : { | |
| "event_types" : { | |
| "buckets" : { | |
| "add" : { | |
| "doc_count" : 6, | |
| "users" : { | |
| "doc_count_error_upper_bound" : 0, | |
| "sum_other_doc_count" : 0, | |
| "buckets" : [ | |
| { | |
| "doc_count" : 1, | |
| "key" : "borbor" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "ddd" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "mehdi" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "mehdi2" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "mehmeh" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "talebi" | |
| } | |
| ] | |
| } | |
| }, | |
| "login" : { | |
| "doc_count" : 6308, | |
| "users" : { | |
| "doc_count_error_upper_bound" : 0, | |
| "sum_other_doc_count" : 0, | |
| "buckets" : [ | |
| { | |
| "doc_count" : 5419, | |
| "key" : "AD$" | |
| }, | |
| { | |
| "doc_count" : 495, | |
| "key" : "SYSTEM" | |
| }, | |
| { | |
| "doc_count" : 314, | |
| "key" : "RASS$" | |
| }, | |
| { | |
| "doc_count" : 29, | |
| "key" : "ANONYMOUS LOGON" | |
| }, | |
| { | |
| "doc_count" : 16, | |
| "key" : "Administrator" | |
| }, | |
| { | |
| "doc_count" : 10, | |
| "key" : "MSDIsatis" | |
| }, | |
| { | |
| "doc_count" : 4, | |
| "key" : "LOCAL SERVICE" | |
| }, | |
| { | |
| "doc_count" : 4, | |
| "key" : "NETWORK SERVICE" | |
| }, | |
| { | |
| "doc_count" : 3, | |
| "key" : "administrator" | |
| }, | |
| { | |
| "doc_count" : 2, | |
| "key" : "DWM-1" | |
| }, | |
| { | |
| "doc_count" : 2, | |
| "key" : "DWM-2" | |
| }, | |
| { | |
| "doc_count" : 2, | |
| "key" : "UMFD-2" | |
| }, | |
| { | |
| "doc_count" : 2, | |
| "key" : "borbor" | |
| }, | |
| { | |
| "doc_count" : 2, | |
| "key" : "ddd" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "MSSQLSERVER" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "SQLTELEMETRY" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "UMFD-0" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "UMFD-1" | |
| } | |
| ] | |
| } | |
| }, | |
| "remove" : { | |
| "doc_count" : 4, | |
| "users" : { | |
| "doc_count_error_upper_bound" : 0, | |
| "sum_other_doc_count" : 0, | |
| "buckets" : [ | |
| { | |
| "doc_count" : 1, | |
| "key" : "borbor" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "mehdi" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "mehdi2" | |
| }, | |
| { | |
| "doc_count" : 1, | |
| "key" : "talebi" | |
| } | |
| ] | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "search" : { | |
| "request" : { | |
| "search_type" : "query_then_fetch", | |
| "indices" : [ | |
| "winlogbeat-*" | |
| ], | |
| "rest_total_hits_as_int" : true, | |
| "body" : { | |
| "query" : { | |
| "bool" : { | |
| "must" : [ | |
| { | |
| "range" : { | |
| "@timestamp" : { | |
| "gte" : "now-2d" | |
| } | |
| } | |
| } | |
| ], | |
| "should" : [ | |
| { | |
| "terms" : { | |
| "event.code" : [ | |
| "4720", | |
| "4726", | |
| "4624" | |
| ] | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs" : { | |
| "event_types" : { | |
| "filters" : { | |
| "filters" : { | |
| "add" : { | |
| "term" : { | |
| "event.code" : { | |
| "value" : "4720" | |
| } | |
| } | |
| }, | |
| "remove" : { | |
| "term" : { | |
| "event.code" : { | |
| "value" : "4726" | |
| } | |
| } | |
| }, | |
| "login" : { | |
| "term" : { | |
| "event.code" : { | |
| "value" : "4624" | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "aggs" : { | |
| "users" : { | |
| "terms" : { | |
| "field" : "winlog.event_data.TargetUserName", | |
| "size" : 1000 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "size" : 0 | |
| } | |
| } | |
| } | |
| }, | |
| "condition" : { | |
| "type" : "script", | |
| "status" : "success", | |
| "met" : true | |
| }, | |
| "transform" : { | |
| "type" : "script", | |
| "status" : "failure", | |
| "reason" : "runtime error", | |
| "error" : { | |
| "root_cause" : [ | |
| { | |
| "type" : "script_exception", | |
| "reason" : "runtime error", | |
| "script_stack" : [ | |
| "o -> o.host.ip).filter(", | |
| " ^---- HERE" | |
| ], | |
| "script" : """ | |
| def docs = []; | |
| def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| def hits = ctx.payload.aggregations.event_types.buckets.add.users.buckets; | |
| for (hit in hits){ | |
| def document = [ | |
| '@timestamp':ctx.execution_time, | |
| 'origin host': ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(o -> o.host.ip).filter(o -> removes.contains(o)).filter(oo -> logins.contains(oo)).toArray(), | |
| 'usernames' : ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(u -> u.key).filter(u -> removes.contains(u)).filter(uu -> logins.contains(uu)).toArray() | |
| ]; | |
| docs.add(document); | |
| } | |
| return ['_doc':docs]; | |
| """, | |
| "lang" : "painless", | |
| "position" : { | |
| "offset" : 632, | |
| "start" : 621, | |
| "end" : 644 | |
| } | |
| } | |
| ], | |
| "type" : "script_exception", | |
| "reason" : "runtime error", | |
| "script_stack" : [ | |
| "o -> o.host.ip).filter(", | |
| " ^---- HERE" | |
| ], | |
| "script" : """ | |
| def docs = []; | |
| def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| def hits = ctx.payload.aggregations.event_types.buckets.add.users.buckets; | |
| for (hit in hits){ | |
| def document = [ | |
| '@timestamp':ctx.execution_time, | |
| 'origin host': ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(o -> o.host.ip).filter(o -> removes.contains(o)).filter(oo -> logins.contains(oo)).toArray(), | |
| 'usernames' : ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(u -> u.key).filter(u -> removes.contains(u)).filter(uu -> logins.contains(uu)).toArray() | |
| ]; | |
| docs.add(document); | |
| } | |
| return ['_doc':docs]; | |
| """, | |
| "lang" : "painless", | |
| "position" : { | |
| "offset" : 632, | |
| "start" : 621, | |
| "end" : 644 | |
| }, | |
| "caused_by" : { | |
| "type" : "null_pointer_exception", | |
| "reason" : null | |
| } | |
| } | |
| }, | |
| "actions" : [ ] | |
| }, | |
| "messages" : [ | |
| "failed to execute watch transform" | |
| ] | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| PUT _watcher/watch/winlogs | |
| { | |
| "metadata": { | |
| "window_period": "15m" | |
| }, | |
| "trigger": { | |
| "schedule": { | |
| "interval": "5m" | |
| } | |
| }, | |
| "input": { | |
| "search": { | |
| "request": { | |
| "indices": "winlogbeat-*", | |
| "body": { | |
| "query": { | |
| "bool": { | |
| "must": [ | |
| { | |
| "range": { | |
| "@timestamp": { | |
| "gte": "now-{{ctx.metadata.window_period}}" | |
| } | |
| } | |
| } | |
| ], | |
| "should": [ | |
| { | |
| "terms": { | |
| "event.code": [ | |
| "4720", | |
| "4726", | |
| "4624" | |
| ] | |
| } | |
| } | |
| ] | |
| } | |
| }, | |
| "aggs": { | |
| "event_types": { | |
| "filters": { | |
| "filters": { | |
| "add": { | |
| "term": { | |
| "event.code": { | |
| "value": "4720" | |
| } | |
| } | |
| }, | |
| "remove": { | |
| "term": { | |
| "event.code": { | |
| "value": "4726" | |
| } | |
| } | |
| }, | |
| "login": { | |
| "term": { | |
| "event.code": { | |
| "value": "4624" | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "aggs": { | |
| "users": { | |
| "terms": { | |
| "field": "winlog.event_data.TargetUserName", | |
| "size": 1000 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "size": 0 | |
| } | |
| } | |
| } | |
| }, | |
| "condition": { | |
| "script": { | |
| "source": """ | |
| def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| return ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(p -> p.key).filter(p -> removes.contains(p)).filter(p -> logins.contains(p)).toArray().length > 0; | |
| """, | |
| "lang": "painless" | |
| } | |
| }, | |
| "transform": { | |
| "script": { | |
| "source": """ | |
| def docs = []; | |
| def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
| def hits = ctx.payload.aggregations.event_types.buckets.add.users.buckets; | |
| for (hit in hits){ | |
| def document = [ | |
| '@timestamp':ctx.execution_time, | |
| 'origin host': ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(o -> o.host.ip).filter(o -> removes.contains(o)).filter(o -> logins.contains(o)).toArray(), | |
| 'usernames' : ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(u -> u.key).filter(u -> removes.contains(u)).filter(u -> logins.contains(u)).toArray() | |
| ]; | |
| docs.add(document); | |
| } | |
| return ['_doc':docs]; | |
| """, | |
| "lang": "painless" | |
| } | |
| }, | |
| "throttle_period": "15m", | |
| "actions": { | |
| "index_payload": { | |
| "foreach": "ctx.payload._doc", | |
| "max_iterations": 100, | |
| "index": { | |
| "index": "winlogtest" | |
| } | |
| } | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment