{ | |
"_id" : "winlogs_ca23891f-7176-461c-bb9e-3843a634dfc1-2020-09-22T08:56:59.856268Z", | |
"watch_record" : { | |
"watch_id" : "winlogs", | |
"node" : "eXtEY0w5QVeHHEL_ZYk9Cg", | |
"state" : "executed", | |
"user" : "elastic", | |
"status" : { | |
"state" : { | |
"active" : true, | |
"timestamp" : "2020-09-22T08:56:48.107Z" | |
}, | |
"last_checked" : "2020-09-22T08:56:59.856Z", | |
"last_met_condition" : "2020-09-22T08:56:59.856Z", | |
"actions" : { | |
"index_payload" : { | |
"ack" : { | |
"timestamp" : "2020-09-22T08:56:48.107Z", | |
"state" : "awaits_successful_execution" | |
} | |
} | |
}, | |
"execution_state" : "executed", | |
"version" : 1 | |
}, | |
"trigger_event" : { | |
"type" : "manual", | |
"triggered_time" : "2020-09-22T08:56:59.856Z", | |
"manual" : { | |
"schedule" : { | |
"scheduled_time" : "2020-09-22T08:56:59.856Z" | |
} | |
} | |
}, | |
"input" : { | |
"search" : { | |
"request" : { | |
"search_type" : "query_then_fetch", | |
"indices" : [ | |
"winlogbeat-*" | |
], | |
"rest_total_hits_as_int" : true, | |
"body" : { | |
"query" : { | |
"bool" : { | |
"must" : [ | |
{ | |
"range" : { | |
"@timestamp" : { | |
"gte" : "now-{{ctx.metadata.window_period}}" | |
} | |
} | |
} | |
], | |
"should" : [ | |
{ | |
"terms" : { | |
"event.code" : [ | |
"4720", | |
"4726", | |
"4624" | |
] | |
} | |
} | |
] | |
} | |
}, | |
"aggs" : { | |
"event_types" : { | |
"filters" : { | |
"filters" : { | |
"add" : { | |
"term" : { | |
"event.code" : { | |
"value" : "4720" | |
} | |
} | |
}, | |
"remove" : { | |
"term" : { | |
"event.code" : { | |
"value" : "4726" | |
} | |
} | |
}, | |
"login" : { | |
"term" : { | |
"event.code" : { | |
"value" : "4624" | |
} | |
} | |
} | |
} | |
}, | |
"aggs" : { | |
"users" : { | |
"terms" : { | |
"field" : "winlog.event_data.TargetUserName", | |
"size" : 1000 | |
} | |
} | |
} | |
} | |
}, | |
"size" : 0 | |
} | |
} | |
} | |
}, | |
"condition" : { | |
"script" : { | |
"source" : """ | |
def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
return ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(p -> p.key).filter(p -> removes.contains(p)).filter(p -> logins.contains(p)).toArray().length > 0; | |
""", | |
"lang" : "painless" | |
} | |
}, | |
"metadata" : { | |
"window_period" : "2d" | |
}, | |
"result" : { | |
"execution_time" : "2020-09-22T08:56:59.856Z", | |
"execution_duration" : 4555, | |
"input" : { | |
"type" : "search", | |
"status" : "success", | |
"payload" : { | |
"_shards" : { | |
"total" : 1, | |
"failed" : 0, | |
"successful" : 1, | |
"skipped" : 0 | |
}, | |
"hits" : { | |
"hits" : [ ], | |
"total" : 10000, | |
"max_score" : null | |
}, | |
"took" : 4490, | |
"timed_out" : false, | |
"aggregations" : { | |
"event_types" : { | |
"buckets" : { | |
"add" : { | |
"doc_count" : 6, | |
"users" : { | |
"doc_count_error_upper_bound" : 0, | |
"sum_other_doc_count" : 0, | |
"buckets" : [ | |
{ | |
"doc_count" : 1, | |
"key" : "borbor" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "ddd" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "mehdi" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "mehdi2" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "mehmeh" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "talebi" | |
} | |
] | |
} | |
}, | |
"login" : { | |
"doc_count" : 6308, | |
"users" : { | |
"doc_count_error_upper_bound" : 0, | |
"sum_other_doc_count" : 0, | |
"buckets" : [ | |
{ | |
"doc_count" : 5419, | |
"key" : "AD$" | |
}, | |
{ | |
"doc_count" : 495, | |
"key" : "SYSTEM" | |
}, | |
{ | |
"doc_count" : 314, | |
"key" : "RASS$" | |
}, | |
{ | |
"doc_count" : 29, | |
"key" : "ANONYMOUS LOGON" | |
}, | |
{ | |
"doc_count" : 16, | |
"key" : "Administrator" | |
}, | |
{ | |
"doc_count" : 10, | |
"key" : "MSDIsatis" | |
}, | |
{ | |
"doc_count" : 4, | |
"key" : "LOCAL SERVICE" | |
}, | |
{ | |
"doc_count" : 4, | |
"key" : "NETWORK SERVICE" | |
}, | |
{ | |
"doc_count" : 3, | |
"key" : "administrator" | |
}, | |
{ | |
"doc_count" : 2, | |
"key" : "DWM-1" | |
}, | |
{ | |
"doc_count" : 2, | |
"key" : "DWM-2" | |
}, | |
{ | |
"doc_count" : 2, | |
"key" : "UMFD-2" | |
}, | |
{ | |
"doc_count" : 2, | |
"key" : "borbor" | |
}, | |
{ | |
"doc_count" : 2, | |
"key" : "ddd" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "MSSQLSERVER" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "SQLTELEMETRY" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "UMFD-0" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "UMFD-1" | |
} | |
] | |
} | |
}, | |
"remove" : { | |
"doc_count" : 4, | |
"users" : { | |
"doc_count_error_upper_bound" : 0, | |
"sum_other_doc_count" : 0, | |
"buckets" : [ | |
{ | |
"doc_count" : 1, | |
"key" : "borbor" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "mehdi" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "mehdi2" | |
}, | |
{ | |
"doc_count" : 1, | |
"key" : "talebi" | |
} | |
] | |
} | |
} | |
} | |
} | |
} | |
}, | |
"search" : { | |
"request" : { | |
"search_type" : "query_then_fetch", | |
"indices" : [ | |
"winlogbeat-*" | |
], | |
"rest_total_hits_as_int" : true, | |
"body" : { | |
"query" : { | |
"bool" : { | |
"must" : [ | |
{ | |
"range" : { | |
"@timestamp" : { | |
"gte" : "now-2d" | |
} | |
} | |
} | |
], | |
"should" : [ | |
{ | |
"terms" : { | |
"event.code" : [ | |
"4720", | |
"4726", | |
"4624" | |
] | |
} | |
} | |
] | |
} | |
}, | |
"aggs" : { | |
"event_types" : { | |
"filters" : { | |
"filters" : { | |
"add" : { | |
"term" : { | |
"event.code" : { | |
"value" : "4720" | |
} | |
} | |
}, | |
"remove" : { | |
"term" : { | |
"event.code" : { | |
"value" : "4726" | |
} | |
} | |
}, | |
"login" : { | |
"term" : { | |
"event.code" : { | |
"value" : "4624" | |
} | |
} | |
} | |
} | |
}, | |
"aggs" : { | |
"users" : { | |
"terms" : { | |
"field" : "winlog.event_data.TargetUserName", | |
"size" : 1000 | |
} | |
} | |
} | |
} | |
}, | |
"size" : 0 | |
} | |
} | |
} | |
}, | |
"condition" : { | |
"type" : "script", | |
"status" : "success", | |
"met" : true | |
}, | |
"transform" : { | |
"type" : "script", | |
"status" : "failure", | |
"reason" : "runtime error", | |
"error" : { | |
"root_cause" : [ | |
{ | |
"type" : "script_exception", | |
"reason" : "runtime error", | |
"script_stack" : [ | |
"o -> o.host.ip).filter(", | |
" ^---- HERE" | |
], | |
"script" : """ | |
def docs = []; | |
def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
def hits = ctx.payload.aggregations.event_types.buckets.add.users.buckets; | |
for (hit in hits){ | |
def document = [ | |
'@timestamp':ctx.execution_time, | |
'origin host': ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(o -> o.host.ip).filter(o -> removes.contains(o)).filter(oo -> logins.contains(oo)).toArray(), | |
'usernames' : ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(u -> u.key).filter(u -> removes.contains(u)).filter(uu -> logins.contains(uu)).toArray() | |
]; | |
docs.add(document); | |
} | |
return ['_doc':docs]; | |
""", | |
"lang" : "painless", | |
"position" : { | |
"offset" : 632, | |
"start" : 621, | |
"end" : 644 | |
} | |
} | |
], | |
"type" : "script_exception", | |
"reason" : "runtime error", | |
"script_stack" : [ | |
"o -> o.host.ip).filter(", | |
" ^---- HERE" | |
], | |
"script" : """ | |
def docs = []; | |
def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
def hits = ctx.payload.aggregations.event_types.buckets.add.users.buckets; | |
for (hit in hits){ | |
def document = [ | |
'@timestamp':ctx.execution_time, | |
'origin host': ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(o -> o.host.ip).filter(o -> removes.contains(o)).filter(oo -> logins.contains(oo)).toArray(), | |
'usernames' : ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(u -> u.key).filter(u -> removes.contains(u)).filter(uu -> logins.contains(uu)).toArray() | |
]; | |
docs.add(document); | |
} | |
return ['_doc':docs]; | |
""", | |
"lang" : "painless", | |
"position" : { | |
"offset" : 632, | |
"start" : 621, | |
"end" : 644 | |
}, | |
"caused_by" : { | |
"type" : "null_pointer_exception", | |
"reason" : null | |
} | |
} | |
}, | |
"actions" : [ ] | |
}, | |
"messages" : [ | |
"failed to execute watch transform" | |
] | |
} | |
} |
PUT _watcher/watch/winlogs | |
{ | |
"metadata": { | |
"window_period": "15m" | |
}, | |
"trigger": { | |
"schedule": { | |
"interval": "5m" | |
} | |
}, | |
"input": { | |
"search": { | |
"request": { | |
"indices": "winlogbeat-*", | |
"body": { | |
"query": { | |
"bool": { | |
"must": [ | |
{ | |
"range": { | |
"@timestamp": { | |
"gte": "now-{{ctx.metadata.window_period}}" | |
} | |
} | |
} | |
], | |
"should": [ | |
{ | |
"terms": { | |
"event.code": [ | |
"4720", | |
"4726", | |
"4624" | |
] | |
} | |
} | |
] | |
} | |
}, | |
"aggs": { | |
"event_types": { | |
"filters": { | |
"filters": { | |
"add": { | |
"term": { | |
"event.code": { | |
"value": "4720" | |
} | |
} | |
}, | |
"remove": { | |
"term": { | |
"event.code": { | |
"value": "4726" | |
} | |
} | |
}, | |
"login": { | |
"term": { | |
"event.code": { | |
"value": "4624" | |
} | |
} | |
} | |
} | |
}, | |
"aggs": { | |
"users": { | |
"terms": { | |
"field": "winlog.event_data.TargetUserName", | |
"size": 1000 | |
} | |
} | |
} | |
} | |
}, | |
"size": 0 | |
} | |
} | |
} | |
}, | |
"condition": { | |
"script": { | |
"source": """ | |
def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
return ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(p -> p.key).filter(p -> removes.contains(p)).filter(p -> logins.contains(p)).toArray().length > 0; | |
""", | |
"lang": "painless" | |
} | |
}, | |
"transform": { | |
"script": { | |
"source": """ | |
def docs = []; | |
def removes=ctx.payload.aggregations.event_types.buckets.remove.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
def logins=ctx.payload.aggregations.event_types.buckets.login.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); | |
def hits = ctx.payload.aggregations.event_types.buckets.add.users.buckets; | |
for (hit in hits){ | |
def document = [ | |
'@timestamp':ctx.execution_time, | |
'origin host': ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(o -> o.host.ip).filter(o -> removes.contains(o)).filter(o -> logins.contains(o)).toArray(), | |
'usernames' : ctx.payload.aggregations.event_types.buckets.add.users.buckets.stream().map(u -> u.key).filter(u -> removes.contains(u)).filter(u -> logins.contains(u)).toArray() | |
]; | |
docs.add(document); | |
} | |
return ['_doc':docs]; | |
""", | |
"lang": "painless" | |
} | |
}, | |
"throttle_period": "15m", | |
"actions": { | |
"index_payload": { | |
"foreach": "ctx.payload._doc", | |
"max_iterations": 100, | |
"index": { | |
"index": "winlogtest" | |
} | |
} | |
} | |
} | |