30. 07. 2019 Angelo Rosace Development, NetEye

How To: Using the Elastic Watcher Feature to React to Failed Logon Attempts (Part 1)

The introduction of the new Elastic Features (formerly X-Pack packages) for the Elastic Stack added many new functionalities to the previous implementation in NetEye. One of them is the Watcher feature.

Let’s discuss a use case based on this feature.

Imagine that, as a user, you want to trigger a webhook alert every time a particular event happens on the system. For the purposes of this example, let’s say we want to trigger it whenever a failed login attempt occurs on the NetEye server.

Assume also that you do not have any Elastic Features installed on your machine yet. In this case, the first thing to do is install the NetEye SIEM feature module, which NetEye provides with an add-on subscription.

This module provides the extended Elastic Features for Elasticsearch, Logstash and Kibana. You can easily install the packages yourself by following our NetEye user guide at User Guide > Initial Configuration > Installing additional modules to install both the Log Manager module and the NetEye SIEM module. The Elastic Stack features are included with OEM support in the module.

After activating the package licenses, the next thing you will need to do is create the actual watch.

You can do this under Management → Elasticsearch → Watcher → Create advanced watch.

The advanced watch consists of a JSON file. In our specific case, it would look something like this:

{
  "trigger": {
    "schedule": {
      "interval": "20s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "logstash-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-20s",
                      "lte": "now"
                    }
                  }
                }
              ],
              "must": {
                "match": {
                  "message": "Failed password for"
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "send_to_tornado": {
      "webhook": {
        "scheme": "http",
        "host": "localhost",
        "port": 4748,
        "method": "post",
        "path": "/failed_passwords/",
        "params": {
          "token": "abc"
        },
        "headers": {},
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    }
  }
}

First, the trigger section sets how often the watch runs (here, every 20 seconds).

Second, the input section defines the data the watch loads. In this case it searches the logstash-* indices for events from the last 20 seconds whose message matches the string “Failed password for”. Then, the condition section declares under which circumstances the watch’s action should be performed: here, when the search returns at least one hit.

Finally, the actions section describes the action that is performed when the desired scenario occurs. In our case the action is sending a webhook alert.

The interesting thing about the watch is that we can actually make it interact with our new Tornado module. You could for instance send the webhook to Tornado and it will collect the information related to the failed login alert.

To be sure your webhook is working properly, you can install netcat:

yum install nc -y

and then use netcat to listen on the port you specified.
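Netcat shows only the raw request. To also check the path, the token parameter and the JSON body that the watch above sends, a small Python receiver can stand in for the listener; this is an added example, not part of the original post and not NetEye or Tornado code. The names `handle_watch_request`, `Handler` and `SAMPLE_BODY` are hypothetical, and the sample body is a constructed search response.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

EXPECTED_PATH = "/failed_passwords/"  # "path" in the watch's webhook action
EXPECTED_TOKEN = "abc"                # "params.token" in the watch's webhook action

# Constructed sample of what {{#toJson}}ctx.payload{{/toJson}} could render to
SAMPLE_BODY = json.dumps({"hits": {"total": 1, "hits": [{
    "_index": "logstash-2019.07.30",
    "_source": {"message": "Failed password for invalid user admin "
                           "from 192.0.2.10 port 50022 ssh2"}}]}}).encode()

def handle_watch_request(target, body, token=EXPECTED_TOKEN):
    """Validate one webhook call; return (HTTP status, matched log messages)."""
    url = urlsplit(target)
    if url.path != EXPECTED_PATH:
        return 404, []
    sent = parse_qs(url.query).get("token", [""])[0]
    if not hmac.compare_digest(sent.encode(), token.encode()):
        return 403, []  # wrong or missing token: reject before parsing the body
    try:
        hits = json.loads(body)["hits"]["hits"]
        return 200, [hit["_source"]["message"] for hit in hits]
    except (ValueError, KeyError, TypeError):
        return 400, []  # body is not the search response the watch should send

class Handler(BaseHTTPRequestHandler):  # hypothetical stand-in for the real receiver
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        status, messages = handle_watch_request(self.path, self.rfile.read(length))
        for message in messages:
            print("failed logon:", message)
        self.send_response(status)
        self.end_headers()

if __name__ == "__main__":
    # Same port as the watch, IPv4 loopback only; nothing else may be listening there
    HTTPServer(("127.0.0.1", 4748), Handler).serve_forever()
```

A 403 or 400 status in the watch history then points to a token or body problem in the watch definition rather than a connectivity problem.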

And that’s how you can set up a watcher for the first time through the new features implemented with the introduction of Elastic Features, and make it interact with Tornado.
