Error with Failed Logins with Different Accounts from Single Source System rule
Hi all,
I get an error when I try to simulate the rule named in the subject. I am just getting started with Sigma, so it may be a beginner's mistake, but I have had no problems with the other rules.
ELK 7.6.1 on centOS 7 with xpack-watcher
"exception": {
"type": "index_out_of_bounds_exception",
"reason": "Index 0 out of bounds for length 0"
}
Can you provide the converted rule's query?
Yes, see below:
When I replace ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count with ctx.payload.aggregations.by.buckets.0.doc_count, the error disappears, but I don't know whether that is correct.
{
"trigger": {
"schedule": {
"interval": "24h"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"winlogbeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [
{
"query_string": {
"query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4776\" AND user.name.keyword:* AND source.domain.keyword:*)",
"analyze_wildcard": true
}
}
],
"filter": {
"range": {
"timestamp": {
"gte": "now-30m/m"
}
}
}
}
},
"aggs": {
"by": {
"terms": {
"field": "source.domain.keyword",
"size": 10,
"order": {
"_count": "desc"
},
"min_doc_count": 4
},
"aggs": {
"agg": {
"terms": {
"field": "user.name.keyword",
"size": 10,
"order": {
"_count": "desc"
},
"min_doc_count": 4
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.aggregations.by.buckets.0.agg.buckets.0.doc_count": {
"gt": 3
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"attachments": {
"data.json": {
"data": {
"format": "json"
}
}
},
"to": [
"xxxxxxxxxxxxxxxxxxx"
],
"subject": "Sigma Rule 'Failed Logins with Different Accounts from Single Source System'",
"body": {
"text": "Hits:\n{{#aggregations.agg.buckets}}\n {{key}} {{doc_count}}\n\n{{#by.buckets}}\n-- {{key}} {{doc_count}}\n{{/by.buckets}}\n\n{{/aggregations.agg.buckets}}\n"
}
}
}
},
"metadata": {
"query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4776\" AND user.name.keyword:* AND source.domain.keyword:*)",
"description": "Detects suspicious failed logins with different user accounts from a single source system",
"title": "Failed Logins with Different Accounts from Single Source System",
"tags": [
"attack.persistence",
"attack.privilege_escalation",
"attack.t1078"
]
}
}