{
"watch": {
"trigger": {
"schedule": {
"interval": "15m"
}
},
"input": {
"search": {
"request": {
"indices": "packetbeat-*",
"body": {
"query": {
"bool": {
"filter": {
"range": {
"@timestamp": {
"from": "now-4h"
}
}
},
"must_not": {
"terms": {
"dns.question.etld_plus_one": [
"akadns.net.",
"amazonaws.com.",
"apple.com.",
"apple-dns.net.",
"cloudfront.net.",
"icloud.com.",
"in-addr.arpa.",
"google.com.",
"yahoo.com."
]
}
}
}
},
"size": 0,
"aggs": {
"by_domain": {
"terms": {
"size": 1000,
"field": "dns.question.etld_plus_one"
},
"aggs": {
"unique_hostnames": {
"cardinality": {
"field": "dns.question.name"
}
},
"total_bytes_in": {
"sum": {
"field": "bytes_in"
}
},
"total_bytes_out": {
"sum": {
"field": "bytes_out"
}
},
"high_num_hostnames": {
"bucket_selector": {
"buckets_path": {
"unique_hostnames": "unique_hostnames"
},
"script": "params.unique_hostnames > 200"
}
}
}
}
}
}
}
}
},
"condition": {
"script": {
"inline": "ctx.payload.aggregations.by_domain.buckets.size() > 0"
}
},
"transform": {
"script": {
"source": "def alerts = ctx.payload.aggregations.by_domain.buckets.stream().collect(Collectors.toMap(p->p.key,item->[
\"total_requests\" : item.doc_count,
\"unique_hostnames\" : item.unique_hostnames.value,
\"total_bytes_in\" : item.total_bytes_in.value,
\"total_bytes_out\" : item.total_bytes_out.value,
\"total_bytes\" : item.total_bytes_in.value + item.total_bytes_out.value
]));
return [\"alerts\":alerts];"
}
},
"actions": {
"log_domains": {
"logging": {
"text": "The following domain(s) have a high number of unique hostnames: {{ctx.payload.alerts}}"
}
},
"email_alert": {
"email": {
"to": "'John Doe <john.doe@example.com>'",
"subject": "Suspected DNS Tunnel Alert",
"body": "The following domain(s) have a high number of unique hostnames: {{ctx.payload.alerts}}"
}
}
}
}
}