puhua.net

View My GitHub Profile

3 November 2020

Graylog Alert Event Definitions

Details
    Title:绕过堡垒机进行RDP远程登录
    Description:每隔5分钟,查询5分钟内是否有RDP登录成功(源IP地址不是Jumpserver)的日志,如有则告警。
    Priority:Normal
Filter & Aggregation
    Type:Filter
    Search Query:winlogbeat_event_id:4624 AND winlogbeat_event_data_LogonType:10 AND NOT winlogbeat_event_data_IpAddress:<jumpserver>
    Streams:
    Search within:5 minutes
    Execute search every:5 minutes
Details
    Title:网络登录失败次数超过阈值 by Account
    Description:每隔15分钟查询一次。查询15分钟内登录失败且登录类型为网络登录的日志,按Account聚合,如果记录数超过15,则告警。
    Priority:Normal
Filter & Aggregation
    Type:Aggregation
    Search Query:winlogbeat_event_id:4625 AND winlogbeat_event_data_LogonType:3 AND NOT winlogbeat_event_data_TargetUserName:*$
    Streams:
    Search within:15 minutes
    Execute search every:15 minutes
    Group by Field(s):winlogbeat_event_data_TargetUserName
    Create Events if:count(winlogbeat_event_data_TargetUserName) > 15
Details
    Title:域帐户的身份验证失败超过阈值 by Workstation
    Description:每隔15分钟查询一次。查询15分钟内域账号登录发生错误的日志,按workstation名称聚合,如果记录数超过15,则告警。
    Priority:Normal    
Filter & Aggregation
    Type:Aggregation
    Search Query:winlogbeat_event_id:4776 AND NOT winlogbeat_event_data_Status:0x0 AND NOT winlogbeat_event_data_TargetUserName:*$
    Streams:
    Search within:15 minutes
    Execute search every:15 minutes
    Group by Field(s):winlogbeat_event_data_Workstation
    Create Events if:count(winlogbeat_event_data_Workstation) > 15    
Details
    Title:活动目录异常操作
    Description:每隔15分钟查询一次。查询15分钟内域对象的创建、修改、移动和删除操作的记录,按对象类型聚合,如果数量超过15,则告警。
    Priority:Normal    
Filter & Aggregation
    Type:Aggregation
    Search Query:winlogbeat_event_id:(5136 OR 5137 OR 5139 OR 5141) AND winlogbeat_event_data_ObjectClass:(computer OR user)
    Streams:
    Search within:15 minutes
    Execute search every:15 minutes
    Group by Field(s):winlogbeat_event_data_ObjectClass
    Create Events if:count(winlogbeat_event_data_ObjectClass) > 15