Skip to content

Instantly share code, notes, and snippets.

@cdahlqvist

cdahlqvist/painless_transform_script_debug.txt

Last active January 6, 2017 15:00
Show Gist options
  • Save cdahlqvist/3df00255f1742ef8575432ce20022c84 to your computer and use it in GitHub Desktop.
Save cdahlqvist/3df00255f1742ef8575432ce20022c84 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
painless_transform_script_debug.txt
## Painless transform script:
POST _scripts/painless/alerting_index_transform
{
"script": "def triggered_time = ctx.trigger.triggered_time; def failure_counts = new HashMap(); ctx.payload.failed_auth_users.aggregations.users.buckets.stream().map(p -> failure_counts.put(p.key,p.doc_count)); def successful_users = ctx.payload.success_auth_users.aggregations.users.buckets.stream().map(p -> p.key).collect(Collectors.toList()); def failure_only_records = ctx.payload.failed_auth_users.aggregations.users.buckets.stream().filter(p -> !successful_users.contains(p.key)).map(e -> ['@timestamp':triggered_time,'user':e.key,'severity':'MEDIUM','failed_auths':e.doc_count]).collect(Collectors.toList()); def success_and_failure_records = ctx.payload.success_auth_users.aggregations.users.buckets.stream().map(e -> ['@timestamp':triggered_time,'user':e.key,'severity':'HIGH','successful_auths':e.doc_count,'failed_auths':failure_counts.get(e.key)]).collect(Collectors.toList()); success_and_failure_records.addAll(failure_only_records); return ['_doc': success_and_failure_records];"
}
## Painless transform script in prettier format:
def triggered_time = ctx.trigger.triggered_time;
def failure_counts = new HashMap();
ctx.payload.failed_auth_users.aggregations.users.buckets.stream().map(p -> failure_counts.put(p.key,p.doc_count));
def successful_users = ctx.payload.success_auth_users.aggregations.users.buckets.stream().map(p -> p.key).collect(Collectors.toList());
def failure_only_records = ctx.payload.failed_auth_users.aggregations.users.buckets.stream().filter(p -> !successful_users.contains(p.key)).map(e -> ['@timestamp':triggered_time,'user':e.key,'severity':'MEDIUM','failed_auths':e.doc_count]).collect(Collectors.toList());
def success_and_failure_records = ctx.payload.success_auth_users.aggregations.users.buckets.stream().map(e -> ['@timestamp':triggered_time,'user':e.key,'severity':'HIGH','successful_auths':e.doc_count,'failed_auths':failure_counts.get(e.key)]).collect(Collectors.toList());
success_and_failure_records.addAll(failure_only_records);
return ['_doc': success_and_failure_records];
## Watcher record containing config and data:
{
"took": 1,
"timed_out": false,
"_shards": {
"total": 1,
"successful": 1,
"failed": 0
},
"hits": {
"total": 1,
"max_score": 1,
"hits": [
{
"_index": ".watcher-history-2-2017.01.06",
"_type": "watch_record",
"_id": "audit_log_watch_47-2017-01-06T14:28:32.931Z",
"_score": 1,
"_source": {
"watch_id": "audit_log_watch",
"state": "executed",
"trigger_event": {
"type": "schedule",
"triggered_time": "2017-01-06T14:28:32.931Z",
"schedule": {
"scheduled_time": "2017-01-06T14:28:32.459Z"
}
},
"input": {
"chain": {
"inputs": [
{
"failed_auth_users": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"<.security_audit_log-{now-1h}>",
"<.security_audit_log-{now}>"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-{{ctx.metadata.window_period}}"
}
}
},
{
"term": {
"event_type": {
"value": "authentication_failed"
}
}
}
]
}
},
"aggs": {
"users": {
"terms": {
"field": "principal",
"size": 1000
}
}
},
"size": 0
}
}
}
}
},
{
"success_auth_users": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"<.security_audit_log-{now-1h}>",
"<.security_audit_log-{now}>"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"terms": {
"principal": [
"{{#ctx.payload.failed_auth_users.aggregations.users.buckets}}{{key}}",
"{{/ctx.payload.failed_auth_users.aggregations.users.buckets}}{{key}}"
]
}
},
{
"range": {
"@timestamp": {
"gte": "now-{{ctx.metadata.window_period}}"
}
}
},
{
"term": {
"event_type": {
"value": "authentication_success"
}
}
}
]
}
},
"aggs": {
"users": {
"terms": {
"field": "principal",
"size": 1000
}
}
},
"size": 0
}
}
}
}
}
]
}
},
"condition": {
"compare": {
"ctx.payload.success_auth_users.hits.total": {
"gt": 0
}
}
},
"metadata": {
"window_period": "1m"
},
"result": {
"execution_time": "2017-01-06T14:28:32.931Z",
"execution_duration": 59,
"input": {
"type": "chain",
"status": "success",
"payload": {
"failed_auth_users": {
"_shards": {
"total": 5,
"failed": 0,
"successful": 5
},
"hits": {
"hits": [],
"total": 9,
"max_score": 0
},
"took": 5,
"timed_out": false,
"aggregations": {
"users": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 4,
"key": "test1"
},
{
"doc_count": 4,
"key": "test2"
},
{
"doc_count": 1,
"key": "elastic"
}
]
}
}
},
"success_auth_users": {
"_shards": {
"total": 5,
"failed": 0,
"successful": 5
},
"hits": {
"hits": [],
"total": 55,
"max_score": 0
},
"took": 2,
"timed_out": false,
"aggregations": {
"users": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 55,
"key": "elastic"
}
]
}
}
}
},
"chain": {
"failed_auth_users": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 5,
"failed": 0,
"successful": 5
},
"hits": {
"hits": [],
"total": 9,
"max_score": 0
},
"took": 5,
"timed_out": false,
"aggregations": {
"users": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 4,
"key": "test1"
},
{
"doc_count": 4,
"key": "test2"
},
{
"doc_count": 1,
"key": "elastic"
}
]
}
}
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"<.security_audit_log-{now-1h}>",
"<.security_audit_log-{now}>"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"range": {
"@timestamp": {
"gte": "now-1m"
}
}
},
{
"term": {
"event_type": {
"value": "authentication_failed"
}
}
}
]
}
},
"aggs": {
"users": {
"terms": {
"field": "principal",
"size": 1000
}
}
},
"size": 0
}
}
}
},
"success_auth_users": {
"type": "search",
"status": "success",
"payload": {
"_shards": {
"total": 5,
"failed": 0,
"successful": 5
},
"hits": {
"hits": [],
"total": 55,
"max_score": 0
},
"took": 2,
"timed_out": false,
"aggregations": {
"users": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"doc_count": 55,
"key": "elastic"
}
]
}
}
},
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"<.security_audit_log-{now-1h}>",
"<.security_audit_log-{now}>"
],
"types": [],
"body": {
"query": {
"bool": {
"must": [
{
"terms": {
"principal": [
"test1",
"test2",
"elastic",
""
]
}
},
{
"range": {
"@timestamp": {
"gte": "now-1m"
}
}
},
{
"term": {
"event_type": {
"value": "authentication_success"
}
}
}
]
}
},
"aggs": {
"users": {
"terms": {
"field": "principal",
"size": 1000
}
}
},
"size": 0
}
}
}
}
}
},
"condition": {
"type": "compare",
"status": "success",
"met": true,
"compare": {
"resolved_values": {
"ctx.payload.success_auth_users.hits.total": 55
}
}
},
"actions": [
{
"id": "index_payload",
"type": "index",
"status": "success",
"transform": {
"type": "script",
"status": "success",
"payload": {
"_doc": [
{
"severity": "HIGH",
"@timestamp": "2017-01-06T14:28:32.931Z",
"failed_auths": null,
"user": "elastic",
"successful_auths": 55
},
{
"severity": "MEDIUM",
"@timestamp": "2017-01-06T14:28:32.931Z",
"failed_auths": 4,
"user": "test1"
},
{
"severity": "MEDIUM",
"@timestamp": "2017-01-06T14:28:32.931Z",
"failed_auths": 4,
"user": "test2"
}
]
}
},
"index": {
"response": [
{
"created": true,
"result": "created",
"id": "AVl0Ll5XTy14VBfLkbFu",
"version": 1,
"type": "audit",
"index": "alert_index"
},
{
"created": true,
"result": "created",
"id": "AVl0Ll5XTy14VBfLkbFv",
"version": 1,
"type": "audit",
"index": "alert_index"
},
{
"created": true,
"result": "created",
"id": "AVl0Ll5XTy14VBfLkbFw",
"version": 1,
"type": "audit",
"index": "alert_index"
}
]
}
}
]
},
"messages": []
}
}
]
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment