Details
Title:绕过堡垒机进行RDP远程登录
Description:每隔5分钟,查询5分钟内是否有RDP登录成功(源IP地址不是Jumpserver)的日志,如有则告警。
Priority:Normal
Filter & Aggregation
Type:Filter
Search Query:winlogbeat_event_id:4624 AND winlogbeat_event_data_LogonType:10 AND NOT winlogbeat_event_data_IpAddress:<jumpserver>
Streams:
Search within:5 minutes
Execute search every:5 minutes
Details
Title:网络登录失败次数超过阈值 by Account
Description:每隔15分钟查询一次。查询15分钟内登录失败且登录类型为网络登录的日志,按Account聚合,如果记录数超过15,则告警。
Priority:Normal
Filter & Aggregation
Type:Aggregation
Search Query:winlogbeat_event_id:4625 AND winlogbeat_event_data_LogonType:3 AND NOT winlogbeat_event_data_TargetUserName:*$
Streams:
Search within:15 minutes
Execute search every:15 minutes
Group by Field(s):winlogbeat_event_data_TargetUserName
Create Events if:count(winlogbeat_event_data_TargetUserName) > 15
Details
Title:域帐户的身份验证失败超过阈值 by Workstation
Description:每隔15分钟查询一次。查询15分钟内域账号登录发生错误的日志,按workstation名称聚合,如果记录数超过15,则告警。
Priority:Normal
Filter & Aggregation
Type:Aggregation
Search Query:winlogbeat_event_id:4776 AND NOT winlogbeat_event_data_Status:0x0 AND NOT winlogbeat_event_data_TargetUserName:*$
Streams:
Search within:15 minutes
Execute search every:15 minutes
Group by Field(s):winlogbeat_event_data_Workstation
Create Events if:count(winlogbeat_event_data_Workstation) > 15
Details
Title:活动目录异常操作
Description:每隔15分钟查询一次。查询15分钟内域对象的创建、修改、移动和删除操作的记录,按对象类型聚合,如果数量超过15,则告警。
Priority:Normal
Filter & Aggregation
Type:Aggregation
Search Query:winlogbeat_event_id:(5136 OR 5137 OR 5139 OR 5141) AND winlogbeat_event_data_ObjectClass:(computer OR user)
Streams:
Search within:15 minutes
Execute search every:15 minutes
Group by Field(s):winlogbeat_event_data_ObjectClass
Create Events if:count(winlogbeat_event_data_ObjectClass) > 15