From 6c1a1f31d224820bdefc75ee7fcb9e9bd4f8992b Mon Sep 17 00:00:00 2001
From: ts
Date: Fri, 21 Sep 2018 12:07:18 +0100
Subject: [PATCH] ELK watcher WIP
---
 .../logging/watcher/manifests/configure.pp | 23 +++++++++
 .../unix/logging/watcher/secgen_metadata.xml | 34 +++++++++++++
 .../logging/watcher/templates/watch.json.erb | 50 +++++++++++++++++++
 .../utilities/unix/logging/watcher/watcher.pp | 1 +
 4 files changed, 108 insertions(+)
 create mode 100644 modules/utilities/unix/logging/watcher/manifests/configure.pp
 create mode 100644 modules/utilities/unix/logging/watcher/secgen_metadata.xml
 create mode 100644 modules/utilities/unix/logging/watcher/templates/watch.json.erb
 create mode 100644 modules/utilities/unix/logging/watcher/watcher.pp
diff --git a/modules/utilities/unix/logging/watcher/manifests/configure.pp b/modules/utilities/unix/logging/watcher/manifests/configure.pp
new file mode 100644
index 000000000..4d667d64d
--- /dev/null
+++ b/modules/utilities/unix/logging/watcher/manifests/configure.pp
@@ -0,0 +1,23 @@
+class watcher::configure {
+
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+ $elasticsearch_ip = $secgen_parameters['elasticsearch_ip'][0]
+ $elasticsearch_port = 0 + $secgen_parameters['elasticsearch_port'][0]
+
+ # Search string within kibana for a successful login on account: 'test'
+ # "event.category : user-login and event.type : user_login and auditd.result : success and user.name_map.auid : test"
+
+
+ # TODO: Need some automated curl script that utilises a template to generate "create watcher" request
+
+ # Need to send a request to: "172.16.0.2":9200 [ $elasticsearch_ip:$elasticsearch_port ]
+ # PUT _xpack/watcher/watch/my-watch
+ # templates('watcher/watch.json.erb')
+
+ # First: Get it working within Kibana, there is a testing tool within 'Dev tools' section
+ # Second: Create a way to detect whether the watcher is registered correctly, we can GET the watcher endpoint in kibana to check
+ # Third: Implement functionality so the watcher fires a HTTP request to 172.16.0.2:8080
+ # Fourth: Implement a dummy webserver running on 8080 that can recieve requests + displays their contents on the screen.
+ # Fifth: Look into adding SSL to this whole process.
+
+}
\ No newline at end of file
diff --git a/modules/utilities/unix/logging/watcher/secgen_metadata.xml b/modules/utilities/unix/logging/watcher/secgen_metadata.xml
new file mode 100644
index 000000000..fcb8b8106
--- /dev/null
+++ b/modules/utilities/unix/logging/watcher/secgen_metadata.xml
@@ -0,0 +1,34 @@
+ + + + Watcher + Thomas Shaw + Elastic + Apache v2 + TODO + + log_tool + linux + + elasticsearch_ip + elasticsearch_port + + + localhost + + + + 9200 + + + + update + + + + .*elasticsearch + + +
diff --git a/modules/utilities/unix/logging/watcher/templates/watch.json.erb b/modules/utilities/unix/logging/watcher/templates/watch.json.erb
new file mode 100644
index 000000000..223755142
--- /dev/null
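Review bot: `$elasticsearch_ip` and `$elasticsearch_port` are assigned on the third and fifth added lines of `watcher::configure` but nothing in the class uses them, while the planning comments below hard-code `"172.16.0.2":9200` and `172.16.0.2:8080` as the targets; when the registration request is written it should be built from these two variables so the `elasticsearch_ip` and `elasticsearch_port` inputs the module declares actually take effect. The comment `# templates('watcher/watch.json.erb')` names a function Puppet does not have; the rendering call is `template('watcher/watch.json.erb')`. Both lookups dereference `[0]` without checking that the key is present, so an input missing from the parameters fails with an opaque evaluation error instead of naming the input; a guard such as `unless $secgen_parameters['elasticsearch_ip'] { fail('watcher: elasticsearch_ip input is missing') }` before the assignment gives a usable message. The planned `PUT _xpack/watcher/watch/my-watch` sends the watch body to port 9200 over plain HTTP and the 'Fifth' step defers TLS, so the transport and credential handling for that endpoint is better decided before the curl step is implemented than retrofitted afterwards.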
+++ b/modules/utilities/unix/logging/watcher/templates/watch.json.erb
@@ -0,0 +1,50 @@
+{
+ "trigger": {
+ "schedule": {
+ "cron": "0 0/1 * * * ?"
+ }
+ },
+ "input": {
+ "search": {
+ "request": {
+ "indices": [
+ "logstash*"
+ ],
+ "body": {
+ "query": {
+ "bool": {
+ "must": {
+ "match": {
+ "response": 404
+ }
+ },
+ "filter": {
+ "range": {
+ "@timestamp": {
+ "from": "{{ctx.trigger.scheduled_time}}||-5m",
+ "to": "{{ctx.trigger.triggered_time}}"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "condition": {
+ "compare": {
+ "ctx.payload.hits.total": {
+ "gt": 0
+ }
+ }
+ },
+ "actions": {
+ "email_admin": {
+ "email": {
+ "to": "admin@domain.host.com",
+ "subject": "404 recently encountered"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/utilities/unix/logging/watcher/watcher.pp b/modules/utilities/unix/logging/watcher/watcher.pp
new file mode 100644
index 000000000..812b7ba24
--- /dev/null
+++ b/modules/utilities/unix/logging/watcher/watcher.pp
@@ -0,0 +1 @@
+include watcher::configure
\ No newline at end of file
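Review bot: The query in the `input.search` block matches `"response": 404` over `logstash*` and the only action emails `admin@domain.host.com`, which is not the successful-login detection that configure.pp documents as the module's goal, so as committed the watch would never fire on the auditd event it is meant to catch; if this is a placeholder, a TODO at the top of the file should say so, because a file under `templates/` reads as the intended detection. The `cron` schedule fires every minute while the `range` filter looks back `||-5m`, so any matching document is reported up to five times; either align the window with the interval or add a `throttle_period` to the watch. The `email` action only works when Elasticsearch has an email account configured in elasticsearch.yml, which nothing in this commit sets up, and the plan in configure.pp is an HTTP request to 172.16.0.2:8080, which is a `webhook` action rather than `email`. The file carries an `.erb` extension but contains no ERB tags, so the index pattern and recipient are hard-coded; exposing them as `<%= @... %>` variables would let the manifest's parameters drive the watch instead of requiring edits to the template.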