ElastAlert2 frequency rule getting no hits - elastalert

I am new to Elasticsearch and ElastAlert, and I am facing the following issue.
I am trying to create my first rule and alert. I configured a frequency alert, but I did not get a hit.
The rule configuration file is this:
```yaml
name: Email Auto download
type: frequency
index: gr-winlogbeat-*
num_events: 3
timeframe:
  hours: 1
timestamp_field: "@timestamp"
filter:
- term:
    winlog.provider_name: "Email Auto Download Service"
alert:
- "email"
email:
- "myalert@gmail.com"
```
Here is my Kibana dashboard:
[screenshot: Kibana dashboard]
And the ElastAlert output:
[screenshots: ElastAlert output]
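An added example (not from the question and not ElastAlert's own code) for checking a frequency rule like the one above without waiting for the scheduler: it rebuilds the count query ElastAlert effectively runs (the rule's filter clauses plus a range over the last timeframe) so the filter can be tried directly against the index with `_count`, and it flags a `term` filter that returns nothing when the target field is mapped as text. The rule dict, the `@timestamp` field name and the keyword-subfield hint are assumptions.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# The rule from the question, as a Python dict (constructed here; ElastAlert
# itself loads it from YAML). '@timestamp' is the usual Winlogbeat time field.
RULE = {
    "name": "Email Auto download",
    "type": "frequency",
    "index": "gr-winlogbeat-*",
    "num_events": 3,
    "timeframe": {"hours": 1},
    "timestamp_field": "@timestamp",
    "filter": [{"term": {"winlog.provider_name": "Email Auto Download Service"}}],
}

def build_count_query(rule, now_iso=None):
    """Body for GET <index>/_count: the rule's own filter clauses AND a range
    over the last `timeframe` ending at now_iso (ISO-8601, default: current UTC)."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    start = now - timedelta(**rule["timeframe"])
    ts = rule["timestamp_field"]
    clauses = list(rule["filter"])
    clauses.append({"range": {ts: {"gte": start.isoformat(), "lte": now.isoformat()}}})
    return {"query": {"bool": {"filter": clauses}}}

def would_alert(rule, hit_count):
    """A frequency rule fires once hit_count reaches num_events within one timeframe."""
    return hit_count >= rule["num_events"]

def lint_filters(rule):
    """Heuristic: a `term` query is not analysed, so a multi-word value only
    matches a keyword-mapped field. On a text field it silently returns 0 hits."""
    warnings = []
    for clause in rule["filter"]:
        for field, value in clause.get("term", {}).items():
            if isinstance(value, str) and re.search(r"\s", value):
                warnings.append(f"term on {field!r}: if the field is mapped as text, "
                                f"use its keyword sub-field or a match_phrase query")
    return warnings

if __name__ == "__main__":
    # Save the output as query.json, then: curl -s "$ES/gr-winlogbeat-*/_count" \
    #   -H 'Content-Type: application/json' -d @query.json
    print(json.dumps(build_count_query(RULE), indent=2))
    for warning in lint_filters(RULE):
        print("warning:", warning)
```

If `_count` returns fewer than `num_events` hits for the last hour, the rule cannot fire, and the filter or the timestamp field is the place to look; ElastAlert2 also ships `elastalert-test-rule <rule.yaml>` to run a rule once against the live index.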

Related

Metricbeat gcp module to capture bigquery metrics is not working as expected

I have added the BigQuery metrics configuration in the modules.d/gcp.yml file,
but I am getting the error below:
"2021-12-06T09:51:10.206Z ERROR [gcp.metrics] metrics/metricset.go:294 bigquery.googleapis.com/storage/table_count" metric descriptor is empty, this metric will not be collected
Below is the code I have used:
```yaml
- module: gcp
  region: "us-central1"
  metricsets:
    - metrics
  project_id: "ProjectName"
  credentials_file_path: "/root/xyz.json"
  exclude_labels: false
  period: 1h
  metrics:
    - aligner: ALIGN_NONE
      service: bigquery
      service_metric_prefix: bigquery.googleapis.com/
      metric_types:
        - "bigquery.googleapis.com/storage/table_count"
```
Let me know if any changes are needed in the code.
I have also tried extracting compute and billing metrics. We can see the column names populating in the Kibana Discover filter area, but we do not have any data available.
Please find the code below:
```yaml
- module: gcp
  region: "us-central1"
  metricsets:
    - metrics
  project_id: "projectname"
  credentials_file_path: "/root/xyz.json"
  exclude_labels: false
  period: 1
  metrics:
    - aligner: ALIGN_NONE
      service: compute
      metric_types:
        - "instance/cpu/reserved_cores"
        - "instance/cpu/usage_time"
        - "instance/cpu/utilization"
        - "instance/uptime"
```
Thanks
The code below worked well for me.
```yaml
- module: gcp
  metricsets:
    - metrics
  project_id: "YOUR_PROJECT_ID"
  credentials_file_path: "your JSON credentials file path"
  exclude_labels: false
  period: 1800s # 1800s is recommended
  metrics:
    - aligner: ALIGN_NONE
      service: bigquery
      service_metric_prefix: bigquery.googleapis.com/ # not required, "bigquery.googleapis.com/" is already the default value
      metric_types:
        - "storage/table_count" # only "storage/table_count" here
```
It seems that you should edit your metric_types attribute only.
I recommend setting the collection period of the table_count metric to 1800s, as GCP samples it every 1800 seconds.
Refer here for the information about that.
This works well in my Kibana too.

Splunk - duration between two different messages by guid

Splunk:
```
{ [-]
   guid: ABC
   level: warn
   message: Analytics Audit: analyticsLoaded
   source: client
   timestamp: 2017-08-07T16:38:38+00:00
}
{ [-]
   guid: BAC
   level: warn
   message: Analytics Audit: doneWithAnalytics
   source: client
   timestamp: 2017-08-07T16:38:38+00:00
}
```
These messages show up for each guid. I would like to get the duration between the first message "Analytics Audit: analyticsLoaded" showing up and the second message "Analytics Audit: doneWithAnalytics", by guid. And get the average duration for both messages showing up after the two messages for a guid.
So basically, get the duration per guid. Get the average duration.
How can I do that in Splunk?
Try this:
```
index=blah | transaction guid startswith="analyticsLoaded" endswith="doneWithAnalytics" | timechart avg(duration)
```

Error with NSURLSessionDataTask in iOS 10

I am having an issue with NSURLSessionDataTask: while trying to upload a JSON object, I am getting the following message in the console.
[] __tcp_connection_write_eof_block_invoke Write close callback received
[error: [89] Operation canceled]
How do I solve this issue?
Maybe it is related to the OS_ACTIVITY_MODE setting for Schemes.
Disable OS_ACTIVITY_MODE by following these steps and check:
--- Go in Product ---> Scheme ---> Edit Scheme
--- in Run Section on the left, select Argument Tab and in Environment Variable Change value as below:
Name: OS_ACTIVITY_MODE
Value: disable

EventLog & ConvertFrom-String

I am trying to objectify the security event log by using the ConvertFrom-String PowerShell cmdlet, but I am not able to work it out.
First I get the event(s) from my DC.
```powershell
$events = Get-WinEvent -ComputerName $comp -FilterHashtable @{logname='security';id=4727}
```
Next I define my template.
```powershell
$tmpl = @'
{Event:A security-enabled global group was created.}
Subject:
    Security ID:        S-1-5*
    {SubjectName:Account Name:       andrew}
    Account Domain:     DOMAIN
    Logon ID:           0x16D280EB
New Group:
    Security ID:        S-1-5*
    {GroupName:Group Name:          test1}
    Group Domain:       DOMAIN
Attributes:
    SAM Account Name:   test1
    SID History:        -
Additional Information:
    Privileges:         -
'@
```
Finally I try to turn it into objects.
```powershell
($events).message | ConvertFrom-String -TemplateContent $tmpl
```
But my output is only:
Event: A security-enabled global group was created.
Instead, I want to get something like:
Event: A security-enabled global group was created
SubjectName: andrew
GroupName: test1
And I would like this to be compatible with looping through many similar events to pull out the right bits.
I posted the same question in the Microsoft forums and got an immediate answer, so for those interested, here it is.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/42f8e6a3-4304-4215-b521-d611e3216e1c/eventlog-convertfromstring?forum=winserverpowershell

Active directory azure, handle sign in "access_denied" error using custom error page?

I got the error below while signing in a user who is not assigned to the web app. I want to display a custom error page instead of this.
An error of type 'access_denied' occurred during the login process: 'xyz121': User account is disabled.
Trace ID: xyz121
Correlation ID: xyz
Timestamp: 2015-05-18 05:51:16