ElastAlert error #13324
Version: 2.4.80
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Distributed
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 16
RAM: 64
Storage for /: 2.4TB
Storage for /nsm: 2.4TB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail:
2024-07-10 21:51:07,883 INFO elastalert Queried rule LockerGoga Ransomware Activity -- 74db3488-fd28-480a-95aa-b7af626de068 from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 / 0 hits
2024-07-10 21:51:07,887 INFO elastalert Ran LockerGoga Ransomware Activity -- 74db3488-fd28-480a-95aa-b7af626de068 from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-07-10 21:51:07,887 INFO elastalert LockerGoga Ransomware Activity -- 74db3488-fd28-480a-95aa-b7af626de068 range 600
2024-07-10 21:51:07,887 INFO apscheduler.executors.default Job "Rule: LockerGoga Ransomware Activity -- 74db3488-fd28-480a-95aa-b7af626de068 (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:09 UTC)" executed successfully
2024-07-10 21:51:08,088 INFO apscheduler.executors.default Running job "Rule: AWS IAM S3Browser LoginProfile Creation -- db014773-b1d3-46bd-ba26-133337c0ffee (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:12 UTC)" (scheduled at 2024-07-10 21:51:08.088070+00:00)
2024-07-10 21:51:08,095 WARNING elasticsearch POST https://shrek:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.006s]
2024-07-10 21:51:08,095 ERROR elastalert Error running query: RequestError(400, 'verification_exception', 'Found 3 problems\nline 1:12: Unknown column [eventName]\nline 1:75: Unknown column [eventSource]\nline 1:111: Unknown column [userAgent]')
2024-07-10 21:51:08,102 INFO elastalert Ran AWS IAM S3Browser LoginProfile Creation -- db014773-b1d3-46bd-ba26-133337c0ffee from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-07-10 21:51:08,102 INFO elastalert AWS IAM S3Browser LoginProfile Creation -- db014773-b1d3-46bd-ba26-133337c0ffee range 600
2024-07-10 21:51:08,102 INFO apscheduler.executors.default Job "Rule: AWS IAM S3Browser LoginProfile Creation -- db014773-b1d3-46bd-ba26-133337c0ffee (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:12 UTC)" executed successfully
2024-07-10 21:51:08,606 INFO apscheduler.executors.default Running job "Rule: UAC Bypass Using NTFS Reparse Point - Process -- 39ed3c80-e6a1-431b-9df3-911ac53d08a7 (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:09 UTC)" (scheduled at 2024-07-10 21:51:08.606090+00:00)
2024-07-10 21:51:08,674 INFO elastalert Queried rule UAC Bypass Using NTFS Reparse Point - Process -- 39ed3c80-e6a1-431b-9df3-911ac53d08a7 from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 / 0 hits
2024-07-10 21:51:08,679 INFO elastalert Ran UAC Bypass Using NTFS Reparse Point - Process -- 39ed3c80-e6a1-431b-9df3-911ac53d08a7 from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-07-10 21:51:08,679 INFO elastalert UAC Bypass Using NTFS Reparse Point - Process -- 39ed3c80-e6a1-431b-9df3-911ac53d08a7 range 600
2024-07-10 21:51:08,679 INFO apscheduler.executors.default Job "Rule: UAC Bypass Using NTFS Reparse Point - Process -- 39ed3c80-e6a1-431b-9df3-911ac53d08a7 (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:09 UTC)" executed successfully
2024-07-10 21:51:08,811 INFO apscheduler.executors.default Running job "Rule: Exchange Exploitation CVE-2021-28480 -- a2a9d722-0acb-4096-bccc-daaf91a5037b (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:09 UTC)" (scheduled at 2024-07-10 21:51:08.811139+00:00)
2024-07-10 21:51:08,820 WARNING elasticsearch POST https://shrek:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.008s]
2024-07-10 21:51:08,820 ERROR elastalert Error running query: RequestError(400, 'verification_exception', 'Found 5 problems\nline 1:35: Unknown column [cs]\nline 1:38: Unknown column [uri]\nline 1:42: Unknown column [query]\nline 1:78: Unknown column [sc]\nline 1:81: Unknown column [status]')
2024-07-10 21:51:08,826 INFO elastalert Ran Exchange Exploitation CVE-2021-28480 -- a2a9d722-0acb-4096-bccc-daaf91a5037b from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-07-10 21:51:08,826 INFO elastalert Exchange Exploitation CVE-2021-28480 -- a2a9d722-0acb-4096-bccc-daaf91a5037b range 600
2024-07-10 21:51:08,827 INFO apscheduler.executors.default Job "Rule: Exchange Exploitation CVE-2021-28480 -- a2a9d722-0acb-4096-bccc-daaf91a5037b (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:09 UTC)" executed successfully
2024-07-10 21:51:08,893 INFO apscheduler.executors.default Running job "Rule: Weak Encryption Enabled and Kerberoast -- f6de9536-0441-4b3f-a646-f4e00f300ffd (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:09 UTC)" (scheduled at 2024-07-10 21:51:08.892352+00:00)
2024-07-10 21:51:08,903 INFO apscheduler.executors.default Running job "Rule: Invoke-Obfuscation STDIN+ Launcher - Powershell -- 779c8c12-0eb1-11eb-adc1-0242ac120002 (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:12 UTC)" (scheduled at 2024-07-10 21:51:08.903015+00:00)
2024-07-10 21:51:08,906 WARNING elasticsearch POST https://shrek:9200/.ds-logs-*/_eql/search?ignore_unavailable=true [status:400 request:0.002s]
2024-07-10 21:51:08,906 ERROR elastalert Error running query: RequestError(400, 'parsing_exception', 'line 1:280: token recognition error at: '"cmd.{0,5}(?:\/'')
2024-07-10 21:51:08,911 INFO elastalert Ran Invoke-Obfuscation STDIN+ Launcher - Powershell -- 779c8c12-0eb1-11eb-adc1-0242ac120002 from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-07-10 21:51:08,911 INFO elastalert Invoke-Obfuscation STDIN+ Launcher - Powershell -- 779c8c12-0eb1-11eb-adc1-0242ac120002 range 600
2024-07-10 21:51:08,911 INFO apscheduler.executors.default Job "Rule: Invoke-Obfuscation STDIN+ Launcher - Powershell -- 779c8c12-0eb1-11eb-adc1-0242ac120002 (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:12 UTC)" executed successfully
2024-07-10 21:51:08,931 INFO elastalert Queried rule Weak Encryption Enabled and Kerberoast -- f6de9536-0441-4b3f-a646-f4e00f300ffd from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 / 0 hits
2024-07-10 21:51:08,935 INFO elastalert Ran Weak Encryption Enabled and Kerberoast -- f6de9536-0441-4b3f-a646-f4e00f300ffd from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-07-10 21:51:08,935 INFO elastalert Weak Encryption Enabled and Kerberoast -- f6de9536-0441-4b3f-a646-f4e00f300ffd range 600
2024-07-10 21:51:08,935 INFO apscheduler.executors.default Job "Rule: Weak Encryption Enabled and Kerberoast -- f6de9536-0441-4b3f-a646-f4e00f300ffd (trigger: interval[0:03:00], next run at: 2024-07-10 21:54:09 UTC)" executed successfully
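The log shows two distinct failure classes: `verification_exception` with `Unknown column [...]` (the converted rule references fields the `.ds-logs-*` mapping does not contain) and `parsing_exception` (the EQL tokeniser rejected part of the converted regex). As an added example that is not code from Security Onion, ElastAlert or the reporter, the Python script below triages such a log by pairing each `Error running query` line with the `Ran <rule> -- <uuid>` line that completes the same run and listing the missing fields per rule; the pairing is a heuristic, since apscheduler runs rules concurrently, and the sample lines are constructed in the format quoted above.

```python
import re

# Constructed sample in the format of the ElastAlert log quoted above
# (one healthy run, one verification_exception, one parsing_exception).
SAMPLE_LOG = r"""
2024-07-10 21:51:07,887 INFO elastalert Ran LockerGoga Ransomware Activity -- 74db3488-fd28-480a-95aa-b7af626de068 from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-07-10 21:51:08,095 ERROR elastalert Error running query: RequestError(400, 'verification_exception', 'Found 3 problems\nline 1:12: Unknown column [eventName]\nline 1:75: Unknown column [eventSource]\nline 1:111: Unknown column [userAgent]')
2024-07-10 21:51:08,102 INFO elastalert Ran AWS IAM S3Browser LoginProfile Creation -- db014773-b1d3-46bd-ba26-133337c0ffee from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
2024-07-10 21:51:08,906 ERROR elastalert Error running query: RequestError(400, 'parsing_exception', 'line 1:280: token recognition error at: '"cmd.{0,5}(?:\/'')
2024-07-10 21:51:08,911 INFO elastalert Ran Invoke-Obfuscation STDIN+ Launcher - Powershell -- 779c8c12-0eb1-11eb-adc1-0242ac120002 from 2024-07-10 21:41 UTC to 2024-07-10 21:51 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
"""

ERROR_RE = re.compile(r"ERROR elastalert Error running query: RequestError\((\d+), '([^']+)', '(.*)'\)\s*$")
RAN_RE = re.compile(r"INFO elastalert Ran (?P<name>.+?) -- (?P<uuid>[0-9a-f-]{36}) from ")
COLUMN_RE = re.compile(r"Unknown column \[([^\]]+)\]")


def triage(log_text):
    """Map rule uuid -> failure summary. An error line is attributed to the next
    'Ran <rule> -- <uuid>' line, which closes the same run (heuristic: concurrent)."""
    pending, failures = [], {}
    for line in log_text.splitlines():
        err = ERROR_RE.search(line)
        if err:
            pending.append((int(err.group(1)), err.group(2), err.group(3)))
            continue
        ran = RAN_RE.search(line)
        if ran and pending:
            status, kind, message = pending.pop(0)
            failures[ran["uuid"]] = {
                "name": ran["name"], "status": status, "exception": kind,
                "missing_fields": COLUMN_RE.findall(message), "message": message}
    return failures


def explain(entry):
    """Turn a failure summary into the action a rule maintainer would take."""
    if entry["exception"] == "verification_exception" and entry["missing_fields"]:
        return ("index mapping has no field(s) %s: fix the Sigma field mapping for this "
                "data source or disable the rule" % ", ".join(entry["missing_fields"]))
    if entry["exception"] == "parsing_exception":
        return "EQL rejected the converted query text: check regex/escaping in the rule"
    return "unclassified HTTP %d %s" % (entry["status"], entry["exception"])


if __name__ == "__main__":
    for uuid, entry in triage(SAMPLE_LOG).items():
        print("%s (%s): %s" % (entry["name"], uuid, explain(entry)))
```

Run it against a copy of /opt/so/log/elastalert/elastalert.log instead of SAMPLE_LOG to get a per-rule list of which Sigma rules need field mapping fixes and which need their converted query repaired.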