
Python webhook API


I am trying to create a Python webhook to receive data from Elastic SIEM (in JSON format), and when I try it I get the following error: (sorry, this is my first time using Python, so I don't know what the problem is)

Webhook configuration:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

from flask import json        # To read JSON data
from flask import request     # To access the incoming request (headers and body)
from flask import Flask       # To be able to start the application

app = Flask(__name__)


@app.route('/')
def api_root():
    return 'Welcome guys'


@app.route('/webhook', methods=['POST'])
def api_webhook_messages():
    # Parse the raw POST body as JSON; this raises an exception if the body is not JSON
    my_info = json.loads(request.data)
    print(json.dumps(my_info))
    return 'Connection successful'


if __name__ == '__main__':
    app.run(port=8080, host='10.10.13.135', debug=True)


Below is the watcher I configured:


POST _watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1h"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": "firewall-*",
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "from": "now-1h",
                      "to": "now"
                    }
                  }
                }
              }
            },
            "aggs": {
              "by_source_ip": {
                "terms": {
                  "size": 100,
                  "field": "source.ip"
                },
                "aggs": {
                  "by_destination_ip": {
                    "terms": {
                      "size": 100,
                      "field": "destination.ip"
                    },
                    "aggs": {
                      "by_port_number": {
                        "terms": {
                          "size": 100,
                          "field": "destination.port",
                          "order": {
                            "_count": "asc"
                          }
                        }
                      }
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "script":
      """

      for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++)
      {
        for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
        {
          if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 15 ) // the action only runs if a single source IP / destination IP pair was seen on more than 15 ports
          {
            return true;
          }
        }
      }

        """
    },
    "transform":
    {
      "script":
      """

     String[] source= new String[5]; // An array holding the source IP addresses of the scans
     String[] destination= new String[5]; // An array holding the destination IP addresses that were scanned
     int[] nombre_port= new int[5]; // An array holding the number of ports scanned per (source IP / destination IP) pair
     int n=0;
      for (int i=0; i < ctx.payload.aggregations.by_source_ip.buckets.size(); i++)
      {
        for (int j=0; j < ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets.size() ; j++ )
        {
          if (ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size() > 15) // Only record the source/destination IP addresses that triggered the alarm
          {
            if (n<5) // Make sure we do not exceed the 5 slots we allocated
            {
            source[n] = ctx.payload.aggregations.by_source_ip.buckets[i].key;
            destination[n] = ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].key;
            nombre_port[n] = ctx.payload.aggregations.by_source_ip.buckets[i].by_destination_ip.buckets[j].by_port_number.buckets.size();
            n++;
            }
          }
        }
      }
      return [source,destination,nombre_port];
      """
    },
    "actions": {
     "my_webhook": {
       "webhook": {
         "method": "POST",
         "host": "10.10.13.135",
         "path": "/webhook",
         "port": 8080,
         "body": "test"
       }
     }
    }
  }
}

Then I just found out that the data being sent is not in JSON format; I used:

def api_webhook_messages():
    data = request.data
    print(data)


Thanks for your help

The data you are sending is probably not JSON, but you have not provided enough information to reproduce any meaningful problem.

Thanks for your answer @Ken, I have updated my post and added the configuration of the watcher I am using.
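As an added example (not the asker's code, and not part of any Elastic project), here is a receiver that handles the failure mode described in this thread: the watcher action above posts the literal body `test`, so `json.loads(request.data)` raises inside Flask and the server answers with a 500. The receiver below decodes the body itself, answers 400 with a clear message when the body is not JSON, and otherwise unpacks the `[source, destination, nombre_port]` arrays that the watcher's `transform` script returns, dropping the unused `null`/`0` slots of the fixed-size Painless arrays. It assumes the watcher action's `"body": "test"` is replaced with `"{{#toJson}}ctx.payload{{/toJson}}"` (a Watcher Mustache helper that serialises the transformed payload as JSON) and, optionally, that a `headers` map on the action carries a shared secret; the header name `X-Watcher-Token`, the function names, and the sample body are all hypothetical choices made for this example.

```python
"""Flask receiver for an Elasticsearch Watcher webhook action (example code).

Assumes the watcher's transform returns [source, destination, nombre_port] and
that the action body is "{{#toJson}}ctx.payload{{/toJson}}" so the POST is JSON.
"""
import json
import logging

log = logging.getLogger("watcher-webhook")


class BadPayload(ValueError):
    """Raised when the POST body is not the JSON shape we expect."""


def parse_watcher_body(raw: bytes):
    """Decode the raw request body into a JSON value.

    Raises BadPayload with a message that names the problem instead of letting
    json.loads blow up inside the Flask handler (which yields a bare 500).
    """
    if not raw:
        raise BadPayload("empty body")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise BadPayload(f"body is not UTF-8: {exc}") from None
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        # This is the branch hit when the action still sends the literal string "test".
        raise BadPayload(f"body is not JSON (got {text[:40]!r}): {exc.msg}") from None


def scan_pairs(payload):
    """Turn the transform's [source, destination, nombre_port] arrays into records.

    The Painless transform allocates fixed-size arrays of 5, so unused slots
    arrive as null (strings) or 0 (ints); those slots are dropped here.
    """
    if not (isinstance(payload, list) and len(payload) == 3):
        raise BadPayload("expected a 3-element list [source, destination, nombre_port]")
    sources, destinations, counts = payload
    if not (len(sources) == len(destinations) == len(counts)):
        raise BadPayload("source/destination/port arrays differ in length")
    return [
        {"source_ip": s, "destination_ip": d, "ports_scanned": c}
        for s, d, c in zip(sources, destinations, counts)
        if s is not None and d is not None
    ]


def create_app(shared_secret=None):
    # Imported lazily so the two parsing functions above can be tested without Flask.
    from flask import Flask, jsonify, request

    app = Flask(__name__)

    @app.route("/webhook", methods=["POST"])
    def webhook():
        # Hypothetical shared-secret header, set via the watcher action's "headers" map.
        if shared_secret and request.headers.get("X-Watcher-Token") != shared_secret:
            return jsonify(error="forbidden"), 403
        try:
            records = scan_pairs(parse_watcher_body(request.get_data()))
        except BadPayload as exc:
            log.warning("rejected webhook: %s", exc)
            return jsonify(error=str(exc)), 400
        for rec in records:
            log.info("port scan: %(source_ip)s -> %(destination_ip)s (%(ports_scanned)d ports)", rec)
        return jsonify(received=len(records)), 200

    return app


# Constructed sample body: what the watcher transform produces for one alerting pair.
SAMPLE_BODY = json.dumps([
    ["10.0.0.7", None, None, None, None],
    ["10.0.0.50", None, None, None, None],
    [23, 0, 0, 0, 0],
]).encode()

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Bind to loopback; front it with a reverse proxy if the watcher runs on another host.
    create_app(shared_secret="replace-me").run(host="127.0.0.1", port=8080)
```

With the action body still set to `test`, the receiver answers `400 {"error": "body is not JSON (got 'test'): Expecting value"}` instead of a 500, which makes the root cause visible in the Watcher execution history rather than in a Flask traceback.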
