Home Explore Help
Sign In
SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git
1
0
Fork 0
Files
Tree: 686cf76645
Branches Tags
ydb
/
yql
/
essentials
/
tests
/
sql
/
suites
/
match_recognize
/
alerts.sql

alerts.sql 3.6 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465 
  1. $osquery_data = [
    2. 

  2. <|dt:1688910000, host:"fqdn1", ev_type:"someEv",     ev_status:"",        user:"",       vpn:false, |>,
    3. 

  3. <|dt:1688910050, host:"fqdn2", ev_type:"login",      ev_status:"success", user:"",       vpn:true,  |>,
    4. 

  4. <|dt:1688910100, host:"fqdn1", ev_type:"login",      ev_status:"success", user:"",       vpn:true,  |>,
    5. 

  5. <|dt:1688910220, host:"fqdn1", ev_type:"login",      ev_status:"success", user:"",       vpn:false, |>,
    6. 

  6. <|dt:1688910300, host:"fqdn1", ev_type:"delete_all", ev_status:"",        user:"",       vpn:false, |>,
    7. 

  7. <|dt:1688910400, host:"fqdn2", ev_type:"delete_all", ev_status:"",        user:"",       vpn:false, |>,
    8. 

  8. <|dt:1688910500, host:"fqdn1", ev_type:"login",      ev_status:"failed",  user:"user1",  vpn:false, |>,
    9. 

  9. <|dt:1688910500, host:"fqdn1", ev_type:"login",      ev_status:"failed",  user:"user2",  vpn:false, |>,
    10. 

  10. <|dt:1688910600, host:"fqdn",  ev_type:"someEv",     ev_status:"",        user:"user1",  vpn:false, |>,
    11. 

  11. <|dt:1688910800, host:"fqdn2", ev_type:"login",      ev_status:"failed",  user:"user1",  vpn:false, |>,
    12. 

  12. <|dt:1688910900, host:"fqdn2", ev_type:"login",      ev_status:"failed",  user:"user2",  vpn:false, |>,
    13. 

  13. <|dt:1688911000, host:"fqdn2", ev_type:"login",      ev_status:"success", user:"user1",  vpn:false, |>,
    14. 

  14. <|dt:1688911001, host:"fqdn2", ev_type:"login",      ev_status:"success", user:"user1",  vpn:false, |>,
    15. 

  15. ];
    16. 

  16. 

  17. pragma FeatureR010="prototype";
    18. 

  18. pragma config.flags("MatchRecognizeStream", "disable");
    19. 

  19. 

  20. SELECT *
    21. 

  21. FROM AS_TABLE($osquery_data) MATCH_RECOGNIZE(
    22. 

  22.     ORDER BY CAST(dt as Timestamp)
    23. 

  23.     MEASURES
    24. 

  24.       LAST(LOGIN_SUCCESS_REMOTE.host) as remote_login_host,
    25. 

  25.       LAST(LOGIN_SUCCESS_REMOTE.user) as remote_login_user,
    26. 

  26.       LAST(LOGIN_SUCCESS_REMOTE.dt) as remote_login_dt,
    27. 

  27.       LAST(SUSPICIOUS_ACTION_SOON.dt) as suspicious_action_dt,
    28. 

  28.       FIRST(LOGIN_FAILED_SAME_USER.dt) as brutforce_begin,
    29. 

  29.       FIRST(LOGIN_SUCCESS_SAME_USER.dt) as brutforce_end,
    30. 

  30.       LAST(LOGIN_SUCCESS_SAME_USER.user) as brutforce_login
    31. 

  31. 

  32.     ONE ROW PER MATCH
    33. 

  33.     AFTER MATCH SKIP TO NEXT ROW
    34. 

  34.     PATTERN (
    35. 

  35.       LOGIN_SUCCESS_REMOTE ANY_ROW1* SUSPICIOUS_ACTION_SOON |
    36. 

  36.       (LOGIN_FAILED_SAME_USER ANY_ROW2*){2,} LOGIN_SUCCESS_SAME_USER
    37. 

  37.     )
    38. 

  38.     DEFINE
    39. 

  39.         LOGIN_SUCCESS_REMOTE as
    40. 

  40.             LOGIN_SUCCESS_REMOTE.ev_type = "login" and
    41. 

  41.             LOGIN_SUCCESS_REMOTE.ev_status = "success" and
    42. 

  42.             LOGIN_SUCCESS_REMOTE.vpn = true and
    43. 

  43.             COALESCE(LOGIN_SUCCESS_REMOTE.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
    44. 

  44.         ANY_ROW1 as
    45. 

  45.             COALESCE(ANY_ROW1.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE),
    46. 

  46.         SUSPICIOUS_ACTION_SOON as
    47. 

  47.             SUSPICIOUS_ACTION_SOON.host = LAST(LOGIN_SUCCESS_REMOTE.host) and
    48. 

  48.             SUSPICIOUS_ACTION_SOON.ev_type = "delete_all" and
    49. 

  49.             COALESCE(SUSPICIOUS_ACTION_SOON.dt - FIRST(LOGIN_SUCCESS_REMOTE.dt) <= 500, TRUE),
    50. 

  50.         LOGIN_FAILED_SAME_USER as
    51. 

  51.             LOGIN_FAILED_SAME_USER.ev_type = "login" and
    52. 

  52.             LOGIN_FAILED_SAME_USER.ev_status <> "success" and
    53. 

  53.             (LAST(LOGIN_FAILED_SAME_USER.user) IS NULL
    54. 

  54.                 or LAST(LOGIN_FAILED_SAME_USER.user) = LOGIN_FAILED_SAME_USER.user
    55. 

  55.             ) and COALESCE(LOGIN_FAILED_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
    56. 

  56.         ANY_ROW2 as
    57. 

  57.             COALESCE(ANY_ROW2.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE),
    58. 

  58.         LOGIN_SUCCESS_SAME_USER as
    59. 

  59.             LOGIN_SUCCESS_SAME_USER.ev_type = "login" and
    60. 

  60.             LOGIN_SUCCESS_SAME_USER.ev_status = "success" and
    61. 

  61.             LOGIN_SUCCESS_SAME_USER.user = LAST(LOGIN_FAILED_SAME_USER.user) and
    62. 

  62.             COALESCE(LOGIN_SUCCESS_SAME_USER.dt - FIRST(LOGIN_FAILED_SAME_USER.dt) <= 500, TRUE)
    63. 

  63. ) AS MATCHED
    64. 

  64. ;
    65. 

  65.