I have the following Request body:
{“size”:10000,“query”:{“bool”:{“must”:[{“terms”:{“rule.id”:[“3357”,“3335”,“43432”]}}],“filter”:[{“range”:{“timestamp”:{“gte”:“now-1h/h”,“lte”:“now”}}}]}}}
And I get the following responses in general, so I am pasting one of them:
{“_index”:“wazuh-alerts-4.x-2022.08.11”,“_type”:“_doc”,“_id”:“wFQ8ioIBYHxB5SnZCXlm”,“_score”:1,“_source”:{“agent”:{“name”:“Site”,“id”:“000”},“data”:{“srcip”:“5.34.207.52”},“rule”:{“mail”:false,“level”:10,“pci_dss”:[“10.2.4”,“10.2.5”,“11.4”],“hipaa”:[“164.312.b”],“tsc”:[“CC6.1”,“CC6.8”,“CC7.2”,“CC7.3”],“description”:“Postfix: Multiple SASL authentication failures.”,“groups”:[“syslog”,“postfix”,“authentication_failures”],“nist_800_53”:[“AU.14”,“AC.7”,“SI.4”],“frequency”:8,“gdpr”:[“IV_35.7.d”,“IV_32.2”],“firedtimes”:29,“mitre”:{“technique”:[“Brute Force”],“id”:[“T1110”],“tactic”:[“Credential Access”]},“id”:“3357”},“full_log”:“Aug 11 00:09:19 cyberessence postfix/smtpd[1761345]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: Connection lost to authentication server”,“id”:“1660176561.253793”,“timestamp”:“2022-08-11T00:09:21.355+0000”,“predecoder”:{“hostname”:“cyberessence”,“program_name”:“postfix/smtpd”,“timestamp”:“Aug 11 00:09:19”},“previous_output”:“Aug 11 00:09:16 cyberessence postfix/smtpd[1761270]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: Connection lost to authentication server\nAug 11 00:09:12 cyberessence postfix/smtpd[1761575]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: Connection lost to authentication server\nAug 11 00:09:11 cyberessence postfix/smtpd[1761342]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: Connection lost to authentication server\nAug 11 00:09:07 cyberessence postfix/smtpd[1761405]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: Connection lost to authentication server\nAug 11 00:09:04 cyberessence postfix/smtpd[1761590]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: Connection lost to authentication server\nAug 11 00:09:01 cyberessence postfix/smtpd[1761233]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: Connection lost to authentication server\nAug 11 00:08:58 cyberessence postfix/smtpd[1761270]: warning: unknown[5.34.207.52]: SASL LOGIN authentication failed: Connection lost to authentication server”,“manager”:{“name”:“Site”},“decoder”:{“parent”:“postfix”,“name”:“postfix”},“input”:{“type”:“log”},“@timestamp”:“2022-08-11T00:09:21.355Z”,“location”:“/var/log/syslog”,“GeoLocation”:{“city_name”:“Tehran”,“country_name”:“Iran”,“region_name”:“Ostan-e Tehran”,“location”:{“lon”:51.3304,“lat”:35.7261}}}}
What I am trying to do is the following. There is a key called agent.name. I want to be able to search a list of specific rule.id but only receive up to 3 results of each different rule.id per agent. This means that an x rule.id can have more than ex. 2000 documents for agent x and 1000 for agent y. Also for y rule.id i can have 100 for agent x and 2 for agent y. So I only need to fetch for x rule.id, maximum 3 for each individual agent, as well as the same for y rule.id. In that list there might be 500 rule.id’s