Checking condition in a pipeline

Magneton · March 9, 2018, 1:07pm

HI All,

I wonder is someone could help me out.

I want to write a pipeline rule checks two conditions and sets a field.

Example

// function to detect bad things

rule "lets detect bad stuff"
when
   // To save CPU cycles, only run on this field in stream
   
   has_field("sysmon_event_id") AND 
  
   then

	set_field("BadDetected", "true");
	
end

The logic in the when condition is something similar to below

If sysmon_eventid=11 and granted-access=0x100 then set field

Both sysmon_event_id and granted access are fields and can be searched on inn the search bar with this

(sysmon_event_id:11 AND GrantedAccess:“0x100”)

Does this logic work in functions?

Cheers Jake

jochen · March 9, 2018, 1:33pm

Yes, it does. You can use various boolean operators (AND, OR, NOT) to chain conditions in the when clause of your rules.

See http://docs.graylog.org/en/2.4/pages/pipelines/rules.html for details.

Magneton · March 9, 2018, 1:51pm

Hi Jochen,

So something like this.

// function to detect bad things

rule "lets detect bad stuff"
when
      
   // sets check for the presence of both fields
   
   has_field("sysmon_event_id") && has_field("GrantedAccess") 
  
   then
        contains(to_string($message.sysmon_event_id","11") && (to_string($message.GrantedAccess","0x100");
	set_field("BadDetected", "true");
	
end

Would this work?

Cheers Jake

jan · March 9, 2018, 1:55pm

it should be more like:

// function to detect bad things

rule “lets detect bad stuff”
when
  // sets check for the presence of both fields
  has_field(“sysmon_event_id”) AND
  has_field(“GrantedAccess”) AND
  contains(to_string($message.sysmon_event_id,“11”) AND
  contains(to_string($message.GrantedAccess,“0x100”)
then
  set_field(“BadDetected”, “true”);
end

Magneton · March 9, 2018, 2:17pm

Hi Jochen,

I get an incompatable types error see

So I tried

Am i missing a semi colon or something somewhere?

Cheers
Jake

jan · March 9, 2018, 2:31pm

Hej Jake,

actually I just wrote the rule direct in the Forum - not in the editor. That is just missing ) and wrong " and I missed the order of contains (first value then the string)

rule "lets detect bad stuff"
when
  // sets check for the presence of both fields
  has_field("sysmon_event_id") AND
  has_field("GrantedAccess") AND
  contains("11",to_string($message.sysmon_event_id)) AND
  contains("0x100", to_string($message.GrantedAccess))
then
  set_field("BadDetected", "true");
end

Magneton · March 9, 2018, 4:17pm

Hi Jochen,

Cheers for your help once again, I have Graylog doing something special.

Cheers

Jake

system · March 23, 2018, 4:17pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline condition not correct Graylog Central (peer support) pipeline-rules , debuggingpl	6	894	October 13, 2020
Pipeline Rules - Exact Match on Field Graylog Central (peer support) pipeline-rules	5	5362	June 6, 2018
Graylog pipeline rule syntax errors (I guess?) Graylog Central (peer support) pipeline-rules , debuggingpl , sidecar , winlogbeat	4	1324	October 1, 2018
Boolean value, boolean operators and boolean expression in pipeline condition Graylog Central (peer support)	3	2184	April 11, 2018
Pipeline rule - additional test within then clause Graylog Central (peer support) pipeline-rules	1	1417	May 4, 2017

Checking condition in a pipeline

Related topics