Checking condition in a pipeline


(Jake Smith) #1

Hi All,

I wonder if someone could help me out.

I want to write a pipeline rule that checks two conditions and sets a field.

Example

// function to detect bad things

rule "lets detect bad stuff"
when
  // To save CPU cycles, only run on this field in stream
  has_field("sysmon_event_id") AND
then
  set_field("BadDetected", "true");
end

The logic in the when condition is something like the below:

If sysmon_eventid=11 and granted-access=0x100 then set field

Both sysmon_event_id and GrantedAccess are fields and can be searched on in the search bar with this:

(sysmon_event_id:11 AND GrantedAccess:"0x100")

Does this logic work in functions?

Cheers Jake


(Jochen) #2

Yes, it does. You can use various boolean operators (AND, OR, NOT) to chain conditions in the when clause of your rules.

See http://docs.graylog.org/en/2.4/pages/pipelines/rules.html for details.


(Jake Smith) #3

Hi Jochen,

So, something like this:

// function to detect bad things

rule "lets detect bad stuff"
when
  // sets check for the presence of both fields
  has_field("sysmon_event_id") && has_field("GrantedAccess")
then
  contains(to_string($message.sysmon_event_id","11") && (to_string($message.GrantedAccess","0x100");
  set_field("BadDetected", "true");
end

Would this work?

Cheers Jake


(Jan Doberstein) #4

It should be more like:

// function to detect bad things

rule “lets detect bad stuff”
when
  // sets check for the presence of both fields
  has_field(“sysmon_event_id”) AND
  has_field(“GrantedAccess”) AND
  contains(to_string($message.sysmon_event_id,“11”) AND
  contains(to_string($message.GrantedAccess,“0x100”)
then
  set_field(“BadDetected”, “true”);
end

(Jake Smith) #5

Hi Jochen,

I get an incompatible types error, see

So I tried

Am I missing a semicolon or something somewhere?

Cheers
Jake


(Jan Doberstein) #6

Hej Jake,

Actually, I just wrote the rule directly in the forum, not in the editor. It was just missing a ) and had wrong " characters, and I got the order of contains wrong (first the value, then the string).

rule "lets detect bad stuff"
when
  // sets check for the presence of both fields
  has_field("sysmon_event_id") AND
  has_field("GrantedAccess") AND
  contains("11",to_string($message.sysmon_event_id)) AND
  contains("0x100", to_string($message.GrantedAccess))
then
  set_field("BadDetected", "true");
end
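A way to see what the final rule above actually matches, as an added example that is not from the thread or from Graylog: a small Python model of the when clause, assuming Graylog's contains(value, search) substring semantics (the first argument is the string that is searched in). It also includes an exact-comparison variant for when the field must equal the literal, evaluated against constructed sample messages.

```python
"""Model of the thread's detection rule, run over constructed Sysmon-like messages."""


def contains(value: str, search: str, ignore_case: bool = False) -> bool:
    """Substring test with the argument order of Graylog's contains(value, search)."""
    if ignore_case:
        return search.lower() in value.lower()
    return search in value


def rule_thread_final(msg: dict) -> bool:
    """The when clause from post #6: literal first, field value second."""
    return ("sysmon_event_id" in msg and "GrantedAccess" in msg
            and contains("11", str(msg["sysmon_event_id"]))
            and contains("0x100", str(msg["GrantedAccess"])))


def rule_exact(msg: dict) -> bool:
    """Exact-match variant: the whole field value must equal the literal."""
    return ("sysmon_event_id" in msg and "GrantedAccess" in msg
            and str(msg["sysmon_event_id"]) == "11"
            and str(msg["GrantedAccess"]) == "0x100")


def apply_rule(msg: dict, rule) -> dict:
    """Mimic set_field("BadDetected", "true") when the rule fires; returns a new dict."""
    out = dict(msg)
    if rule(msg):
        out["BadDetected"] = "true"
    return out


# Constructed sample messages (not real log data).
SAMPLES = [
    {"sysmon_event_id": 11, "GrantedAccess": "0x100"},   # the intended match
    {"sysmon_event_id": 1, "GrantedAccess": "0x10"},     # "1" is inside "11", "0x10" inside "0x100"
    {"sysmon_event_id": 11},                             # GrantedAccess missing: has_field fails
    {"sysmon_event_id": 11, "GrantedAccess": "0x1000"},  # longer value is not inside the literal
]


def evaluate(rule) -> list:
    """Return one boolean per sample message for the given rule."""
    return [rule(m) for m in SAMPLES]


if __name__ == "__main__":
    print("thread rule:", evaluate(rule_thread_final))  # the second sample is a false positive
    print("exact rule: ", evaluate(rule_exact))
```

In Graylog's own rule language the exact form is written with ==, for example to_string($message.sysmon_event_id) == "11".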

(Jake Smith) #7

Hi Jochen,

Cheers for your help once again; I have Graylog doing something special.

Cheers

Jake
