The MitreRef field is created and value assigned in a pipeline and is then routed into the stream which this alert condition is attached to.
I can see the messages in the system and the field/value has been assigned as expected; however, the alert condition is still not triggering…
Example Message:
The time of the Graylog system and the Source system are the same. I have managed to get a Message Count Alert Condition to trigger successfully, it just appears to be the Field Content Alert Conditions that are failing for me.
Software Version
Graylog Version: 2.4.6+ceaa7e4
Elasticsearch Version: 5.6.14
MongoDB Version: 3.6.10
I have built a new box and imported everything I need. I can see that all my streams and pipelines are working as expected, but the same issue is persisting.
Looking at the graylog-server log file after setting the Subsystem: Graylog logging value to Debug, I can see lines like the following when the alert conditions are being checked.
2019-02-12T11:09:51.744Z DEBUG [AlertScanner] Alert condition [ca06ab3b-6042-42b9-8a4e-0109adca5edb:field_content_value={field: MitreRef, value: T1070, grace: 0, repeat notifications: true}, stream:={5a5393300061f42d271a7145: “Threat Hunt”}] is not triggered and is marked as resolved. Nothing to do.
I’m pretty much just scraping the barrel for ideas as to why this is no longer working but should the content of field_content_value not be like the below: