How to approach file rename alerting (Sysmon)

I’d like to be alerted when one field doesn’t contain the value of a different field, but don’t know how to approach it at all.

For example if Image: field does not contain what OriginalFileName contains I’d like to have an alert, dashboard showing these results.
This is based on: https://twitter.com/cyb3rops/status/1411454217512960003?s=20

In this example OriginalFileName would be CertUtil.exe, but Image: wouldn’t contain CertUtil.exe.

I’m thinking PipeLines would be the best fit, but I don’t know how to write such a query, can anyone help me out?

Hello,
The link below have many examples you can use. I’m still learning how to write pipeline/s and I get most of my information here when I need to write one.

Hope that helps

EDIT:
I tried to create these pipelines rules for you. If anything I maybe on the right track.

@shoothub is more skilled at this then I am.

rule "Fields that DO match"
when
	has_field("my_field") AND contains(to_string($message.my_field),"CertUtil.exe") == has_field("some_other_field") AND contains(to_string($message.some_other_field),"bob")
then
	set_field("new_field","true");
end

rule "Fields that DONT match"
when
	has_field("my_field") AND contains(to_string($message.my_field),"CertUtil.exe") == has_field("some_other_field") AND contains(to_string($message.does_not_exist),"bob")
then
	set_field("new_field","alert");
end

Rule "route to stream"
when
    has_field("new_field")AND contains(to_string($message.new_field),"alert")
then
    route_to_stream(id:"5d8acba383d72e04cba96317");
end

Hi @gsmith,
I would suggest to use rather examples from master graylog2-server repo, not obsoleted plugin:

Oh nice , Thanks man

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.