Hi everyone,
I’m working with several pipeline rules in Graylog that match different conditions, but sometimes they apply to the same log message. This happens because some log entries contain multiple indicators that are relevant for different rules.
Here’s an example of one of the rules I’m using. It checks if the `SeDebugPrivilege` was enabled by a process located in a typical user directory (like Downloads or Desktop):

```
rule "SeDebugPrivilege from user path // [ALERT_TAG=sedebug_priv_from_userpath] // (EventID: 4703)"
when
  to_long($message.EventID) == 4703 &&
  contains(lowercase(to_string($message.EnabledPrivilegeList)), "sedebugprivilege") &&
  (
    contains(lowercase(to_string($message.ProcessName)), "\\users\\") &&
    (
      contains(lowercase(to_string($message.ProcessName)), "\\downloads\\") ||
      contains(lowercase(to_string($message.ProcessName)), "\\desktop\\") ||
      contains(lowercase(to_string($message.ProcessName)), "\\documents\\") ||
      contains(lowercase(to_string($message.ProcessName)), "\\temp\\")
    )
  )
then
  remove_field("Opcode");
  set_field("alert_tag", "sedebug_priv_from_userpath");
  route_to_stream(" Logs");
end
```
I have other rules that also match on the same `EventID` or similar indicators. These rules also use `set_field("alert_tag", "...")` to label the log. The issue is that `set_field` overwrites the field, so if multiple rules match the same log, only one tag remains.
What I’m trying to achieve:
I would like to store multiple alert tags in the same field if more than one rule matches. For example:

`"alert_tag": ["sedebug_priv_from_userpath", "another_detection"]`
I’ve tried to use array logic with functions like `to_string_list`, `append`, or `concat`, but it seems like Graylog’s pipeline rule language has limitations (e.g., no `let` keyword, limited list handling).
My question:
Is there a recommended or working way to collect multiple tags into a single field (like `alert_tags`) from different pipeline rules—without one rule wiping out the result of another?

Also, is there a best practice for handling such overlapping detection scenarios, aside from appending tags to the `message` field (which I’ve used before but would prefer to avoid)?
P.S.: You may notice that in the example above I’m removing the `Opcode` field. This is because the index mapping was hitting the 1,000-field limit, and I couldn’t afford to add a new field just for tagging. If there is a viable solution to the main question (storing multiple tags), I’m also interested in whether such a method would require creating an additional field—and whether it would be possible to replace or reuse an existing field instead of adding a new one.
Thanks in advance
Best regards
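One way to get the accumulation asked about above, written here as an added example rather than code from the original post: each detection rule appends its tag to `alert_tag` as a comma-separated string instead of overwriting it, and a single rule in a later stage converts that string into an array in the same field, so no extra field is added to the index mapping (a keyword field accepts an array of keywords without a mapping change). It assumes the existing `alert_tag` field holds a plain string while the pipeline runs and uses only the built-in functions `to_string`, `concat`, `regex_replace`, `split` and `has_field`.

```graylog
// Stage 1 (one rule like this per detection): append the tag, never overwrite.
rule "SeDebugPrivilege from user path (append tag)"
when
  to_long($message.EventID) == 4703 &&
  contains(lowercase(to_string($message.EnabledPrivilegeList)), "sedebugprivilege") &&
  contains(lowercase(to_string($message.ProcessName)), "\\users\\") &&
  (
    contains(lowercase(to_string($message.ProcessName)), "\\downloads\\") ||
    contains(lowercase(to_string($message.ProcessName)), "\\desktop\\") ||
    contains(lowercase(to_string($message.ProcessName)), "\\documents\\") ||
    contains(lowercase(to_string($message.ProcessName)), "\\temp\\")
  ) &&
  // Skip when this tag is already present, so the rule stays idempotent if the
  // message passes the pipeline more than once.
  ! contains(to_string($message.alert_tag, ""), "sedebug_priv_from_userpath")
then
  // Tags collected by earlier rules; "" when nothing has tagged this message yet.
  let existing = to_string($message.alert_tag, "");
  // "a,b" + "," + "new" -> "a,b,new"; the regex removes the leading comma that
  // appears when existing is "" (no if/else is needed in the then-block).
  let combined = regex_replace("^,", concat(concat(existing, ","), "sedebug_priv_from_userpath"), "");
  set_field("alert_tag", combined);
end

// Last stage: turn the delimited string into an array, reusing the same field.
// Result after two matching rules: alert_tag = ["sedebug_priv_from_userpath", "another_detection"]
rule "alert_tag to array"
when
  has_field("alert_tag")
then
  set_field("alert_tag", split(",", to_string($message.alert_tag)));
end
```

The tagging rules may share a stage or be spread across stages; only the conversion rule must be in a stage after all of them, since any tagging rule that runs after it would see an array instead of a string.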