I have a rule created like this for DLL loaded. I have a pipeline rule created in Graylog to give an alert for rule levels higher than 11, but I am still getting alerts for image loaded events. Why?
Pipeline rules in Graylog:

// Looks up the Sysmon event 1 (process creation) vendor field for one customer
rule "WINDOWS SYSMON EVENT 1 - SOFTWARE VENDORS"
when
  $message.rule_group1 == "windows" AND
  $message.rule_group3 == "sysmon_event1" AND
  $message.agent_labels_customer == "00001" AND
  has_field("data_win_eventdata_company")
then
  let ldata = lookup_value(
    lookup_table: "software-vendors",
    key: to_string($message.data_win_eventdata_company, "no")
  );
  set_field("software_approved", ldata);
end

// Tags any message whose Wazuh rule level is above 11
rule "WAZUH CREATE FIELD SYSLOG LEVEL - ALERT"
when
  to_long($message.rule_level) > 11
then
  set_field("syslog_level", "ALERT");
end
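As an added illustration (not the poster's configuration), the following Python simulates both rules over two constructed alert messages, a process-creation event and an image-loaded event, so the conditions each rule actually tests can be seen side by side. It assumes Graylog's to_long() falls back to 0 when the field is absent or unparseable, and uses a constructed stand-in for the "software-vendors" lookup table.

```python
"""Simulate the two Graylog pipeline rules from the post (added example)."""

# Constructed stand-in for the "software-vendors" lookup table
SOFTWARE_VENDORS = {"Microsoft Corporation": "yes"}


def to_long(value, default=0):
    """Mimic Graylog's to_long(): assumed to return the default (0) when
    the value is missing or not numeric."""
    try:
        return int(str(value))
    except (TypeError, ValueError):
        return default


def rule_software_vendors(message):
    """Rule 'WINDOWS SYSMON EVENT 1 - SOFTWARE VENDORS': restricted to
    Sysmon event 1 of customer 00001 with a vendor field present."""
    if (message.get("rule_group1") == "windows"
            and message.get("rule_group3") == "sysmon_event1"
            and message.get("agent_labels_customer") == "00001"
            and "data_win_eventdata_company" in message):
        key = str(message.get("data_win_eventdata_company", "no"))
        message["software_approved"] = SOFTWARE_VENDORS.get(key)
    return message


def rule_syslog_level_alert(message):
    """Rule 'WAZUH CREATE FIELD SYSLOG LEVEL - ALERT': its only condition
    is rule_level > 11; it does not look at the Sysmon event type."""
    if to_long(message.get("rule_level")) > 11:
        message["syslog_level"] = "ALERT"
    return message


def run_pipeline(message):
    """Apply both rules to a copy of the message, as the pipeline would."""
    return rule_syslog_level_alert(rule_software_vendors(dict(message)))


# Constructed sample alerts: Sysmon event 1 and Sysmon event 7 (image loaded)
SAMPLES = [
    {"rule_group1": "windows", "rule_group3": "sysmon_event1",
     "agent_labels_customer": "00001", "rule_level": "12",
     "data_win_eventdata_company": "Microsoft Corporation"},
    {"rule_group1": "windows", "rule_group3": "sysmon_event7",
     "agent_labels_customer": "00001", "rule_level": "12"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        out = run_pipeline(msg)
        print(out["rule_group3"], out.get("software_approved"), out.get("syslog_level"))
```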