I have a pipeline rule created in Graylog to alert on rule levels higher than 11, but I am still getting alerts for image loaded events. Why?

61609 I have a rule created like this for DLL loaded. I have a pipeline rule created in Graylog to alert on rule levels higher than 11, but I am still getting alerts for image loaded events. Why? Pipeline rules in Graylog:

rule "WINDOWS SYSMON EVENT 1 - SOFTWARE VENDORS"
when
  $message.rule_group1 == "windows" AND $message.rule_group3 == "sysmon_event1" AND $message.agent_labels_customer == "00001" AND has_field("data_win_eventdata_company")
then
  let ldata = lookup_value(
    lookup_table: "software-vendors",
    key: to_string($message.data_win_eventdata_company, "no")
  );
  set_field("software_approved", ldata);
end

rule "WAZUH CREATE FIELD SYSLOG LEVEL - ALERT"
when
  to_long($message.rule_level) > 11
then
  set_field("syslog_level", "ALERT");
end

Hey @adiya_v

For your when statement, try something like this…

when
contains(to_string($message.rule_group1), "windows")
then

You can add debug to your pipeline to see what's going on, then check your Graylog log file:

 debug();

Maybe this might help
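To see which alerts the two `when` clauses in the post actually match, it helps to run the same logic offline against a handful of alerts before touching the pipeline again. The following is an added example, not Graylog's code and not part of the original post: it re-creates the two rules in plain Python, modelling only the Graylog functions they use (`has_field`, `to_string`, `to_long` with its default of 0, `lookup_value`). The sample alerts, the `SOFTWARE_VENDORS` table standing in for the `software-vendors` lookup and the `sysmon_event7` group name are all constructed for illustration.

```python
"""Offline re-creation of the two Graylog pipeline rules from the post.

Added example, not Graylog's own code. Graylog function semantics are
modelled only as far as the two rules use them.
"""

from typing import Any, Dict, List, Optional

Message = Dict[str, Any]

# Hypothetical stand-in for the "software-vendors" lookup table (constructed).
SOFTWARE_VENDORS: Dict[str, str] = {
    "Microsoft Corporation": "yes",
    "Contoso Ltd": "no",
}


def has_field(msg: Message, name: str) -> bool:
    """Graylog has_field(): true when the field exists on the message."""
    return name in msg


def to_string(value: Any, default: str = "") -> str:
    """Graylog to_string(): a missing value falls back to the default."""
    return default if value is None else str(value)


def to_long(value: Any, default: int = 0) -> int:
    """Graylog to_long(): missing or unparsable values fall back to the default, 0."""
    try:
        return int(str(value))
    except (TypeError, ValueError):
        return default


def lookup_value(table: Dict[str, str], key: str,
                 default: Optional[str] = None) -> Optional[str]:
    """Graylog lookup_value(): key lookup in a table with an optional default."""
    return table.get(key, default)


def rule_software_vendors(msg: Message) -> Message:
    """rule "WINDOWS SYSMON EVENT 1 - SOFTWARE VENDORS" from the post."""
    if (msg.get("rule_group1") == "windows"
            and msg.get("rule_group3") == "sysmon_event1"
            and msg.get("agent_labels_customer") == "00001"
            and has_field(msg, "data_win_eventdata_company")):
        ldata = lookup_value(SOFTWARE_VENDORS,
                             to_string(msg.get("data_win_eventdata_company"), "no"))
        msg = {**msg, "software_approved": ldata}
    return msg


def rule_syslog_level_alert(msg: Message) -> Message:
    """rule "WAZUH CREATE FIELD SYSLOG LEVEL - ALERT" from the post."""
    if to_long(msg.get("rule_level")) > 11:
        msg = {**msg, "syslog_level": "ALERT"}
    return msg


def run_pipeline(messages: List[Message]) -> List[Message]:
    """Apply both rules to every message, as one pipeline stage would."""
    return [rule_syslog_level_alert(rule_software_vendors(m)) for m in messages]


# Constructed sample alerts, flattened the way Wazuh alert JSON shows up in
# Graylog after extraction. Group names are illustrative, not copied from Wazuh.
SAMPLE_ALERTS: List[Message] = [
    # Sysmon event 1 (process create), low level, vendor present in the table
    {"rule_level": "3", "rule_group1": "windows", "rule_group3": "sysmon_event1",
     "agent_labels_customer": "00001",
     "data_win_eventdata_company": "Microsoft Corporation"},
    # Image loaded event, low level: neither rule should touch it
    {"rule_level": "5", "rule_group1": "windows", "rule_group3": "sysmon_event7",
     "agent_labels_customer": "00001",
     "data_win_eventdata_imageloaded": r"C:\Windows\System32\ntdll.dll"},
    # Image loaded event whose rule level is above 11: syslog_level becomes ALERT
    {"rule_level": "12", "rule_group1": "windows", "rule_group3": "sysmon_event7",
     "agent_labels_customer": "00001"},
    # Alert with no rule_level at all: to_long() falls back to 0, so no ALERT
    {"rule_group1": "windows"},
]

if __name__ == "__main__":
    for original, result in zip(SAMPLE_ALERTS, run_pipeline(SAMPLE_ALERTS)):
        added = {k: v for k, v in result.items() if k not in original}
        print(original.get("rule_group3", "?"), original.get("rule_level", "-"), added)
```

To check real data, replace `SAMPLE_ALERTS` with the fields of one of the image loaded alerts as Graylog shows them; if `syslog_level` is not added for that message here, the field is not coming from this rule and the source of the alert has to be looked for elsewhere.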
