Parse if MAC address is random

giveen · January 4, 2023, 6:30pm

rule "ParseMACForRandomization"
when
  has_field("source_mac") AND (contains("2", substring(to_string($message.source_mac),1,2),true) OR contains("6", substring(to_string($message.source_mac),1,2),true) OR contains("a", substring(to_string($message.source_mac),1,2), true) OR contains("e", substring(to_string($message.source_mac),1,2), true))
then
  set_field("source_mac_randomized", "True");
end

Topic		Replies	Views
Help combing these rules Graylog Central (peer support) pipeline-rules	5	323	January 18, 2023
Pipeline regex arrya for mac addresses don't work Graylog Central (peer support) pipeline-rules	13	441	June 29, 2023
Matching Field Contents with Regex (Pipeline Processing) Graylog Central (peer support)	7	6651	October 26, 2017
Index error in pipeline rule Graylog Central (peer support)	6	487	January 24, 2023
Pipeline Rule If/else Trick Graylog Central (peer support) pipeline-rules	2	5873	November 6, 2018

Parse if MAC address is random

Related topics