Hello everyone
I was wondering if there are some missing/broken when-conditions in the following example (pipeline rules):
https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog
In the rule sysmon threatintel, the only when-condition is:
has
ip")
And in the rule sysmon threatintel inflate, the only when-condition is:
to
indicated)
Also, after the pipeline rules there are these sentences:
The rules will now need to be added to a new Pipeline. We will name it Windows-Sysmon. In this Pipeline, we will have the following Stages containing rules:
Please note, due to the amount of messages produced by sysmon, you should enable the delivery to Graylog in batches so that you are able to scale and size the environment.
It looks like the stages and their descriptions are also missing there, right?
Best regards