Pipeline rules from example broken (back-to-basics-enhance-windows-security-with-sysmon-and-graylog)

Hello everyone :slight_smile:

I was wondering if there are some missing or broken when-conditions in the following example (pipeline rules):
https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog

In the rule sysmon threatintel, the only when-condition is:

 has
 ip")

And in the rule sysmon threatintel inflate, the only when-condition is:

 to
  indicated)

Also, after the pipeline rules there are these sentences:

The rules will now need to be added to a new Pipeline. We will name it Windows-Sysmon. In this Pipeline, we will have the following Stages containing rules:

Please note, due to the amount of messages produced by sysmon, you should enable the delivery to Graylog in batches so that you are able to scale and size the environment.

It looks like the stages and their descriptions are also missing there, right?

Best regards
:wink:

Good catch - Bumped over to “Documentation Campfire” for @dulanism :smiley:


Agree,
Nice catch @hollowdew :+1:


Thanks, all. The team will tend to this and follow up after we conclude some work cycles. We’ll be in touch.


Thank you for your help.
I also noticed that the dashboard which is referenced on the site
(https://s3.amazonaws.com/graylogblog/basic_sidecar_sysmon/sysmon_content_pack.json)
is not importable in Graylog.
It says that the content pack is incompatible; I am using the latest Graylog version.

Best regards
