I know I answered you individually, but I am posting here so that others searching can find it.
This is related to a previous post here.
Not all codes are in the tables in that post - specifically 0xE is missing - so:
All the codes including 0xE are here.
Pipeline code that uses the lookup tables for Kerberos TGT events 4771 (and 4820). NOTE: it also builds the fields for the potential/eventual e-mail notification.
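// Kerberos TGT failures: 4771 (pre-authentication failed) and 4820 (TGT
// denied). Enriches the event with the client's resolved name, builds the
// subject/body fields used by the e-mail notification, and routes the
// message to the incident-reporting stream.
//
// Reads:   winlogbeat_event_id, winlogbeat_event_data_IpAddress,
//          winlogbeat_event_data_TargetUserName, winlogbeat_event_data_Status,
//          winlogbeat_host_name
// Writes:  THE_requestingName, cmg_subject, cmg_body
// Lookups: THE_DNS_table (client IP -> host name),
//          WinLogonErr   (Kerberos Status code -> human-readable text)
//
// NOTE(review): the rule fires on every 4771/4820 regardless of Status.
// Only Status 0x18 (KDC_ERR_PREAUTH_FAILED) is the bad-password case; other
// codes in the WinLogonErr table (e.g. 0xE) are not password failures, so the
// "Failed Password Attempt" wording in the body is only accurate for 0x18.
// Confirm against the table before tightening the condition.
rule "AP3-WinSec-BadPw-Kerberos"
when
  to_string($message.winlogbeat_event_id) == "4771" ||
  to_string($message.winlogbeat_event_id) == "4820"
then
  // Windows records IPv4 clients as IPv4-mapped IPv6 ("::ffff:a.b.c.d");
  // drop the prefix so the DNS lookup table is keyed on the plain address.
  let requestingIP = replace(to_string($message.winlogbeat_event_data_IpAddress), "::ffff:");
  // No default is supplied: an unknown IP yields null here, which
  // to_string() below renders as an empty name in the subject/body.
  let requestingName = lookup_value("THE_DNS_table", requestingIP);
  set_field("THE_requestingName", requestingName); // exposed for quick values

  // ---- e-mail subject --------------------------------------------------
  let subjectUser = concat("-G| Kerb-FAIL: ", to_string($message.winlogbeat_event_data_TargetUserName));
  let subjectFrom = concat(subjectUser, " connecting from ");
  let subjectFin  = concat(subjectFrom, to_string(requestingName));
  set_field("cmg_subject", subjectFin);

  // ---- e-mail body -----------------------------------------------------
  // Status is the Kerberos error code (e.g. "0x18"); the table maps it to
  // text and falls back to 0 for codes that are not in the table.
  let logonErr = lookup_value("WinLogonErr", to_string($message.winlogbeat_event_data_Status), 0);
  // Typo fix: the original emitted "Attemept" in the alert body.
  let body0 = concat("Failed Password Attempt - ", to_string($message.winlogbeat_event_data_TargetUserName));
  let body1 = concat(body0, " attempting a log in from ");
  let body2 = concat(body1, requestingIP);
  let body3 = concat(body2, " ");
  let body4 = concat(body3, to_string(requestingName));
  // Both 4771 and 4820 are TGT requests, so the logon type is fixed.
  let body5 = concat(body4, " Logon Type: ");
  let body6 = concat(body5, "TGT");
  let body7 = concat(body6, ". Attempt registered on: ");
  let body8 = concat(body7, to_string($message.winlogbeat_host_name));
  let body9 = concat(body8, ". ERROR: ");
  let bodyFin = concat(body9, to_string(logonErr));
  set_field("cmg_body", bodyFin);

  route_to_stream("S5-IncidentReporting");
end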