Dear All,
I have a csv (UTF-8 encoded) file as shown below
"Command","Rank","Category"
"tasklist","1","Attacker Investigation"
"ver","2","Attacker Investigation"
"ipconfig","3","Attacker Investigation"
"net time","4","Attacker Investigation"
"systeminfo","5","Attacker Investigation"
I have set the data adapter key to be the Command field and the lookup to be the Rank,Category.
Now I have logs with a CommandLine parameter which shows the commands that have been run on my Windows system which are coming into Graylog via a GELF input.
I want to use a pipeline function similar to the one below to query the lookup table and add one or two fields into the log depending on whether there is a match or not:
hack_command_run = true / false for match no match
hack_command_lookup = lookup results
My function code is as follows.
// rule to check the CommandLine field in logs against a lookup table in a stream
rule "check_for_bad_command"
when
  // To save CPU cycles, only run on messages that carry this field
  has_field("CommandLine")
then
  // "command_lookup" is a placeholder: use the name of the lookup table that
  // wraps the CSV data adapter (key column "Command"); the key must match exactly
  let result = lookup_value("command_lookup", to_string($message.CommandLine));
  // lookup_value() returns null when the key is not in the table
  set_field("hack_command_run", result != null);
  // the lookup result (Rank,Category) is only meaningful when a match was found
  set_field("hack_command_lookup", result);
end
The added fields I expect to achieve are:
No match (tasklist)
hack_command_run=false
Match
hack_command_run=true
hack_command_lookup=1,Attack Investigation
Any help is appreciated.
Jake
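Added example, not from the original post: a small offline mock of the enrichment the rule above is meant to do, using the CSV from the post as the lookup table and a few constructed GELF-style messages. It also handles the case the post does not show: a CommandLine field usually carries a full path, an `.exe` suffix and arguments, so an exact-key lookup on the raw value misses; the `candidate_keys` normalisation (my own assumption about how to derive the key) tries the longest plausible key first so that "net time" still matches.

```python
import csv
import io
import re

# Constructed copy of the CSV lookup file from the post; "Command" is the key column.
LOOKUP_CSV = '''"Command","Rank","Category"
"tasklist","1","Attacker Investigation"
"ver","2","Attacker Investigation"
"ipconfig","3","Attacker Investigation"
"net time","4","Attacker Investigation"
"systeminfo","5","Attacker Investigation"
'''

# Constructed GELF-style messages, as they might arrive from the Windows hosts.
SAMPLE_MESSAGES = [
    {"short_message": "process created", "CommandLine": "tasklist"},
    {"short_message": "process created", "CommandLine": r'"C:\Windows\System32\ipconfig.exe" /all'},
    {"short_message": "process created", "CommandLine": r"net time \\dc01"},
    {"short_message": "process created", "CommandLine": "notepad.exe report.txt"},
    {"short_message": "logon", "EventID": 4624},   # no CommandLine: rule must skip it
]

def load_lookup(text):
    """Build the key -> "Rank,Category" map the CSV data adapter would serve."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        table[row["Command"].strip().lower()] = f'{row["Rank"]},{row["Category"]}'
    return table

def candidate_keys(command_line):
    """Derive lookup keys from a raw CommandLine: strip path and .exe from the
    first token, then try "<exe> <arg1>" before "<exe>" so "net time" wins over "net"."""
    tokens = command_line.strip().split()
    if not tokens:
        return []
    exe = re.sub(r"^.*[\\/]", "", tokens[0].strip('"')).lower()
    exe = re.sub(r"\.exe$", "", exe)
    keys = [exe]
    if len(tokens) > 1:
        keys.insert(0, f"{exe} {tokens[1].lower()}")
    return keys

def enrich(message, table):
    """Mirror the rule: has_field guard, then set hack_command_run / hack_command_lookup."""
    out = dict(message)
    if "CommandLine" not in out:
        return out
    for key in candidate_keys(out["CommandLine"]):
        if key in table:
            out["hack_command_run"] = True
            out["hack_command_lookup"] = table[key]
            return out
    out["hack_command_run"] = False
    return out

def run():
    table = load_lookup(LOOKUP_CSV)
    return [enrich(m, table) for m in SAMPLE_MESSAGES]
```

Inside Graylog the same normalisation would have to happen in the rule itself (with its string functions) before the key is passed to `lookup_value()`, because the CSV data adapter only matches the key exactly.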