Hi, is it possible to add "post processing" to a mutate operation within the same filter?
I have a filter that works, but I want to add a field if specific conditions are fulfilled, to mark the logged event as a possible indicator of compromise.
The log file is Sysmon output with event ID 1:
    filter {
      if [event_id] == 1 {
        mutate {
          add_field => { "action" => "processcreate" }
          rename => {
            "[event_data][CommandLine]"       => "process_command_line"
            "[event_data][CurrentDirectory]"  => "process_current_directory"
            "[event_data][ParentImage]"       => "process_parent_path"
            "[event_data][ParentCommandLine]" => "process_parent_command_line"
            "[event_data][IntegrityLevel]"    => "process_integrity_level"
            "[event_data][LogonGuid]"         => "user_logon_guid"
            "[event_data][ParentProcessGuid]" => "process_parent_guid"
            "[event_data][ParentProcessId]"   => "process_parent_id"
            "[event_data][TerminalSessionId]" => "user_terminal_session_id"
            "[event_data][FileVersion]"       => "file_version"
            "[event_data][Description]"       => "file_description"
            "[event_data][Product]"           => "file_product"
            "[event_data][Company]"           => "file_company"
          }
          # mutate applies rename before gsub, so the renamed fields can be used here;
          # both substitutions go in one gsub array (a setting may appear only once per mutate)
          gsub => [
            "process_parent_guid", "[{}]", "",
            "user_logon_guid",     "[{}]", ""
          ]
        }
      }
    }
Now the IOC data I want to add is the following:
IOC
    filter {
      if [event_id] == 1
         and ( ( [event_data][process_parent_path] =~ /(?i)(OUTLOOK.EXE)/ )
               # if I put it after the renaming, do I have to use [process_parent_path] or can I just use [ParentImage] still?
               or ( [event_data][ParentImage] =~ /(?i)(OUTLOOK.EXE)/
                    and [event_data][Image] =~ /(?i)(iexplore.exe|chrome.exe|firefox.exe|edge.exe)/ ) ) {
        mutate {
          add_field => { "IOC" => "Browser Launched From Outlook Sysmon 1" }
        }
      }
    }
How do I add this mutate statement into the existing event_id:1 filter? This must be possible to do in an elegant way?
I can't get it to parse the IOC section if I put the mutate either after the first mutate (meaning within the if statement) or if I place it within the mutate section. Individually the configs work fine.
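One way to combine the two, as an added example that is not the poster's config: Logstash runs the filters in a block top to bottom for each event, so a conditional placed after the first mutate sees the renamed field names (the old [event_data][ParentImage] no longer exists), while [event_data][Image], which is not renamed above, keeps its original name. The regexes are anchored with `$` to match the executable name at the end of the Sysmon image path, which is a tightening of the page's unanchored patterns; the `ioc` tag is an assumption added for easier searching.

```logstash
filter {
  if [event_id] == 1 {
    # 1) normalise the Sysmon fields first
    mutate {
      add_field => { "action" => "processcreate" }
      rename => {
        "[event_data][CommandLine]" => "process_command_line"
        "[event_data][ParentImage]" => "process_parent_path"
        "[event_data][LogonGuid]"   => "user_logon_guid"
      }
      gsub => [ "user_logon_guid", "[{}]", "" ]
    }

    # 2) a second, nested conditional in the same event_id == 1 block.
    #    It runs after the mutate above, so the parent image is now
    #    [process_parent_path]; [event_data][Image] was not renamed.
    if [process_parent_path] =~ /(?i)OUTLOOK\.EXE$/
       and [event_data][Image] =~ /(?i)(iexplore|chrome|firefox|edge)\.exe$/ {
      mutate {
        add_field => { "IOC" => "Browser Launched From Outlook Sysmon 1" }
        add_tag   => [ "ioc" ]   # assumed tag, not from the original config
      }
    }
  }
}
```

A mutate cannot carry its own condition, so the IOC check has to be a separate `if` that sits beside the first mutate, not inside it.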