Is it possible to use conditionals inside a processor Chain?
I use a copySubjectUser processor chain in order to copy the SubjectUser information in Windows events. For most of the events, Subject user information comes from winlog.event_data.Subject*, but in some events like 1102 (Clear audit log) the information is in winlog.user_data.Subject*, so either I write a new processor copySubjectUserFromUserData to be used in events like 1102, or somehow, depending on the event data, I decide which conversion to use.
I could write a function in order to evt.Get and evt.Put the fields and decide which one to copy, but I think it is less efficient. This way is more efficient, but I'm doing a kind of "duplication" of the copySubjectUser.
@andrewkroh What do you think?