Hello
I have the following message coming from QRadar (I have changed some things like ID, logon, etc.):
A network share object was accessed. Subject: Security ID: ELK\\test-test$ Account Name: test-test$ Account Domain: ELASTIC Logon ID: xxxxxx Network Information: Object Type: File Source Address: 8.8.8.8 Source Port: 88888 Share Information: Share Name: \\\\*\\IPC$ Share Path: Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)
I wanted to use the KV filter to create key values automatically.
This is my config for key value:
kv {
  source => "Message"
  field_split => "((?:[A-Za-z0-9_-] ?)+): +([^ ]*?) "
  value_split => ":"
}
Unfortunately it doesn't write it to the index.
I tested my regex. It should be working.
Now I've tried the new Ingest Node Pipelines feature. There I can see an error with no information.
Can anybody help me?
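The difficulty with this message is that the keys are multi-word ("Security ID", "Share Name"), values may be empty ("Share Path:") and section headers ("Subject:", "Network Information:") carry no value, so a generic split on ":" cannot tell where a value ends and the next key begins. The following Python is an added example, not code from the original post and not a Logstash kv configuration: it parses the flattened "A network share object was accessed" text by anchoring on the field names that this event actually uses. The SAMPLE string is constructed from the message quoted above.

```python
import re

# Field names exactly as they appear in the flattened message text.
# Section headers are listed too, so they terminate the preceding value.
FIELDS = [
    "Subject", "Security ID", "Account Name", "Account Domain", "Logon ID",
    "Network Information", "Object Type", "Source Address", "Source Port",
    "Share Information", "Share Name", "Share Path",
    "Access Request Information", "Access Mask", "Accesses",
]
SECTIONS = {"Subject", "Network Information", "Share Information",
            "Access Request Information"}

# Longest names first so that "Access Mask" is tried before "Accesses";
# a key must be preceded by whitespace (or start) and followed by ":" then
# whitespace/end, which stops "IPC$" or "8.8.8.8" from being read as keys.
_KEY_RE = re.compile(
    r"(?<!\S)("
    + "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True))
    + r"):(?=\s|$)"
)


def parse_share_access(message: str) -> dict:
    """Return {snake_case_field: value} for one flattened 'network share
    object was accessed' message; empty values (e.g. Share Path) are kept."""
    matches = list(_KEY_RE.finditer(message))
    result = {}
    for i, m in enumerate(matches):
        name = m.group(1)
        if name in SECTIONS:
            continue  # headers group fields; they carry no value of their own
        end = matches[i + 1].start() if i + 1 < len(matches) else len(message)
        result[name.lower().replace(" ", "_")] = message[m.end():end].strip()
    return result


# Constructed sample, built from the message quoted in the post above.
SAMPLE = (
    "A network share object was accessed. Subject: Security ID: ELK\\test-test$ "
    "Account Name: test-test$ Account Domain: ELASTIC Logon ID: xxxxxx "
    "Network Information: Object Type: File Source Address: 8.8.8.8 "
    "Source Port: 88888 Share Information: Share Name: \\\\*\\IPC$ Share Path: "
    "Access Request Information: Access Mask: 0x1 Accesses: ReadData (or ListDirectory)"
)

if __name__ == "__main__":
    for key, value in parse_share_access(SAMPLE).items():
        print(f"{key} = {value!r}")
```

The same idea carries over to Logstash: a grok or dissect pattern built from these fixed field names is more reliable than a generic kv split for this event.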