Hello everybody,
I am trying to create a field called "Threat" just if I have a log from the "Microsoft-Windows-Sysmon" provider, but the "if" condition never works, could you guys give me an idea about it?
Tks
########################### logstash .conf file ########################
input {
beats {
port => 5044
}
}
filter {
if "Microsoft-Windows-Sysmon" in [provider_name] {
#if [provider_name] == "Microsoft-Windows-Sysmon" {
mutate { add_field => {"Threat" => "Test"} } }
}
output {
stdout { codec => rubydebug }
}
############################ Logstash output #############################
"@version" => "1",
"winlog" => {
"channel" => "Microsoft-Windows-Sysmon/Operational",
"record_id" => 9921,
"task" => "File created (rule: FileCreate)",
"process" => {
"thread" => {
"id" => 3064
},
"pid" => 2392
},
"api" => "wineventlog",
"opcode" => "Info",
"computer_name" => "MyVm",
"provider_guid" => "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
"user" => {
"identifier" => "S-1-5-18",
"name" => "SYSTEM",
"type" => "User",
"domain" => "NT AUTHORITY"
},
"event_id" => 11,
"provider_name" => "Microsoft-Windows-Sysmon",
"event_data" => {
"RuleName" => "technique_id=T1044,technique_name=File System Permissions Weakness",
"CreationUtcTime" => "2020-04-15 03:14:58.941"
},
"version" => 2
},
"@timestamp" => 2020-04-15T03:14:58.941Z,
"event" => {
"created" => "2020-04-15T03:15:00.766Z",
"code" => 11,
"provider" => "Microsoft-Windows-Sysmon",
"action" => "File created (rule: FileCreate)",
"module" => "sysmon",