Hi There,
I am trying to split the fields and values of this field
winlog.event_data.RuleName: technique_id=T1036,technique_name=Masquerading
into two other separate fields, where I can have the technique id separately and the technique name separately.
filter {
  if "winlogbeat" in [tags] and [log_name] == "Microsoft-Windows-Sysmon/Operational" {
    kv {
      source => "[winlog][event_data][RuleName]"
      target => "[winlog][event_data][RuleName]"
      field_split => ","
    }
  }
}
Could you please tell me what error I am making; I couldn't split these.
Hi Raj,
There are a couple of things you need to change in your filter syntax to achieve the results you are looking for. Try replacing your filter with the following one:
filter {
  if ([winlog][channel] == "Microsoft-Windows-Sysmon/Operational") {
    if ([winlog][event_data][RuleName]) {
      kv {
        source => "[winlog][event_data][RuleName]"
        field_split => ","
        value_split => "="
        prefix => "mitre_"
        transform_key => "lowercase"
      }
    }
  }
}
I have tested the filter above and it works; you will get the new fields with the information from the RuleName field. Feel free to share any questions or thoughts.
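As an added example that is not part of the original thread, the Ruby script below models what the kv options in the reply (field_split, value_split, prefix, transform_key) do to a Sysmon event, so the resulting field names can be checked offline before the pipeline is deployed; the event layout and the helper names are assumptions, and whitespace trimming is an approximation of the real filter.

```ruby
# Hypothetical model of the Logstash kv filter from the reply (not Logstash code).
KV_OPTIONS = {
  source: %w[winlog event_data RuleName],   # [winlog][event_data][RuleName]
  field_split: ",",
  value_split: "=",
  prefix: "mitre_",
  transform_key: :lowercase
}.freeze

# Walk a nested field path, returning nil when any segment is missing
# (this is the case the `if ([winlog][event_data][RuleName])` guard covers).
def dig_field(event, path)
  path.reduce(event) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Split the source string into key/value pairs the way kv does: tokens without
# a value separator are skipped, keys get the prefix and lowercase transform,
# new fields land at the top level of the event (no target set), and a repeated
# key collects its values into an array (kv's default allow_duplicate_values).
def apply_kv(event, opts = KV_OPTIONS)
  raw = dig_field(event, opts[:source])
  return event unless raw.is_a?(String) && !raw.empty?
  raw.split(opts[:field_split]).each do |token|
    key, value = token.split(opts[:value_split], 2)
    next if value.nil? || key.strip.empty?
    key = key.strip
    key = key.downcase if opts[:transform_key] == :lowercase
    key = "#{opts[:prefix]}#{key}"
    value = value.strip
    if event.key?(key)
      event[key] = Array(event[key]) << value
    else
      event[key] = value
    end
  end
  event
end

# Constructed Sysmon event carrying the ATT&CK tag from the question.
SAMPLE_EVENT = {
  "winlog" => {
    "channel" => "Microsoft-Windows-Sysmon/Operational",
    "event_data" => {
      "RuleName" => "technique_id=T1036,technique_name=Masquerading"
    }
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  result = apply_kv(Marshal.load(Marshal.dump(SAMPLE_EVENT)))
  puts result.select { |k, _| k.start_with?("mitre_") }
end
```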