Hi all,
I am collecting logs from different Windows channels, and for different EventIDs I want to use different filter files.
For example:
    if 'channel' is 'sysmon':
        if 'EventID' is 1:
            use sysmon1_filter file
        if 'EventID' is 2:
            use sysmon2_filter file
        ....
    elif 'channel' is 'security':
        if 'EventID' is 4624:
            use security4624_filter file
        if 'EventID' is 4625:
            use security4625_filter file
        ....
What I am trying to do is to use different field normalization depending on the event channel and EventID, and I want to separate these filters into different files, because it would be a very long file if I did the whole normalization process in only one.
I am also open to suggestions on how to achieve this in a different way.
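One way to get the same effect outside of any particular pipeline tool is a table-driven normalizer: keep one small mapping file per (channel, EventID) pair and dispatch on that key at runtime, so the per-event logic never ends up in one huge file. The following is an added example, not code from the original post, and it assumes a file naming scheme of `<channel>_<eventid>.json`, ECS-style target field names, and constructed sample events and rule files written to a temporary directory; events whose (channel, EventID) has no rule file pass through unchanged with a tag so they can be spotted later.

```python
"""Dispatch field normalization by (channel, EventID), one rule file per pair."""
import json
import os
import tempfile
from typing import Any, Dict, List, Tuple

Rules = Dict[Tuple[str, int], Dict[str, str]]

# Constructed rule files (assumption: "<channel>_<eventid>.json"). Each body maps a raw
# Windows event field to the normalized name it should carry; the ECS-style target
# names are an assumption for illustration, not a requirement of the approach.
SAMPLE_RULE_FILES: Dict[str, Dict[str, str]] = {
    "sysmon_1.json": {                       # Sysmon EventID 1: process creation
        "Image": "process.executable",
        "CommandLine": "process.command_line",
        "ParentImage": "process.parent.executable",
    },
    "sysmon_2.json": {                       # Sysmon EventID 2: file creation time changed
        "Image": "process.executable",
        "TargetFilename": "file.path",
    },
    "security_4624.json": {                  # Security EventID 4624: successful logon
        "TargetUserName": "user.name",
        "IpAddress": "source.ip",
        "LogonType": "winlog.logon.type",
    },
    "security_4625.json": {                  # Security EventID 4625: failed logon
        "TargetUserName": "user.name",
        "IpAddress": "source.ip",
        "Status": "winlog.logon.failure.status",
    },
}

# Constructed sample events; the third one has no rule file on purpose.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"channel": "Sysmon", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"channel": "Security", "EventID": 4625, "TargetUserName": "admin",
     "IpAddress": "10.0.0.5", "Status": "0xC000006D"},
    {"channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
]


def write_rule_files(rule_dir: str, files: Dict[str, Dict[str, str]] = SAMPLE_RULE_FILES) -> None:
    """Materialise the constructed rule files on disk so they load like real config."""
    for name, mapping in files.items():
        with open(os.path.join(rule_dir, name), "w", encoding="utf-8") as fh:
            json.dump(mapping, fh)


def load_rules(rule_dir: str) -> Rules:
    """Read every <channel>_<eventid>.json in rule_dir into a dispatch table."""
    rules: Rules = {}
    for name in sorted(os.listdir(rule_dir)):
        stem, ext = os.path.splitext(name)
        channel, sep, event_id = stem.rpartition("_")
        if ext != ".json" or not sep or not event_id.isdigit():
            continue                          # not a rule file: ignore it
        with open(os.path.join(rule_dir, name), encoding="utf-8") as fh:
            rules[(channel.lower(), int(event_id))] = json.load(fh)
    return rules


def normalize(event: Dict[str, Any], rules: Rules) -> Dict[str, Any]:
    """Apply the rule file matching (channel, EventID); unknown pairs pass through tagged."""
    out = dict(event)                         # never mutate the caller's event
    tags = list(event.get("tags", []))
    try:
        key = (str(event["channel"]).lower(), int(event["EventID"]))
    except (KeyError, TypeError, ValueError):
        out["tags"] = tags + ["_normalize_missing_key"]
        return out
    mapping = rules.get(key)
    if mapping is None:
        out["tags"] = tags + ["_normalize_no_rule"]
        return out
    for src, dst in mapping.items():
        if src in out:
            out[dst] = out.pop(src)           # rename; fields not in the mapping stay as-is
    out["normalizer"] = f"{key[0]}_{key[1]}"  # record which rule file fired, for debugging
    return out


def run_demo() -> List[Dict[str, Any]]:
    """Write the constructed rule files, load them, and normalize the sample events."""
    with tempfile.TemporaryDirectory() as rule_dir:
        write_rule_files(rule_dir)
        rules = load_rules(rule_dir)
        return [normalize(ev, rules) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for normalized in run_demo():
        print(json.dumps(normalized, indent=2))
```

Adding support for a new EventID is then a matter of dropping one more `<channel>_<eventid>.json` into the directory; nothing in the dispatcher changes, and the `_normalize_no_rule` tag tells you which events are still reaching the output un-normalized.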