kevinlin
(Kevin)
November 6, 2024, 10:10am
1
There is a log with the field "winlog.logon.failure.sub_status", whose content is "User logon with misspelled or bad password".
Refer to Index connector and action | Kibana Guide [8.15] | Elastic
I created a rule that uses the index connector, and the "Document to index" setting is:
{
"failedreason": "{{winlog.logon.failure.sub_status}}"
}
The "failedreason" field exists in the index that the index connector links to, but its content is empty.
What can I do?
lesio
(Leszek Kubik)
November 6, 2024, 11:36am
2
kevinlin
(Kevin)
November 7, 2024, 3:38am
3
Thank you for the reply.
I think the problem was not described correctly; I will describe it again.
strawgate
(William Easton)
November 8, 2024, 9:13pm
4
I couldn't find any good examples of this, but I believe you'll need to do something like:
{
"failedreason": "{{#context.hits}}{{winlog.logon.failure.sub_status}}{{/context.hits}}"
}
Patrick_Mueller
(Patrick Mueller (Kibana Alerting))
November 13, 2024, 3:05pm
5
You should try {{_source.winlog.logon.failure.sub_status}}
see: {{winlog.logon.failure.sub_status}}
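The two suggestions above (iterate `context.hits`, and read the field from `_source`) come down to how mustache resolves names against the action context. The script below is an added illustration, not code from the thread or from Kibana, and it does not claim to be the confirmed fix for Kevin's setup. It assumes the rule is an Elasticsearch query rule whose actions receive the matched documents as raw search hits under `context.hits`, each with the event under `_source` (the SAMPLE_CONTEXT is constructed to that shape), and it uses a stripped-down stand-in for the mustache library rather than the real one, so it shows why the original template, the section without `_source`, and the section with `_source` render differently.

```python
import html
import json
import re

# Constructed sample of the action context an Elasticsearch query rule passes
# to its actions (shape assumed for this example): the matched documents are
# the raw search hits under context.hits, each carrying the event in _source.
SAMPLE_CONTEXT = {
    "context": {
        "hits": [
            {
                "_id": "hit-1",
                "_index": "winlogbeat-sample",
                "_source": {"winlog": {"logon": {"failure": {
                    "sub_status": "User logon with misspelled or bad password"}}}},
            },
            {
                "_id": "hit-2",
                "_index": "winlogbeat-sample",
                "_source": {"winlog": {"logon": {"failure": {
                    "sub_status": "Account currently disabled"}}}},
            },
        ]
    }
}

# Matches {{name}}, {{{name}}}, {{#name}} and {{/name}}; group 1 is the sigil.
TAG = re.compile(r"\{\{([#/{])?\s*([^\s{}]+?)\s*\}{2,3}")


def lookup(stack, path):
    """Resolve a dotted name the way mustache does: find the first segment in
    the innermost context that has it, then walk the remaining segments.
    Anything unresolved renders as the empty string."""
    head, *rest = path.split(".")
    for ctx in reversed(stack):
        if isinstance(ctx, dict) and head in ctx:
            value = ctx[head]
            for part in rest:
                if not isinstance(value, dict) or part not in value:
                    return None
                value = value[part]
            return value
    return None


def render(template, stack):
    """Minimal mustache renderer: variables (HTML-escaped by default, raw with
    triple braces) and sections that iterate lists. Nested sections with the
    same name are not handled; this is a stand-in, not the real library."""
    out, pos = [], 0
    while True:
        m = TAG.search(template, pos)
        if m is None:
            out.append(template[pos:])
            return "".join(out)
        out.append(template[pos:m.start()])
        sigil, name = m.group(1), m.group(2)
        if sigil == "#":
            close = "{{/" + name + "}}"
            end = template.index(close, m.end())
            body = template[m.end():end]
            value = lookup(stack, name)
            items = value if isinstance(value, list) else ([value] if value else [])
            for item in items:          # each hit becomes the innermost context
                out.append(render(body, stack + [item]))
            pos = end + len(close)
        elif sigil == "/":
            raise ValueError("unexpected closing tag {{/%s}}" % name)
        else:
            value = lookup(stack, name)
            text = "" if value is None else str(value)
            out.append(text if sigil == "{" else html.escape(text, quote=True))
            pos = m.end()


def render_document(template, context=SAMPLE_CONTEXT):
    """Render a 'Document to index' template against the action context."""
    return render(template, [context])


def indexed_document(template, context=SAMPLE_CONTEXT):
    """What the index connector would write, parsed back as JSON."""
    return json.loads(render_document(template, context))


TEMPLATES = {
    # the original template: the field is not a top-level action variable
    "top_level": '{"failedreason": "{{winlog.logon.failure.sub_status}}"}',
    # iterating the hits, but each hit's fields sit under _source
    "hits_no_source": '{"failedreason": "{{#context.hits}}'
                      '{{winlog.logon.failure.sub_status}}{{/context.hits}}"}',
    # iterating the hits and reading _source; a separator keeps several hits readable
    "hits_source": '{"failedreason": "{{#context.hits}}'
                   '{{_source.winlog.logon.failure.sub_status}}; {{/context.hits}}"}',
}

if __name__ == "__main__":
    for label, template in TEMPLATES.items():
        print(f"{label:15} -> {indexed_document(template)['failedreason']!r}")
```

Two things to check against a real rule before relying on a template like the third one: the rendered text must still be valid JSON once every hit has been concatenated (hence the separator), and double-brace output is HTML-escaped as in mustache generally, so a value containing a quote is stored as `&quot;` while the triple-brace form would emit the raw quote and break the document.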
kevinlin
(Kevin)
November 26, 2024, 7:20am
6
Unlucky, it doesn't work.
failedreason is empty.