Greetings!
I'm using a basic setup that uses Winlogbeat with configured Sysmon.
I'm writing some correlation rules and I would like to detect whether a PowerShell command is suspiciously long. The command itself is in the "message" field, stored using key:value -
What is the easiest way to check the "length" of that field? I tried the 'between' and 'length' functions in EQL (not working, because they cannot operate on a [text] field). Is there a way to write it in KQL, or should I use some kind of grok in Logstash or processors in the winlogbeat.yml file? Or another way?
Also, process.command_line is empty.
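One way to get a length you can query, added here as an example and not code from the original post or from Elastic: a Beats `script` processor (Winlogbeat supports it; the script runs in an ECMAScript 5.1 engine) that reads the rendered Sysmon `message`, pulls the `CommandLine:` value out of its key: value lines, writes the lengths into new fields and tags the event when the command line is over a threshold. The `event.Get` / `event.Put` / `event.Tag` calls and the `process(event)` entry point are the documented Beats script-processor API; the threshold, the `sysmon.*` field names, the `MockEvent` stand-in and the sample messages are assumptions made up for this example.

```javascript
// Added example, not from the original post: Beats "script" processor that
// measures the Sysmon CommandLine inside the rendered "message" field.
// Assumed (not from the post): threshold, the sysmon.* field names, the
// sample messages below, and MockEvent (a stand-in so this runs under Node).

var LONG_COMMAND_LINE_THRESHOLD = 500;  // assumed; tune to your own baseline

// Sysmon renders the message as "Key: value" lines; return the CommandLine value or null.
function extractCommandLine(message) {
  var lines = String(message).split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var m = /^CommandLine:\s*(.*)$/.exec(lines[i]);
    if (m) { return m[1]; }
  }
  return null;
}

// Pure helper: lengths plus the "is this long" verdict for one message.
function measure(message) {
  var cmd = extractCommandLine(message);
  var cmdLen = cmd === null ? null : cmd.length;
  return {
    command_line: cmd,
    message_length: String(message).length,
    command_line_length: cmdLen,
    long: cmdLen !== null && cmdLen > LONG_COMMAND_LINE_THRESHOLD
  };
}

// Entry point Beats calls once per event (Beats expects the name "process").
function processEvent(event) {
  var msg = event.Get("message");
  if (msg === null || msg === undefined) { return; }
  var r = measure(msg);
  event.Put("sysmon.message_length", r.message_length);          // assumed field name
  if (r.command_line !== null) {
    event.Put("sysmon.command_line_length", r.command_line_length); // assumed field name
    // Only fill process.command_line when the collector left it empty.
    var existing = event.Get("process.command_line");
    if (existing === null || existing === undefined || existing === "") {
      event.Put("process.command_line", r.command_line);
    }
  }
  if (r.long) { event.Tag("long_command_line"); }
}
// Node already has a global "process"; bind the Beats entry-point name only
// inside the Beats runtime, where that global does not exist.
if (typeof process === "undefined") { process = processEvent; }

// --- Offline stand-in for the Beats event object (constructed for this example) ---
function MockEvent(fields) { this.fields = fields; }
function walk(obj, path, create) {
  var parts = path.split("."), cur = obj;
  for (var i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== "object" || cur[parts[i]] === null) {
      if (!create) { return null; }
      cur[parts[i]] = {};
    }
    cur = cur[parts[i]];
  }
  return { parent: cur, key: parts[parts.length - 1] };
}
MockEvent.prototype.Get = function (name) {
  var w = walk(this.fields, name, false);
  return (w && w.key in w.parent) ? w.parent[w.key] : null;  // Beats returns null when absent
};
MockEvent.prototype.Put = function (name, value) {
  var w = walk(this.fields, name, true);
  w.parent[w.key] = value;
};
MockEvent.prototype.Tag = function (tag) {
  var tags = this.Get("tags");
  if (!Array.isArray(tags)) { tags = []; this.Put("tags", tags); }
  if (tags.indexOf(tag) < 0) { tags.push(tag); }
};

// Constructed sample messages in the shape of a Sysmon event ID 1 rendering.
var SHORT_MESSAGE = "Process Create:\r\nRuleName: -\r\n" +
  "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n" +
  "CommandLine: powershell.exe -NoProfile -Command Get-Date\r\nUser: LAB\\alice";
var LONG_MESSAGE = "Process Create:\r\nRuleName: -\r\n" +
  "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n" +
  "CommandLine: powershell.exe -nop -w hidden -enc " + new Array(601).join("Q") +
  "\r\nUser: LAB\\alice";

// Run the processor over one message as Beats would and return the resulting fields.
function run(message) {
  var ev = new MockEvent({ message: message, process: { command_line: "" } });
  processEvent(ev);
  return ev.fields;
}

console.log(JSON.stringify(run(LONG_MESSAGE).sysmon), run(LONG_MESSAGE).tags);
```

In winlogbeat.yml this goes under `processors:` as a `script` entry with `lang: javascript` and either `source:` (the code inline) or `file:` pointing at it; the new numeric fields are then normal long fields you can range-query in KQL (for instance `sysmon.command_line_length > 500`), and `tags: long_command_line` gives a cheap filter for the rule. The same length calculation could instead live in an Elasticsearch ingest pipeline `script` processor (Painless `ctx.message.length()`), but doing it in the Beat keeps the enrichment next to the Sysmon parsing.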