I wonder if someone could help me out.
I want to write a pipeline rule that checks two conditions and sets a field.
```
// function to detect bad things
rule "lets detect bad stuff"
when
    // To save CPU cycles, only run on this field in stream
    has_field("sysmon_event_id") AND
then
    set_field("BadDetected", "true");
end
```
The logic in the when condition is something similar to below
If sysmon_eventid=11 and granted-access=0x100 then set field
Both sysmon_event_id and GrantedAccess are fields and can be searched on in the search bar with this:
(sysmon_event_id:11 AND GrantedAccess:"0x100")
Does this logic work in functions?
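One way to express the two-condition check described above as a complete Graylog pipeline rule (an added example, not the original poster's rule). It assumes the field names and values from the post (sysmon_event_id, GrantedAccess, 11, 0x100) and that both may arrive as strings or numbers, so both are normalised with to_string before comparing.

```graylog
// Added example rule (not from the original post): flag messages where the
// Sysmon event ID is 11 and GrantedAccess is 0x100, then set BadDetected.
rule "flag sysmon event with granted access 0x100"
when
    // cheap guards first so the rule exits early for messages without these fields
    has_field("sysmon_event_id") AND
    has_field("GrantedAccess") AND
    // field values may be indexed as strings or numbers; normalise to string
    to_string($message.sysmon_event_id) == "11" AND
    // lowercase so "0x100" and "0X100" both match
    lowercase(to_string($message.GrantedAccess)) == "0x100"
then
    set_field("BadDetected", "true");
end
```

Note that in Sysmon, GrantedAccess is populated by event ID 10 (ProcessAccess) rather than event ID 11 (FileCreate), so check which event ID actually carries the field before relying on the rule to fire.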