Hi Jochen,
The documentation says the following
contains(value: string, search: string, [ignore_case: boolean])
Checks if value contains search, optionally ignoring the case of the search pattern.
So this would mean a contains statement should be
contains(to_string($message.sysmon_cmd_parent_file), "EXCEL.EXE")
This would search for "EXCEL.EXE" within the string of the field message.sysmon_cmd_parent_file, i.e. "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", with the option to ignore case.
This makes sense, however it is in opposition to my earlier conversation with Jan here at Checking condition in a pipeline
I think I have figured it out.
In the example above the strings are searching for identical matches, as the fields can only contain "11" for sysmon_event_id, so the order does not matter, whereas in my example I am looking for a partial match, so it matters?
Cheers
Jake
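To make the point in the post concrete, here is an added Python model (not code from the thread, from Graylog, or from Jake) of the documented `contains(value, search, ignore_case)` semantics, run over a few constructed Sysmon-style events. The field names follow the thread; the paths and event ids are made up. It shows that swapping the two arguments is harmless when both strings are identical (the `"11"` event-id case) but breaks a partial match such as looking for `EXCEL.EXE` inside a full parent path, and that the third argument is what makes a lower-case `excel.exe` still match.

```python
# Added example: a small model of the Graylog pipeline function
# contains(value, search, ignore_case) as the documentation describes it.
# This is an illustration of the semantics, not Graylog's own implementation.
from typing import Dict, List, Tuple


def contains(value: str, search: str, ignore_case: bool = False) -> bool:
    """Return True if `search` occurs somewhere inside `value`.

    `value` is the string being inspected (e.g. a full parent-process path),
    `search` is the pattern looked for inside it. The comparison is
    case-sensitive unless ignore_case is True.
    """
    if ignore_case:
        return search.lower() in value.lower()
    return search in value


def order_sensitivity(a: str, b: str, ignore_case: bool = False) -> Tuple[bool, bool]:
    """Evaluate contains() both ways round so the asymmetry is visible.

    Returns (contains(a, b), contains(b, a)).
    """
    return contains(a, b, ignore_case), contains(b, a, ignore_case)


# Constructed sample events (field names as in the thread, values invented).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "sysmon_event_id": "1",
        "sysmon_cmd_parent_file": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "sysmon_cmd_image": r"C:\Windows\System32\cmd.exe",
    },
    {
        "sysmon_event_id": "1",
        # Same binary, but logged in lower case: only an ignore_case match finds it.
        "sysmon_cmd_parent_file": r"C:\Program Files\Microsoft Office\root\Office16\excel.exe",
        "sysmon_cmd_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {
        "sysmon_event_id": "11",
        "sysmon_cmd_parent_file": r"C:\Windows\explorer.exe",
        "sysmon_cmd_image": r"C:\Users\alice\Downloads\report.xlsx",
    },
]


def excel_child_images(events: List[Dict[str, str]], ignore_case: bool = True) -> List[str]:
    """The check Jake is building, modelled here: for each event, test whether
    the parent path (the value) contains EXCEL.EXE (the search pattern), and
    return the child image paths that matched.

    The parent path must be the first argument; "EXCEL.EXE" is never going to
    contain a full path, so contains("EXCEL.EXE", path) would always be False.
    """
    matches = []
    for event in events:
        parent = str(event.get("sysmon_cmd_parent_file", ""))
        if contains(parent, "EXCEL.EXE", ignore_case):
            matches.append(event["sysmon_cmd_image"])
    return matches


if __name__ == "__main__":
    # Identical strings: order is irrelevant, as in the sysmon_event_id == "11" case.
    print(order_sensitivity("11", "11"))            # (True, True)
    # Partial match: only value-first works.
    path = SAMPLE_EVENTS[0]["sysmon_cmd_parent_file"]
    print(order_sensitivity(path, "EXCEL.EXE"))     # (True, False)
    # Case handling via the optional third argument.
    print(excel_child_images(SAMPLE_EVENTS, ignore_case=False))
    print(excel_child_images(SAMPLE_EVENTS, ignore_case=True))
```

Running it shows one child process found with the case-sensitive check and two with `ignore_case=True`, while the event-id comparison gives the same result in either argument order. The same asymmetry is why the pipeline rule has to pass the field as the first argument and the literal as the second when the field holds more than just the pattern.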