I’d like to create a pipeline rule that queries a lookup table to see if a $message.sysmon_cmd_event contains the lookup_value command.
I am replacing:
contains(to_string($message.sysmon_cmd_event), "vssadmin.exe Delete Shadows", true)
with
(lookup_value("cmd-lookup", to_string($message.sysmon_cmd_event)))
How do I get $message.sysmon_cmd_event to see if any part of it contains a value from the cmd-lookup data adapter?
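The crux of the question is that a lookup table is keyed: `lookup_value` returns the value stored under an exact key, so handing it the whole command line only matches when the table key is the whole command line, whereas `contains` is a substring test. The Python below is an added illustration, not Graylog code and not from the poster: it models the two semantics side by side and shows the usual workaround for a loop-free rule language, namely normalising the field, splitting it into words and doing a bounded number of exact-key lookups, one per word window. The lookup table (`CMD_LOOKUP`), the data adapter contents and the Sysmon command lines are all constructed for the example.

```python
"""Exact-key lookup vs. substring matching on Sysmon command lines.

Added example, not Graylog's code and not from the original post. The table
and the sample events below are constructed for illustration only.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the "cmd-lookup" data adapter: key -> value.
# A keyed data adapter (CSV, DSV, ...) returns one value per exact key.
CMD_LOOKUP: Dict[str, str] = {
    "vssadmin.exe delete shadows": "shadow-copy-deletion",
    "wmic shadowcopy delete": "shadow-copy-deletion",
    "bcdedit /set {default} recoveryenabled no": "recovery-disable",
}

# Constructed sample Sysmon Event ID 1 CommandLine values.
SAMPLE_EVENTS: List[str] = [
    "C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet",
    'cmd.exe /c "wmic shadowcopy delete"',
    "powershell.exe -NoP -W Hidden -enc SQBFAFgA",
    "notepad.exe C:\\Users\\alice\\notes.txt",
    "bcdedit /set {default} recoveryenabled No",
]


def lookup_value(table: Dict[str, str], key: str, default=None) -> Optional[str]:
    """Exact-key lookup: the whole (lower-cased) key must equal a table entry."""
    return table.get(key.lower(), default)


def contains_any(cmd: str, table: Dict[str, str]) -> Optional[str]:
    """Case-insensitive substring test of every table key against the field.

    This is what the poster wants, but it needs iteration over the table, which
    a pipeline rule cannot express directly; it is the reference behaviour.
    """
    hay = cmd.lower()
    for key, value in table.items():
        if key in hay:
            return value
    return None


def _normalise(cmd: str) -> List[str]:
    """Lower-case, split on whitespace, strip quotes and directory prefixes.

    Without stripping the path, "C:\\...\\vssadmin.exe" never equals the
    "vssadmin.exe" token the table key starts with.
    """
    words = []
    for w in cmd.lower().split():
        w = w.strip("\"'").rsplit("\\", 1)[-1]
        if w:
            words.append(w)
    return words


def ngram_lookup(cmd: str, table: Dict[str, str]) -> Optional[str]:
    """Exact-key lookup of every window of 1..N words, N = longest key.

    Mirrors the loop-free workaround: split the field and perform a bounded
    number of exact lookups, one per window, instead of one lookup on the
    whole field.
    """
    words = _normalise(cmd)
    max_words = max(len(k.split()) for k in table)
    for n in range(1, max_words + 1):
        for i in range(len(words) - n + 1):
            hit = table.get(" ".join(words[i:i + n]))
            if hit is not None:
                return hit
    return None


def scan(events: List[str], table: Dict[str, str],
         matcher: Callable[[str, Dict[str, str]], Optional[str]]) -> List[Tuple[str, str]]:
    """Run a matcher over a batch of events; return (event, value) for hits only."""
    hits = []
    for ev in events:
        value = matcher(ev, table)
        if value is not None:
            hits.append((ev, value))
    return hits


if __name__ == "__main__":
    # Whole-field lookup misses; the substring and windowed lookups both hit.
    print("exact key on full field:", lookup_value(CMD_LOOKUP, SAMPLE_EVENTS[0]))
    for name, fn in (("contains_any", contains_any), ("ngram_lookup", ngram_lookup)):
        for ev, value in scan(SAMPLE_EVENTS, CMD_LOOKUP, fn):
            print(f"{name}: {value:<22} <- {ev}")
```

The windowed variant is the one that translates to a rule: the field is normalised once, and each window is an exact key that `lookup_value` can resolve, so the number of lookups is bounded by the field's word count times the longest key in the table rather than by the size of the table. Keep the keys in the data adapter normalised the same way (lower case, no paths) or the exact match will silently fail.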