Lookup Table contains Value?


(Ionstorm) #1

I’d like to create a pipeline rule that queries a lookup table to see if a $message.sysmon_cmd_event contains the lookup_value command

I am replacing:

contains(to_string($message.sysmon_cmd_event), "vssadmin.exe Delete Shadows", true)

with

(lookup_value("cmd-lookup", to_string($message.sysmon_cmd_event)))

How do I get $message.sysmon_cmd_event to see if any part of it contains a value from cmd-lookup data adapter?


(Jochen) #2

The lookup tables in Graylog currently only support an exact lookup (similar to a dictionary or hash map).


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.