Lookup Table contains Value?

I’d like to create a pipeline rule that queries a lookup table to see if a $message.sysmon_cmd_event contains the lookup_value command

I am replacing:

contains(to_string($message.sysmon_cmd_event), "vssadmin.exe Delete Shadows", true)


(lookup_value("cmd-lookup", to_string($message.sysmon_cmd_event)))

How do I get $message.sysmon_cmd_event to see if any part of it contains a value from cmd-lookup data adapter?

The lookup tables in Graylog currently only support an exact lookup (similar to a dictionary or hash map).

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.