So I’m trying my hand at rules and pipelines. I know how to implement another’s rules (did successfully with ionstorm’s Sysmon threat intel), but I’m having dificulties trying my own. Like this:
rule "test"
when
has_field("event_app")
then
let lc_event_app = lowercase(to_string($message.event_app));
let regexPattern = to_string("\w*\.(\w){3}$");
let event_app_name = regex(regexPattern,lc_event_app);
set_fields(event_app_name);
end
Pretty basic - extract and lowercase app names from a full path field. But it gives me NPE when trying to save. What am I doing wrong - that even searching the web I couldn’t find out?