I have tried to create a pipeline rule to check if the user agent is on a list of suspicious user agents.
In the pipeline rule below I have only added the ‘Microsoft+WinRM+Client’ user agent as a test.
I have verified that we are getting logs in with the test user agent, however
the BadUserAgent field isn’t being set to ‘Yes’.
Can anyone explain to me why this rule doesn’t work?
```
rule "Suspicious User Agent"
when
  to_bool(regex("Microsoft+WinRM+Client", to_string($message.UserAgent)))
then
  set_field("BadUserAgent", "Yes");
end
```
Thank you in advance
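The likely cause is the pattern itself: in a regular expression `+` is a quantifier, so `Microsoft+WinRM+Client` means "Microsof, one or more t, WinRM, one or more M, Client" and can never match a value that contains a literal `+`. The script below is an added example, not part of the original post, and runs the post's pattern and an escaped version against a few constructed UserAgent values (the sample agents, the helper names and the find-style substring semantics assumed for Graylog's `regex()` are all assumptions made for the demonstration):

```python
import re

# Constructed sample UserAgent values (not taken from the post): the test agent the
# rule is meant to flag, plus variants and a browser agent that must not be flagged.
SAMPLE_AGENTS = [
    "Microsoft+WinRM+Client",                      # the agent the post tests with
    "Microsoft WinRM Client",                      # same agent, spaces instead of '+'
    "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0", # ordinary browser, must not match
    "MicrosoftWinRMClient",                        # no separators at all
]

# The suspicious-agent list the rule is supposed to check; one entry, as in the post.
SUSPICIOUS_AGENTS = ["Microsoft+WinRM+Client"]


def find_match(pattern: str, value: str) -> bool:
    """Substring search. Assumption: Graylog's regex() behaves like a find() over the
    value rather than requiring the whole string to match."""
    return re.search(pattern, value) is not None


def naive_pattern(agent: str) -> str:
    """The pattern exactly as written in the post: '+' acts as a quantifier here."""
    return agent


def escaped_pattern(agents) -> str:
    """One alternation of literal agent strings with every metacharacter escaped,
    so '+' (and '.', '(', '/' ...) are matched as themselves."""
    return "|".join(re.escape(a) for a in agents)


def graylog_string_literal(pattern: str) -> str:
    """Render the pattern as a double-quoted pipeline-rule string literal.
    Assumption: double-quoted Graylog strings process backslash escapes, so each
    backslash in the regex must be doubled when pasted into the rule."""
    return '"' + pattern.replace("\\", "\\\\") + '"'


def flag_agents(agents_seen, suspicious) -> dict:
    """Return {user_agent: bad} using the escaped list pattern, i.e. what the
    BadUserAgent field should end up as for each message."""
    pattern = escaped_pattern(suspicious)
    return {ua: find_match(pattern, ua) for ua in agents_seen}


if __name__ == "__main__":
    naive = naive_pattern(SUSPICIOUS_AGENTS[0])
    fixed = escaped_pattern(SUSPICIOUS_AGENTS)
    print(f"post's pattern : {naive}")
    print(f"escaped pattern: {fixed}")
    print(f"rule literal   : {graylog_string_literal(fixed)}")
    for ua in SAMPLE_AGENTS:
        print(f"{ua!r:50} naive={find_match(naive, ua)!s:5} escaped={find_match(fixed, ua)}")
```

Running it shows the post's pattern failing on the very agent it targets (and, tellingly, matching `MicrosoftWinRMClient` instead), while the escaped pattern flags only `Microsoft+WinRM+Client`. The printed rule literal is what goes into the pipeline rule; Graylog's own documentation tests the result of `regex()` through its `matches` field, so the condition would read `regex("Microsoft\\+WinRM\\+Client", to_string($message.UserAgent)).matches`. If the agent arrives with spaces rather than `+`, add that spelling to the list, or use `contains()` on the literal string instead of a regex.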