I have tried to create a pipeline rule to check if the user agent is on a list of suspicious user agents.
In the pipeline rule below I have only added the ‘Microsoft+WinRM+Client’ user agent as a test.
I have verified that we are getting logs in with the test user agent, however the BadUserAgent field isn’t being set to ‘Yes’.
Can anyone explain to me why this rule doesn’t work?
rule "Suspicious User Agent"
when
to_bool(regex("Microsoft+WinRM+Client", to_string($message.UserAgent)))
then
set_field("BadUserAgent", "Yes");
end
The + character is a reserved character in regular expressions. Additionally, the regex() function returns the matching parts of the input string, not a boolean value.
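To show both points in the answer concretely, here is an added Python example (not from the original thread and not Graylog's own code). It applies the pattern exactly as written in the rule, where each `+` quantifies the character before it, and then shows a literal comparison that escapes the list entries and yields a boolean. The same two changes apply to the Graylog rule: escape the plus signs (or match the literal string) and test the boolean `matches` entry of the map that Graylog's regex() returns rather than passing the whole result to to_bool(). The suspicious user agent list and the sample messages are constructed for the example; it assumes the real log value contains spaces, but escaping also handles a value that truly contains plus signs.

```python
import re

# Constructed list of user agents to flag; the only entry is the one from the question.
SUSPICIOUS_USER_AGENTS = [
    "Microsoft WinRM Client",
]

# The pattern exactly as written in the rule. Unescaped, '+' is a quantifier:
# "Microsoft+" means "Microsof" followed by one or more 't', and
# "WinRM+" means "WinR" followed by one or more 'M'.
RAW_PATTERN = "Microsoft+WinRM+Client"


def raw_pattern_matches(user_agent: str) -> bool:
    """Apply the unescaped pattern from the rule and report whether it matched."""
    return re.search(RAW_PATTERN, user_agent) is not None


def is_suspicious(user_agent: str) -> bool:
    """Return True when the user agent contains any listed value, compared literally."""
    for ua in SUSPICIOUS_USER_AGENTS:
        # re.escape turns every regex metacharacter (including '+') into a literal,
        # so the list entries are matched as plain text, not as patterns.
        if re.search(re.escape(ua), user_agent):
            return True
    return False


def set_bad_user_agent(message: dict) -> dict:
    """Mimic the rule's 'then' clause: set BadUserAgent only when the check is true."""
    if is_suspicious(str(message.get("UserAgent", ""))):
        message["BadUserAgent"] = "Yes"
    return message


if __name__ == "__main__":
    # Constructed sample messages standing in for $message in the pipeline.
    samples = [
        {"UserAgent": "Microsoft WinRM Client"},   # the test agent with spaces
        {"UserAgent": "MicrosoftWinRMClient"},     # what the raw pattern actually matches
        {"UserAgent": "Mozilla/5.0 (Windows NT 10.0)"},
    ]
    for msg in samples:
        ua = msg["UserAgent"]
        print(f"{ua!r}: raw pattern matches={raw_pattern_matches(ua)}, "
              f"suspicious={is_suspicious(ua)}, "
              f"result={set_bad_user_agent(dict(msg))}")
```

Running it shows that the unescaped pattern never matches the spaced user agent seen in the logs (it only matches the run-together form), while the escaped literal comparison sets the field for the real value and leaves benign agents untouched.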