Pipeline rule error

Please, why isn't this working? I want to get a field after a successful Windows login.

rule "successful logons"
when
  has_field("externalId : 4624")
then
  let success = concat(to_string($message.externalId), "-");
  set_field(field: "successful", value: success);
end

The has_field() function only checks if the specified message field exists. I doubt that you’re really trying to check for a field named “externalId: 4624”. You probably want to check the value of the message field named “externalId”.

Example:

when
  has_field("externalId") &&
  to_long($message.externalId) == 4624
then
  // ...
end

Maybe take a look at the following blog post for some inspiration:
https://www.graylog.org/blog/83-back-to-basics-enhance-windows-security-with-sysmon-and-graylog
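Putting the corrected condition together with the field the original question wanted to set, here is a complete rule in Graylog's pipeline rule language. It is an added example, not the answerer's code: it keeps the `externalId` field name and the `successful` output field from the thread, assumes `externalId` arrives as text (hence the `to_long()` default of 0, which stops a non-numeric value from aborting the rule), and adds a second, boolean field (`logon_success`, a name chosen here) because a boolean is easier to search and filter on than a string.

```graylog
rule "tag successful windows logons"
when
  // has_field() only tests that the field is present; the value is checked separately
  has_field("externalId") &&
  // to_long() with a default of 0 avoids a conversion error if the field is not numeric
  to_long($message.externalId, 0) == 4624
then
  // build the "4624-..." marker the original question was after
  let marker = concat(to_string($message.externalId), "-successful_logon");
  set_field("successful", marker);
  // an explicit boolean field is simpler to search on than a string
  set_field("logon_success", true);
end
```

The rule must be attached to a pipeline stage that is connected to the stream carrying the Windows events; otherwise it never runs and the new fields will not appear in search results.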

Thanks J. I checked the link you sent and it was helpful. What happens if I want to set a new field inside the "then" part of the above code? Can this work? I already tried it but didn't see it among the searched fields.

rule "successful logons"
when
  has_field("externalId") &&
  to_long($message.externalId) == 4624
then
  set_field(field: "successful", value: 4624);
end

Yes, this would work.

So J, you are saying this should work and I should see the new field I created?

rule "successful logons"
when
  has_field("externalId") &&
  to_long($message.externalId) == 4624
then
  set_field(field: "successful", value: 4624);
end

Yes, that’s what I wrote.

Thanks J… I tried it and it worked.
