I have created a pipeline rule and it does appear to work however, I’m not 100% sure on whether I am using the correct or best method in achieving my goal.
I was having an issue with using contains(to_string($message.sysmon_event_id),"3") within my pipeline rule, as it was matching on messages where the sysmon_event_id was ‘13’ - of course, due to the string 13 containing ‘3’.
My rule is as shown in the below screenshot:
From the screenshot above, I am performing an exact match check against the returned value of to_string($message.sysmon_event_id) - at least, as far as I can see, it does seem to be working as I expected.
This is more of a query as to whether this is a correct method for performing an exact match, or whether the rule is just matching on the message(s) because the check against the sysmon_data_process field is matching and my final line within the when section of the rule is being ignored.
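The over-match described in the post (a substring test on the event ID treating 13 as a hit for 3) is easy to reproduce outside Graylog. The following is an added example, not code from the post or from Graylog itself: it models the two predicates in plain Python over constructed sample messages, using the field names from the post (sysmon_event_id, sysmon_data_process) and a hypothetical process value, and also shows an AND-combined rule so you can confirm that the event-ID condition is not being ignored when the process condition matches.

```python
# Added example (not from the original post): why a substring check on a
# Sysmon event ID over-matches, and how a whole-value comparison fixes it.

# Constructed sample messages mimicking the Graylog fields named in the post.
# The process path is a hypothetical value chosen for illustration.
PROCESS = r"C:\Windows\System32\svchost.exe"
SAMPLE_MESSAGES = [
    {"sysmon_event_id": 3,   "sysmon_data_process": PROCESS},   # network connection
    {"sysmon_event_id": 13,  "sysmon_data_process": PROCESS},   # registry value set
    {"sysmon_event_id": 30,  "sysmon_data_process": PROCESS},   # another ID containing "3"
    {"sysmon_event_id": "3", "sysmon_data_process": PROCESS},   # same ID, stored as a string
    {"sysmon_event_id": 1,   "sysmon_data_process": PROCESS},   # process create
    {"sysmon_data_process": PROCESS},                           # event ID field missing
]


def contains_match(message, wanted="3"):
    """Mirrors contains(to_string($message.sysmon_event_id), "3"):
    true whenever `wanted` appears anywhere in the stringified value."""
    value = message.get("sysmon_event_id")
    if value is None:
        return False
    return wanted in str(value)


def exact_match(message, wanted="3"):
    """Mirrors to_string($message.sysmon_event_id) == "3":
    true only when the whole stringified value equals `wanted`."""
    value = message.get("sysmon_event_id")
    if value is None:
        return False
    return str(value) == wanted


def rule_matches(message, wanted_id="3", wanted_process=PROCESS):
    """Both conditions ANDed, as in a pipeline rule's `when` block.
    A message whose process matches but whose event ID is 13 must not fire."""
    return (message.get("sysmon_data_process") == wanted_process
            and exact_match(message, wanted_id))


def matched_ids(predicate, messages=SAMPLE_MESSAGES):
    """Return the event IDs of the messages a predicate accepts, in order."""
    return [m.get("sysmon_event_id") for m in messages if predicate(m)]


if __name__ == "__main__":
    print("contains:", matched_ids(contains_match))   # [3, 13, 30, '3']
    print("exact   :", matched_ids(exact_match))      # [3, '3']
    print("rule    :", matched_ids(rule_matches))     # [3, '3']
```

The Graylog equivalent of exact_match is simply to_string($message.sysmon_event_id) == "3" (or to_long($message.sysmon_event_id) == 3 if you prefer a numeric comparison); either compares the whole value, so 13 and 30 no longer fire. If you want to verify that the event-ID condition really is evaluated in your rule, feed a message through the simulator whose sysmon_data_process matches but whose sysmon_event_id is 13: the rule should not match.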