Separating fields with Key Pairs/Separators #177
-
Is there any capability to separate key-pair values when creating a chainsaw rule? I am trying to create a chainsaw rule for PowerShell EventID 400 events; however, the output is quite messy as it is all under the Data field. I have already specified an array index `Event.EventData.Data[2]`, but it would be nice to be able to do something like `Event.EventData.Data[2].HostApplication=` on key pairs inside the fields if they are consistent. There are other logs that would use `:` instead of `=`, so if there is a way to do this for them as well, that would be helpful to know! What I am aiming to do is split the fields out further, so instead of `NewEngineState=Available HostApplication=powershell -WindowStyle hidden Invoke-WebRequest -URI URL -outfile EXE` etc. in a single field, they would be split into their own separate columns. So a NewEngineState column would have `Available` in it and a HostApplication column would have `powershell -WindowStyle hidden Invoke-WebRequest -URI URL -outfile EXE` in it. Thanks!
-
Okay, so to clarify is it that we have something like this:
Then the request is to allow for parsing of the string at index
If so, that should be doable; we just need clear rules on how to split the string, as splitting on space will not be sufficient and will cause erroneous results.
Okay, beta.1 is up and fixes the issue. I have also added the option to trim whitespace.