I am attempting to build an exported field that ArcSight can use to categorize properly. Here is what I have:
transforms.conf
[devClassName]
REGEX = (?m)EventCode=(\d+)
FORMAT = devClassID::Microsoft-Windows-security-auditing:$1
WRITE_META = true
props.conf
[WinEventLog:Security]
TRANSFORMS-DevExtract = devClassName
fields.conf
[devClassID]
INDEXED = true
I need the result to be: Microsoft-Windows-security-auditing:4663, where 4663 is pulled from EventCode in Splunk.
I have tried to build the transform just on my search forwarder, but it does not allow me to use the variable $1.
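Added example, not from the original post or from Splunk: a way to dry-run a transforms.conf REGEX/FORMAT pair offline against a constructed sample event before deploying it. `apply_transform` is a hypothetical helper that approximates Splunk's `$1` substitution with Python's `re` module (Splunk itself uses PCRE), and it shows why the posted `($m)` prefix never produces a field while `(?m)` does.

```python
import re

# Constructed sample of a WinEventLog:Security event (not a real capture);
# only the EventCode line matters for this transform.
SAMPLE_EVENT = (
    "03/21/2024 10:15:32 AM\n"
    "LogName=Security\n"
    "EventCode=4663\n"
    "EventType=0\n"
    "ComputerName=WKS01.example.test\n"
    "Message=An attempt was made to access an object.\n"
)

FORMAT = "devClassID::Microsoft-Windows-security-auditing:$1"
BROKEN_REGEX = r"($m)EventCode=(\d+)"  # as posted: '$m' is a group, not a flag
FIXED_REGEX = r"(?m)EventCode=(\d+)"   # inline multiline flag, group 1 = code


def apply_transform(regex: str, fmt: str, event: str) -> dict:
    """Hypothetical stand-in for a transforms.conf stanza: run REGEX over the
    event, replace $1..$n in FORMAT with the captures, and return the
    key::value pair as a one-entry dict (empty dict if nothing is written)."""
    try:
        pattern = re.compile(regex)
    except re.error:
        return {}  # an invalid REGEX silently yields no field
    match = pattern.search(event)
    if match is None:
        return {}  # no match, so no field is written at index time

    def sub_group(m: re.Match) -> str:
        idx = int(m.group(1))
        return match.group(idx) or "" if idx <= pattern.groups else ""

    rendered = re.sub(r"\$(\d+)", sub_group, fmt)
    key, sep, value = rendered.partition("::")
    return {key: value} if sep else {}


def broken_result() -> dict:
    return apply_transform(BROKEN_REGEX, FORMAT, SAMPLE_EVENT)


def fixed_result() -> dict:
    return apply_transform(FIXED_REGEX, FORMAT, SAMPLE_EVENT)


if __name__ == "__main__":
    print("broken:", broken_result())  # {}
    print("fixed: ", fixed_result())   # {'devClassID': '...auditing:4663'}
```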