I apologize, I might have missed your response. I will explain my intention.

I'm trying to write a rule to match a value in the $syscheck.path$ field for events from the syscheck_registry_key_added decoder, but it wasn't working. To troubleshoot, I tried displaying the log in the rule description using $(full_log), which is also produced by the same decoder. I noticed on the dashboard that the $syscheck.path$ field was empty (the same with $full_log$), which I think is why my rule was failing. Could you please explain why this field is empty for this type of event? Thanks.
On Tuesday, 14 October 2025 at 03:59:52 UTC+7, Olamilekan Abdullateef Ajani wrote: