Closed dstaulcu closed 1 year ago
Shoot -- my fork of your repo is too far ahead (with new features being too unstable) to issue a pull request. Here is the code block that needs to change within process_create_whitelist.xml:
```
| eval input_host_fqdn = COALESCE(if(trim($host_fqdn|s$)="", "*", trim($host_fqdn|s$)), "*")
| eval input_user_name = COALESCE(if(trim($user_name|s$)="", "*", trim($user_name|s$)), "*")
| eval input_mitre_technique_id = COALESCE(if(trim($mitre_technique_id|s$)="", "*", trim($mitre_technique_id|s$)), "*")
| eval input_process_command_line = COALESCE(if(trim($process_command_line|s$)="", "*", trim($process_command_line|s$)), "*")
| eval input_process_path = COALESCE(if(trim($process_path|s$)="", "*", trim($process_path|s$)), "*")
| eval input_process_parent_path = COALESCE(if(trim($process_parent_path|s$)="", "*", trim($process_parent_path|s$)), "*")
| eval input_hash_sha256 = COALESCE(if(trim($hash_sha256|s$)="", "*", trim($hash_sha256|s$)), "*")
```
While you're in there, you might want to update the following option in each row of the dashboard to remove some copy/paste aggravation:

```xml
<option name="drilldown">none</option>
```
Again, thanks for those! Appreciate the support! Added them.
This issue happens in cases where inputs have special characters such as quotes. For me this occurs most often in command_line oriented inputs.
The Simple XML reference describes an option to overcome this sort of problem with use of the "|s$" token filter, which transforms the value of a field to a string.
Credit goes to Slack user daljeanis, who pointed this feature out to me in the dashboards_simple_xml channel.
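A small model of the quoting problem reported in this issue, as an added example that is not part of the original thread or the project's code: it substitutes a command-line input into one of the `eval` lines with and without `|s` and checks whether the value arrives as a single string literal. The hand-quoted pre-fix form `"$token$"`, the sample inputs and all helper names are assumptions, and `quote_filter` models only the documented behaviour of `|s` (wrap in quotes, escape embedded quotes).

```python
import re

TOKEN = re.compile(r"\$(\w+)(\|s)?\$")

def quote_filter(value):
    # Simplified model of |s: wrap in double quotes, escape embedded quotes.
    return '"' + value.replace('"', '\\"') + '"'

def render(template, tokens):
    """Substitute $name$ verbatim and $name|s$ through quote_filter."""
    def sub(match):
        value = tokens[match.group(1)]
        return quote_filter(value) if match.group(2) else value
    return TOKEN.sub(sub, template)

def string_literals(expr):
    """Return the double-quoted literals in expr, or None if one is left open."""
    literals, i = [], 0
    while i < len(expr):
        if expr[i] != '"':
            i += 1
            continue
        j = i + 1
        while j < len(expr) and expr[j] != '"':
            j += 2 if expr[j] == "\\" else 1  # skip escaped characters
        if j >= len(expr):
            return None  # unterminated string: the search fails to parse
        literals.append(expr[i:j + 1])
        i = j + 1
    return literals

def value_survives(template, value):
    """True if the input reaches eval as exactly one intact string literal."""
    expr = render(template, {"process_command_line": value})
    return quote_filter(value) in (string_literals(expr) or [])

# Assumed pre-fix form (hand-quoted token) and the form posted in this thread.
UNFILTERED = '| eval input_process_command_line = trim("$process_command_line$")'
FILTERED = '| eval input_process_command_line = trim($process_command_line|s$)'

# Constructed sample inputs.
SAMPLES = ['notepad.exe', 'cmd.exe /c "echo hello" > out.txt', 'findstr /c:"x']

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, value_survives(UNFILTERED, s), value_survives(FILTERED, s))
```

With the hand-quoted token, an input containing quotes either splits into several literals or leaves a string open, so the typed text changes the structure of the search; with `|s` every sample stays a single literal.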