Juan C. Tello

3 comments by Juan C. Tello

Alternatively, an implicit decoder (like the one for `json`) could be created for the `CEF` and `LEEF` formats, given that all fields have a given name. This has been requested...

This also affects Wazuh's native [Azure integration](https://documentation.wazuh.com/current/azure), which can produce alerts such as:

```
{"timestamp":"2022-05-18T14:36:53.672+0000","rule":{"level":3,"description":"Azure: AD ","id":"87802","firedtimes":1,"mail":false,"groups":["azure"]},"agent":{"id":"000","name":"wazuhmanager"},"manager":{"name":"wazuhmanager"},"id":"1652884613.107394","decoder":{"name":"json"},"data":{"id":"Directory_11111111-1111-1111-1111-111111111111_Y9GLM_86734990","category":"UserManagement","correlationId":"11111111-1111-1111-1111-111111111111","result":"success","activityDisplayName":"Delete user","activityDateTime":"2022-05-18T14:35:30.5989483Z","loggedByService":"Core Directory","operationType":"Delete","initiatedBy":{"app":"null","user":{"id":"11111111-1111-1111-1111-111111111111","displayName":"null","userPrincipalName":"[email protected]","ipAddress":"111.111.111.111","userType":"null","homeTenantId":"null","homeTenantName":"null"}},"targetResources":[{"id":"11111111-1111-1111-1111-111111111111","displayName":null,"type":"User","userPrincipalName":"11111111111111111111111111111111anotheruser_company.com#EXT#@company.onmicrosoft.com","groupType":null,"modifiedProperties":[{"displayName":"Is Hard Deleted","oldValue":null,"newValue":"\"False\""}]}],"additionalDetails":[],"azure_tag":"azure-ad-graph","azure_aad_tag":"azure-active_directory"},"location":"Azure"}
```

and

```
{"timestamp":"2022-05-18T07:20:57.015+0000","rule":{"level":3,"description":"Azure: AD ","id":"87802","firedtimes":1,"mail":false,"groups":["azure"]},"agent":{"id":"000","name":"wazuhmanager"},"manager":{"name":"wazuhmanager"},"id":"1652858457.5919","decoder":{"name":"json"},"data":{"id":"Sync_11111111-1111-1111-1111-111111111111_AAAAA_111111111","category":"ProvisioningManagement","correlationId":"11111111-1111-1111-1111-111111111111","result":"success","resultReason":"This app role assignment...
```

Hi @aderumier, you may collect multiline CrowdStrike logs with the following configuration:

```
multi-line-regex /var/log/crowdstrike/falconhoseclient/output ^{
```

Variable multiline log collection was added in Wazuh 4.2.0, and in this configuration...