
Feature: Processing of threshold detection events #88632

Open

Description

Describe the feature:

I would like a way to enrich detection events using processors. In particular, I would like to enrich detection events generated from threshold rules, where only a single source field is passed through to the detection event from the original document set.

Describe a specific use case for the feature:

In my specific case, I would like to process threshold detection events that rely on a single IP address field to add geoip-processed fields to the event, so that I can triage the threshold detection events more efficiently based on noticing geoip-related patterns, as I do already with non-threshold IP events.
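For readers unfamiliar with what "geoip processed fields" refers to here, the following is an added example (not part of the original issue, and not Kibana or Elasticsearch project code) of the kind of enrichment the request is asking for on threshold alerts. It is a request body for the Elasticsearch `_ingest/pipeline/_simulate` API: a pipeline with a single `geoip` processor, run against one constructed sample document. The field name `source.ip`, the target `source.geo`, and the sample address are assumptions for illustration; the processor options (`field`, `target_field`, `ignore_missing`) are standard `geoip` processor settings.

```json
{
  "pipeline": {
    "description": "Added example: enrich a single IP field with GeoIP data (assumed field names)",
    "processors": [
      {
        "geoip": {
          "field": "source.ip",
          "target_field": "source.geo",
          "ignore_missing": true
        }
      }
    ]
  },
  "docs": [
    {
      "_source": {
        "event": { "kind": "signal" },
        "source": { "ip": "8.8.8.8" }
      }
    }
  ]
}
```

Posted to `POST _ingest/pipeline/_simulate`, this returns the document with a `source.geo` object (fields such as `country_iso_code`, `city_name`, and `location`) derived from the node's bundled GeoIP database; `ignore_missing` makes the processor a no-op for alerts that lack the IP field rather than failing them. The point of the feature request is that threshold alerts carry only the single aggregated field and do not pass through such a pipeline, so this enrichment has to be applied to the alert document itself rather than inherited from the original source events.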

