Open
Description
opened on Jan 18, 2021
Describe the feature:
I would like a way to enrich detection events using processors. In particular, I would like to enrich detection events generated from threshold rules, where only a single source field is passed through to the detection event from the original document set.
Describe a specific use case for the feature:
In my specific case, I would like to process threshold detection events that rely on a single IP address field to add geoip-processed fields to the event, so that I can triage the threshold detection events more efficiently based on noticing geoip-related patterns, as I do already with non-threshold IP events.
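As an added illustration of the enrichment the use case above describes (this is not part of the original issue and not Kibana code), the following is an Elasticsearch ingest pipeline that runs the standard `geoip` processor over the one IP field a threshold rule carries through. The issue does not name the field, so `source.ip` as the input and `source.geo` as the target are assumptions, as is the pipeline's description text; `ignore_missing` keeps the pipeline from failing on threshold events whose single source field is not an IP.

```json
{
  "description": "Added example, not from the issue: enrich a threshold detection event whose only carried field is assumed to be source.ip with GeoIP data under source.geo",
  "processors": [
    {
      "geoip": {
        "field": "source.ip",
        "target_field": "source.geo",
        "ignore_missing": true
      }
    }
  ]
}
```

With the default GeoLite2 database the processor populates fields such as `source.geo.country_iso_code`, `source.geo.region_name`, `source.geo.city_name` and `source.geo.location` when the IP resolves, and leaves the event untouched when it does not, which is the shape needed to spot the geoip-related triage patterns mentioned above.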