streamalert

[Improvement] Add a new configuration for each normalizer that allows you to opt-out of sending a normalized field to the Artifacts Firehose

Open chunyong-lin opened this issue 4 years ago • 0 comments

Background

One issue we've encountered by using Normalization v2 internally is that we have rules that listen on normalized fields that are not interesting to extract into Artifacts, so that we'll be collecting huge numbers of Artifacts that provide no value.

For example, we would normalize network connection protocol, port number among different data sources; however, those values are not interesting and they should not be extracted to the Artifacts.

Desired Change

Add a new configuration for each normalizer that allows you to opt-out of sending a normalized field to the Artifacts Firehose.

chunyong-lin, Jun 24 '20 00:06