Add the capability to have generic configurable search-based correlations. We currently have a different analysis module for every Splunk/ELK search we want to run, but they all do basically the same thing.
This will require a bit of rework in the engine. Currently each module that is loaded is a different class, but this will require being able to load the same class multiple times with different configurations.
Requirements:
- ability to use multiple instances of the same analysis module
- search text with interpolation
- mapping from result field to observable type/value (with an optional condition to decide whether it should be included)
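A sketch of what the three requirements look like together, added here as an illustration and not code from the engine itself; the class and config names, the `run_search` callback and the sample rows are all assumptions. The same class is instantiated once per config entry, the search text is interpolated from the observable (with the value escaped so a quoted value cannot terminate the search string), and each result row is mapped to observables through per-field mappings with an optional condition.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional
# Constructed rows standing in for what a Splunk/ELK search would return.
SAMPLE_RESULTS = [
    {"src_ip": "10.0.0.5", "dest_ip": "203.0.113.7", "action": "allowed", "user": "alice"},
    {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.9", "action": "blocked", "user": "alice"},
]

@dataclass
class FieldMapping:
    field: str                     # result field to read
    observable_type: str           # observable type to emit for that field
    condition: Optional[Callable[[dict], bool]] = None  # include row only if true

@dataclass
class SearchCorrelationConfig:
    name: str
    search: str                    # search text; {type} and {value} are interpolated
    mappings: list = field(default_factory=list)

def _quote(value):
    # Escape so a quoted observable value cannot terminate the string in the search.
    return str(value).replace("\\", "\\\\").replace('"', '\\"')

class GenericSearchCorrelation:
    """One class (hypothetical name); the engine instantiates it once per config entry."""
    def __init__(self, config, run_search):
        self.config = config
        self.run_search = run_search  # callable(search_text) -> list[dict], injected

    def render_search(self, observable):
        return self.config.search.format(type=_quote(observable["type"]), value=_quote(observable["value"]))

    def correlate(self, observable):
        found = []
        for row in self.run_search(self.render_search(observable)):
            for m in self.config.mappings:
                if row.get(m.field) in ("", None):
                    continue
                if m.condition is not None and not m.condition(row):
                    continue
                obs = (m.observable_type, row[m.field])
                if obs not in found:
                    found.append(obs)
        return found

def load_instances(configs, run_search):
    # Same class, many instances: one per configured search, keyed by name.
    return {c.name: GenericSearchCorrelation(c, run_search) for c in configs}
```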