Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU Affero General Public License v3.0

Be able to customize output for correlation rules #1445

Open YamatoSecurity opened 1 month ago

YamatoSecurity commented 1 month ago

Right now, the output in correlation rules is limited to the fields that are used for filtering. It would be nice to be able to 1. add new fields to see their output and 2. rename the field names in order to use the same convention as the other rules (like the details field).

As this is not part of the sigma specification, I need to think about the best way to configure this.