StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
Background
One issue we've encountered by using Normalization v2 internally is that we have rules that listen on normalized fields that are not interesting to extract into Artifacts, so we'll be collecting huge numbers of Artifacts that provide no value.
For example, we would normalize network connection protocol and port number across different data sources; however, those values are not interesting and they should not be extracted into the Artifacts.
Desired Change
Add a new configuration for each normalizer that allows you to opt-out of sending a normalized field to the Artifacts Firehose.
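The following is an added example, not StreamAlert's own code, sketching how such a per-normalizer opt-out could work: normalized fields stay available for rule matching, but only types that have not opted out are turned into artifact rows. The config key name `send_to_artifacts`, the record and config shapes, and the helper names are all assumptions for illustration.

```python
# Added example (not StreamAlert's code): per-normalizer opt-out of artifact extraction.
# The key "send_to_artifacts" and the record/config layout are assumed for illustration.
from typing import Any, Dict, List

# Constructed normalization config for one log type. Each normalized type lists the
# source fields it maps from; "send_to_artifacts": False opts that type out of Artifacts.
NORMALIZATION_CONFIG: Dict[str, Dict[str, Any]] = {
    "ip_address": {"fields": ["src_ip", "dst_ip"]},          # default: sent to Artifacts
    "user_name": {"fields": ["user"]},
    "port": {"fields": ["src_port", "dst_port"], "send_to_artifacts": False},
    "protocol": {"fields": ["proto"], "send_to_artifacts": False},
}

# Constructed sample record, as a rule would see it after parsing.
SAMPLE_RECORD: Dict[str, Any] = {
    "record_id": "rec-0001",
    "src_ip": "10.0.0.5", "dst_ip": "192.0.2.10",
    "src_port": 51234, "dst_port": 443,
    "proto": "tcp", "user": "alice",
}


def normalize(record: Dict[str, Any], config: Dict[str, Dict[str, Any]]) -> Dict[str, List[Any]]:
    """Return {normalized_type: [values]} for every configured field present in the record.

    Every configured type is normalized regardless of the opt-out flag, so rules that
    listen on e.g. "port" keep working.
    """
    normalized: Dict[str, List[Any]] = {}
    for norm_type, spec in config.items():
        values = [record[f] for f in spec["fields"] if record.get(f) not in (None, "")]
        if values:
            normalized[norm_type] = values
    return normalized


def extract_artifacts(record_id: str, normalized: Dict[str, List[Any]],
                      config: Dict[str, Dict[str, Any]]) -> List[Dict[str, str]]:
    """Build artifact rows only for normalized types that have not opted out."""
    artifacts: List[Dict[str, str]] = []
    for norm_type, values in normalized.items():
        if not config.get(norm_type, {}).get("send_to_artifacts", True):
            continue  # opted out: still usable by rules, but not shipped to the Artifacts Firehose
        for value in values:
            artifacts.append({"record_id": record_id, "type": norm_type, "value": str(value)})
    return artifacts


def rule_matches_port(normalized: Dict[str, List[Any]], port: int) -> bool:
    """Toy rule: fires if any normalized port equals the given value (opt-out does not affect it)."""
    return port in normalized.get("port", [])


def process(record: Dict[str, Any], config: Dict[str, Dict[str, Any]]):
    """Normalize one record and return (normalized fields, artifacts to emit)."""
    normalized = normalize(record, config)
    return normalized, extract_artifacts(record["record_id"], normalized, config)


if __name__ == "__main__":
    norm, arts = process(SAMPLE_RECORD, NORMALIZATION_CONFIG)
    print("normalized:", norm)
    print("artifacts:", arts)
```

With the sample config, `port` and `protocol` are still normalized (so a rule on port 443 matches), but only `ip_address` and `user_name` values become artifact rows.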