syscollector events (ID 221) are not stored by default, but if they are, they contains a lot of useful information, like process executions and open sockets (including non-listening if configured to do so). Include these fields in search and enrichment.
syscollector events (ID 221) are not stored by default, but if they are, they contains a lot of useful information, like process executions and open sockets (including non-listening if configured to do so). Include these fields in search and enrichment.