The processor policy language currently defines three different action values: alert, tag and hash. However, the code makes no difference between these values: if the condition matches, a policies object is added to the event (only an invalid action value disables this enrichment). We need to decide:
Which of these values do we want to support? How do they affect the rule outcome?
Is there a relationship between the policy engine mode (alert, filter, bypass) and the rule's action value? If so, which combinations are allowed?
ECS has a central attribute event.kind that is currently always set to event. It would make sense to set it to alert for alerts resulting from policy matches. Does the action have to be alert for this to happen?
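To make the two behaviours concrete, here is an added illustrative evaluator (not the project's code). It assumes rules are dicts with a name, a condition callable over the event and an action string, and that events use ECS-style dotted keys. apply_policies_current mirrors the behaviour described above (every valid action enriches identically, an invalid action disables the rule); apply_policies_proposed shows one possible answer to the event.kind question, namely setting it to alert only when a matching rule's action is alert. That mapping is an assumption for discussion, not a decision recorded here.

```python
# Illustrative policy evaluator (added example, not the project's code).
# Assumptions: a rule is {"name": str, "condition": callable(event) -> bool,
# "action": str}; events are dicts keyed by ECS-style dotted field names.

VALID_ACTIONS = {"alert", "tag", "hash"}


def apply_policies_current(event, rules):
    """Current behaviour as described in the issue: any valid action value
    enriches the event in exactly the same way; an invalid action value
    disables enrichment for that rule. Returns a new event dict."""
    out = dict(event)
    for rule in rules:
        if rule["action"] not in VALID_ACTIONS:
            continue  # invalid action: rule never enriches
        if rule["condition"](out):
            out.setdefault("policies", []).append(
                {"name": rule["name"], "action": rule["action"]}
            )
    return out


def apply_policies_proposed(event, rules):
    """One possible reading of the proposal (assumption): event.kind becomes
    'alert' only if at least one matching rule has action 'alert'; tag/hash
    still enrich the event but leave event.kind as 'event'."""
    out = apply_policies_current(event, rules)
    if any(p["action"] == "alert" for p in out.get("policies", [])):
        out["event.kind"] = "alert"
    else:
        out.setdefault("event.kind", "event")
    return out


# Constructed sample rules for the demo.
SAMPLE_RULES = [
    {"name": "curl-exec", "action": "alert",
     "condition": lambda e: e.get("process.name") == "curl"},
    {"name": "web-user", "action": "tag",
     "condition": lambda e: e.get("user.name") == "www-data"},
    {"name": "bad-action", "action": "block",   # not a defined action value
     "condition": lambda e: True},
]


def demo():
    """Run both evaluators over two constructed events and return the results."""
    ev_alert = {"event.kind": "event", "process.name": "curl", "user.name": "www-data"}
    ev_tag_only = {"event.kind": "event", "process.name": "sshd", "user.name": "www-data"}
    return {
        "current": apply_policies_current(ev_alert, SAMPLE_RULES),
        "proposed_alert": apply_policies_proposed(ev_alert, SAMPLE_RULES),
        "proposed_tag_only": apply_policies_proposed(ev_tag_only, SAMPLE_RULES),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running the block shows that today the alert and tag rules produce indistinguishable policies entries and event.kind never changes, whereas the proposed variant flips event.kind to alert only for the first event; the invalid "block" rule is ignored in both.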