san-zrl
commented
3 years ago Done in the latest update to PR https://github.com/sysflow-telemetry/sf-processor/pull/38.
Closed ghost closed 2 years ago
san-zrl
commented
3 years ago Done in the latest update to PR https://github.com/sysflow-telemetry/sf-processor/pull/38.
When handling records and converting to ECS, it would be cool to set the 'event.kind' field to indicate whether this created by a rule as an 'alert' or whether it is reported as base record, ie 'event'.