Open ghost opened 1 year ago
and I should have read the documentation closer: https://trackme.readthedocs.io/en/latest/configuration.html#step-6-entities-priority-management crap, that's for the previous version.
Would this be the best option available currently?
@MikeAnderson-E16247
This indeed is relevant. However, I like the idea of having some form of a workflow which would be embedded and controlled by TrackMe.
Currently, if you have a tenant called "mytenant", you would have for instance the entities KVstore as:
| inputlookup trackme_dsm_tenant_mytenant
You can then update the priority value by any means in SPL, as long as you rely on the _key stored in the KV.
I keep this in the backlog as it is being considered seriously
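As an added illustration of the approach described in the comment above (not code from TrackMe or its maintainer), the following SPL bulk-updates the priority of entities whose name appears in a CSV lookup. It assumes a hypothetical lookup `es_correlation_objects.csv` with a single column `object` holding the data source names found by searching the correlation rules, that the entity name field in the KV store is `object` and the priority field is `priority` (both assumptions, not stated on the page), and it keeps every other field of each record intact so the upsert by `_key` does not drop them.

```spl
| inputlookup trackme_dsm_tenant_mytenant
`comment("assumption: entity name is in field object, priority in field priority")`
| lookup es_correlation_objects.csv object OUTPUT object AS in_use
`comment("in_use is null when the entity is not referenced by any correlation rule")`
| eval priority=if(isnotnull(in_use), "high", priority)
| fields - in_use
`comment("append=true with _key present updates the existing KV store records in place")`
| outputlookup append=true trackme_dsm_tenant_mytenant
```

Run it first without the final `outputlookup` line to review which entities would be raised to "high" before writing anything back to the collection.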
Describe the solution you'd like
Add something that assigns a data source a certain priority, based on whether it's in a lookup file/found in a search.
Additional context
This will be useful when new ES correlation rules are created, looking into indexes/sourcetypes not previously searched. This keeps TrackMe focused on the important data sources. Running a search against the correlation rules in use is easy enough to get that information.