Currently, when I run Zircolite using the 'exportForSplunk' template, each event that is generated contains the Sigma rule title and description, along with the information from the relevant evtx entry. Would you please consider adding the Sigma rule id to each event as well? Having that unique id would be helpful with some automation efforts.
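A post-processing workaround for the request above, added here as an example and not code from Zircolite or from the issue author: it reads Zircolite's JSON detection output and emits one newline-delimited JSON event per match, carrying the Sigma rule id next to the title and description. The shape of the input (one object per matched rule with `title`, `id`, `description` and a `matches` list of EVTX records) and the sample data itself are assumptions constructed for this example; the `rule_id` key name is also an assumption. Sigma rule ids are optional in the Sigma format, so a rule without one falls back to its title rather than emitting an empty field.

```python
import json
import sys
from typing import Dict, Iterable, Iterator, List

# Constructed sample in the assumed shape of Zircolite's JSON detection output:
# one object per matched Sigma rule, rule metadata at the top level, matching
# EVTX records under "matches". Field names are assumptions for this example.
SAMPLE_DETECTIONS: List[Dict] = [
    {
        "title": "Example Rule A",
        "id": "11111111-2222-3333-4444-555555555555",
        "description": "Constructed sample rule with an id",
        "matches": [
            {"EventID": 4688, "Computer": "host1", "CommandLine": "cmd.exe /c whoami"},
            {"EventID": 4688, "Computer": "host2", "CommandLine": "cmd.exe /c net user"},
        ],
    },
    {
        "title": "Example Rule B",
        # No "id": Sigma ids are optional, so the fallback path below is exercised.
        "description": "Constructed sample rule without an id",
        "matches": [
            {"EventID": 4104, "Computer": "host3", "ScriptBlockText": "IEX (New-Object Net.WebClient)"},
        ],
    },
]


def flatten_detections(detections: Iterable[Dict]) -> Iterator[Dict]:
    """Yield one Splunk-style event per EVTX match, tagged with rule metadata.

    "rule_id" is the Sigma rule id, falling back to the title when the rule has
    none, so automation always gets a non-empty (if less stable) key.
    """
    for rule in detections:
        meta = {
            "title": rule.get("title", ""),
            "description": rule.get("description", ""),
            "rule_id": rule.get("id") or rule.get("title", ""),
        }
        for match in rule.get("matches", []):
            # Refuse to silently overwrite an EVTX field with rule metadata;
            # a collision here would corrupt the event rather than enrich it.
            collisions = set(meta) & set(match)
            if collisions:
                raise ValueError(
                    f"EVTX field(s) {sorted(collisions)} collide with rule metadata keys"
                )
            yield {**meta, **match}


def to_ndjson(detections: Iterable[Dict]) -> str:
    """Serialise flattened events as newline-delimited JSON for Splunk ingestion."""
    return "\n".join(json.dumps(event, sort_keys=True) for event in flatten_detections(detections))


def main(argv: List[str]) -> int:
    # Usage: python add_rule_id.py detected_events.json > events.ndjson
    # With no argument the constructed sample above is used.
    if len(argv) > 1:
        with open(argv[1], "r", encoding="utf-8") as fh:
            detections = json.load(fh)
    else:
        detections = SAMPLE_DETECTIONS
    sys.stdout.write(to_ndjson(detections) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it against a real Zircolite JSON file instead of the embedded sample only requires passing the path as the first argument; the collision check is there because EVTX records are arbitrary key/value maps and a field literally named `title` or `rule_id` would otherwise be lost.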