Re: [DISCUSS] Threat Triage Rule failure

2016-10-17 Thread zeo...@gmail.com
My thoughts here essentially devolve into a selfish interest in alerts separate from a SOC analyst style alert in order to facilitate notifications such as larger issues with a topology, extremely high latency for an enrichment, a drop off in certain types of sensor traffic, etc. I feel like

Re: [DISCUSS] Threat Triage Rule failure

2016-10-17 Thread Casey Stella
You certainly can vote for neither. :) Just for clarity, is_alert is not set by the triage code. Only messages which are alerts already are triaged. I wasn't clear in how I explained that, so sorry about that. Option 1 would just send the data through untriaged and 2 would skip the bad rule

Re: [DISCUSS] Threat Triage Rule failure

2016-10-17 Thread zeo...@gmail.com
Can I vote for neither? I believe that is_alert is primarily intended for use by a SOC Analyst (assumed level 1) before it gets passed to a SOC Investigator, Forensic Investigator, etc., and that a message which failed a threat triage rule should instead come to the attention of the SOC Investigator