My thoughts here essentially devolve into a selfish interest in alerts
separate from a SOC analyst style alert in order to facilitate
notifications such as larger issues with a topology, extremely high latency
for an enrichment, a drop off in certain types of sensor traffic, etc. I
feel like there

You certainly can vote for neither. :)

Just for clarity, is_alert is not set by the triage code. Only messages
which are alerts already are triaged. I wasn't clear in how I explained
that, so sorry about that. Option 1 would just send the data through
untriaged and 2 would skip the bad rule and

Can I vote for neither? I believe that is_alert is primarily intended for
use by a SOC Analyst (assumed level 1) before it gets passed to a SOC
Investigator, Forensic Investigator, etc., and that a message which failed
a threat triage rule should instead come to the attention of the SOC
Investigator

Similar to the other discuss thread that I just put out about field
transformations, I wanted to get some community impressions for how to
handle triage rule failure.
Currently, if a threat triage rule fails with an exception or returns a
non-boolean, an error is thrown and no triage happens. I w
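The three failure-handling behaviours the thread is weighing (the current abort, option 1 passing the message through untriaged, option 2 skipping the bad rule), as an added Python illustration that is not the project's own code; the message and rule shapes, the field names, max-score aggregation and the `on_error` policy names are assumptions made here.

```python
from typing import Callable, Dict, List

# A rule is a name, a score awarded when it fires, and a predicate that must
# return a boolean (assumed shape; constructed for this example).
Rule = Dict[str, object]


class TriageRuleError(Exception):
    """Raised under the 'fail' policy: one bad rule aborts triage entirely."""


def triage(message: dict, rules: List[Rule], on_error: str = "fail") -> dict:
    """Score an already-flagged alert; is_alert is never set here.

    on_error="fail"      current behaviour: exception or non-boolean aborts triage.
    on_error="untriaged" option 1: return the message unchanged, no score.
    on_error="skip"      option 2: ignore the bad rule, score with the rest, and
                         record the failed rule names so the failure stays visible.
    """
    if not message.get("is_alert"):
        return message  # only messages that are already alerts are triaged
    fired, failed = [], []
    for rule in rules:
        try:
            result = rule["predicate"](message)
        except Exception as exc:  # missing enrichment, bad field type, etc.
            result = exc
        if isinstance(result, bool):
            if result:
                fired.append((rule["name"], rule["score"]))
            continue
        # Reaching here means the rule threw or returned a non-boolean.
        if on_error == "fail":
            raise TriageRuleError(f"rule {rule['name']!r} failed: {result!r}")
        if on_error == "untriaged":
            return message
        failed.append(rule["name"])
    out = dict(message)
    out["threat_triage_score"] = max((s for _, s in fired), default=0.0)  # assumed MAX aggregation
    out["threat_triage_rules"] = [n for n, _ in fired]
    if failed:
        out["threat_triage_failed_rules"] = failed
    return out


# Constructed sample rules and alert: the second rule raises KeyError if the
# enrichment is absent, the third always returns a non-boolean.
SAMPLE_RULES: List[Rule] = [
    {"name": "internal_src", "score": 10, "predicate": lambda m: m["ip_src_addr"].startswith("10.")},
    {"name": "dns_spike", "score": 50, "predicate": lambda m: m["enrichments"]["dns_count"] > 100},
    {"name": "bad_rule", "score": 20, "predicate": lambda m: "oops"},
]
SAMPLE_ALERT = {"is_alert": True, "ip_src_addr": "10.0.0.5", "enrichments": {"dns_count": 250}}
```

Under "skip" the failed rule name is carried on the message, which is what lets a rule-health alert be raised separately from the analyst-facing alert the thread distinguishes.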