I have the following configuration:
"threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "config": {},
    "triageConfig": {
        "riskLevelRules": [
            {
                "name": "Rule1",
                "comment": "Checks whatever 1.",
                "rule": "test == \"false\"",
                "score": 20,
                "reason": null
            },
            {
                "name": "Rule1",
                "comment": "Checks whatever 2.",
                "rule": "test2 == \"False\"",
                "score": 20,
                "reason": null
            },
            {
                "name": "Rule3",
                "comment": "Checks whatever 2.",
                "rule": "test3 == \"No\"",
                "score": 20,
                "reason": null
            }
        ],
        "aggregator": "SUM",
        "aggregationConfig": {}
    }
},
I have no additional configuration in enrichment besides filling a
specific field with true or false based on a Stellar expression.
I expected that when events would match my above rules, the _score field
would be filled in. That does not seem to be the case.
Does anyone know what I might be missing?
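How the posted rules would be evaluated, as an added example in Python (not Metron's own code and not part of the question above). It models the triage step under the assumptions listed in its docstring: triage only runs on messages already flagged as alerts, == does not coerce a boolean false to the string "false", the score field is named threat.triage.score (the question calls it _score), and only the field == literal rule shape from the posted config is parsed. The sample messages are constructed.

```python
"""Model of Metron threat-triage scoring (added example; not Metron's code).

Mirrors the posted triageConfig: every rule carries a Stellar-style boolean
expression and a score, and the scores of the matching rules are combined by
the aggregator (SUM here).  Assumptions made by this model, listed so they
can be checked against the Metron version in use:
  * triage runs only for messages already flagged as alerts (is_alert true
    or a threat-intel hit present), as Metron's threat-intel join step does;
  * == does not coerce types, so a boolean false written by an enrichment
    is not equal to the string "false";
  * the score is written to "threat.triage.score" (the post calls it _score);
  * only the  <field> == <literal>  rule shape used in the post is parsed.
"""
import re

SCORE_FIELD = "threat.triage.score"   # assumed output field name

# The posted triageConfig, copied verbatim.
TRIAGE_CONFIG = {
    "riskLevelRules": [
        {"name": "Rule1", "comment": "Checks whatever 1.", "rule": 'test == "false"', "score": 20, "reason": None},
        {"name": "Rule1", "comment": "Checks whatever 2.", "rule": 'test2 == "False"', "score": 20, "reason": None},
        {"name": "Rule3", "comment": "Checks whatever 2.", "rule": 'test3 == "No"', "score": 20, "reason": None},
    ],
    "aggregator": "SUM",
    "aggregationConfig": {},
}

_RULE_RE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*==\s*(.+?)\s*$")


def parse_literal(text):
    """Right-hand side of a rule: a double-quoted string, true/false, or a number."""
    if len(text) >= 2 and text[0] == text[-1] == '"':
        return text[1:-1]
    if text in ("true", "false"):
        return text == "true"
    return float(text) if "." in text else int(text)


def rule_matches(rule, message):
    """Evaluate one  field == literal  rule without any type coercion."""
    m = _RULE_RE.match(rule["rule"])
    if not m:
        raise ValueError("unsupported rule expression: %r" % rule["rule"])
    field, literal = m.group(1), parse_literal(m.group(2))
    value = message.get(field)
    if isinstance(value, bool) or isinstance(literal, bool):
        # Python would treat False == 0 as equal; a type-strict == does not.
        return type(value) is type(literal) and value is literal
    return value == literal


def is_alert(message):
    """Alert if is_alert converts to true, or any threat-intel hit key is present."""
    flag = message.get("is_alert")
    if flag is not None:
        return str(flag).lower() == "true"
    return any(k.startswith("threatintels.") and not k.endswith(".ts") for k in message)


def aggregate(scores, aggregator):
    """Combine the scores of the matched rules with the configured aggregator."""
    if not scores:
        return 0
    if aggregator == "SUM":
        return sum(scores)
    if aggregator == "MAX":
        return max(scores)
    if aggregator == "MIN":
        return min(scores)
    if aggregator == "MEAN":
        return sum(scores) / len(scores)
    raise ValueError("unknown aggregator: %s" % aggregator)


def triage(message, triage_config=TRIAGE_CONFIG):
    """Return a copy of message with the triage score added when any rule fires."""
    out = dict(message)
    if not is_alert(out):
        return out                      # triage never runs: no score at all
    out["is_alert"] = "true"
    matched = [r for r in triage_config["riskLevelRules"] if rule_matches(r, out)]
    if matched:
        out[SCORE_FIELD] = aggregate([r["score"] for r in matched], triage_config["aggregator"])
        out["threat.triage.rules"] = [r["name"] for r in matched]
    return out


if __name__ == "__main__":
    # Constructed sample messages, shaped like what an enrichment bolt might emit.
    boolean_fields = {"source.type": "test", "is_alert": True, "test": False, "test2": False, "test3": False}
    string_fields = {"source.type": "test", "is_alert": True, "test": "false", "test2": "False", "test3": "No"}
    not_an_alert = {"source.type": "test", "test": "false", "test2": "False", "test3": "No"}
    for msg in (boolean_fields, string_fields, not_an_alert):
        print(msg, "->", triage(msg).get(SCORE_FIELD))
```

Running it scores three constructed messages: the one whose enrichment fields hold booleans matches no rule, the one holding the strings the rules compare against scores 60, and the one never flagged as an alert is not scored at all. Those are the two points the model suggests checking on a real deployment: the type the enrichment actually writes, and whether the message reaches triage as an alert.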