That would be a perfect use for a Stellar enrichment using a statement to trigger the alert based on some Boolean expression. I would recommend using the is_alert field as the output field though, which will trigger the triage scoring.
Simon

> On 1 Apr 2017, at 10:59, Ali Nazemian <alinazem...@gmail.com> wrote:
>
> Hi all,
>
> I was wondering whether it is possible to have a conditional enrichment or not? Suppose I want to have the following enrichment:
>
> If event_type == 'DDOS' and ip_dst_addr=='x.x.x.x' then alarm_status = true
>
> How can I set the enrichment configuration to handle this situation?
>
> Regards,
> Ali
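The sensor enrichment config that expresses the condition above as a Stellar enrichment writing `is_alert`, with a matching triage rule, as an added example rather than anything posted in the thread; the rule name, comment and score are constructed, the `riskLevelRules` list layout assumes a Metron release that uses the list form, and 'x.x.x.x' is the placeholder from the question:

```json
{
  "enrichment": {
    "fieldMap": {
      "stellar": {
        "config": {
          "is_alert": "event_type == 'DDOS' && ip_dst_addr == 'x.x.x.x'"
        }
      }
    },
    "fieldToTypeMap": {}
  },
  "threatIntel": {
    "fieldMap": {},
    "fieldToTypeMap": {},
    "triageConfig": {
      "riskLevelRules": [
        {
          "name": "ddos_against_protected_host",
          "comment": "Constructed example score; tune to local policy",
          "rule": "event_type == 'DDOS' && ip_dst_addr == 'x.x.x.x'",
          "score": 90
        }
      ],
      "aggregator": "MAX"
    }
  }
}
```

The Stellar expression evaluates to a Boolean, so `is_alert` is true only for events that satisfy both comparisons, and the triage rule then assigns the score to those events.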