Ali, can you pseudocode out what you are logically looking to do?

IF ( IS_ALERT(Field0) AND IS_TRUE(Field1 > 0 ) OR ……….. THEN (alarm_status = true )
On April 1, 2017 at 10:09:36, Ali Nazemian (alinazem...@gmail.com) wrote:

Hi Simon,

This is a different use case. We might need to have multiple boolean attributes. Having "is_alert" is not enough for this one. I am looking for the same behaviour as "is_alert" with different attributes. Let's say "is_alert" is bound to Threat Triage with a scoring mechanism, but I need another boolean attribute for a different condition.

Cheers,
Ali

On Sat, Apr 1, 2017 at 9:14 PM, Simon Elliston Ball <si...@simonellistonball.com> wrote:
> That would be a perfect use for a stellar enrichment using a statement to
> trigger the alert based on some Boolean expression, I would recommend using
> the is_alert field as the output field though, which will trigger the
> triage scoring.
>
> Simon
>
> > On 1 Apr 2017, at 10:59, Ali Nazemian <alinazem...@gmail.com> wrote:
> >
> > Hi all,
> >
> > I was wondering whether it is possible to have a conditional enrichment or not? Suppose I want to have the following enrichment:
> >
> > If event_type == 'DDOS' and ip_dst_addr=='x.x.x.x' then alarm_status = true
> >
> > How can I set the enrichment configuration to handle this situation?
> >
> > Regards,
> > Ali

--
A.Nazemian
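As an added illustration of the approach Simon describes (this is not configuration posted by anyone in the thread), the following is a sensor enrichment configuration for Metron in which a Stellar enrichment sets two separate Boolean fields. The first, is_alert, carries Ali's original DDoS condition so that the event goes on to threat triage scoring; the second, alarm_status, is the additional Boolean attribute Ali asks for and is driven by a different condition. The structure ("enrichment" -> "fieldMap" -> "stellar" -> "config", mapping an output field name to a Stellar expression) is the standard Stellar enrichment adapter layout; the field name bytes_in in the second expression is a hypothetical message field chosen for the example, and 'x.x.x.x' is the placeholder address used in the thread rather than a real destination.

```json
{
  "enrichment": {
    "fieldMap": {
      "stellar": {
        "config": {
          "is_alert": "event_type == 'DDOS' && ip_dst_addr == 'x.x.x.x'",
          "alarm_status": "event_type == 'DDOS' && ip_dst_addr == 'x.x.x.x' && bytes_in > 0"
        }
      }
    }
  }
}
```

Each key under "config" becomes a field on the enriched message, and each value is a Stellar expression evaluated against that message (Stellar accepts both && / || and and / or as Boolean operators). Only the is_alert field participates in threat triage; alarm_status is just another attribute on the message, which is the distinction Ali draws between the two use cases.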