
Commit 469ab90

committed
Add m365_defender.incident.alerts.evidence.user_account.display_name to related.user.
1 parent 0728fa7 commit 469ab90

File tree

1 file changed

+9
-0
lines changed
  • packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline


packages/m365_defender/data_stream/incident/elasticsearch/ingest_pipeline/default.yml

Lines changed: 9 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -1550,6 +1550,15 @@ processors:
15501550
field: _ingest._value.userAccount.displayName
15511551
target_field: _ingest._value.user_account.display_name
15521552
ignore_missing: true
1553+
- foreach:
1554+
field: json.alerts.evidence
1555+
if: ctx.json?.alerts?.evidence instanceof List
1556+
processor:
1557+
append:
1558+
field: related.user
1559+
value: '{{{_ingest._value.user_account.display_name}}}'
1560+
allow_duplicates: false
1561+
ignore_failure: true
15531562
- foreach:
15541563
field: json.alerts.evidence
15551564
if: ctx.json?.alerts?.evidence instanceof List
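Review bot: The new `append` has no guard for evidence items that carry no `user_account.display_name` (a Mustache template over a missing field renders as an empty string rather than failing, so `ignore_failure: true` does not help here). For non-user evidence entries (device, file, process, and so on) this will push `""` into `related.user` unless a later processor in this pipeline already strips empty values from `related.*`; please either confirm that cleanup exists or add a null check on the inner processor, e.g. `if: ctx._ingest._value.user_account?.display_name != null`, so the loop only appends when the value is present. Minor style point: this hunk introduces a second `foreach` over `json.alerts.evidence` directly before another one that iterates the same list with the same condition; folding the append into a shared loop would avoid walking the evidence array twice, though that is optional. Finally, a display name is not a stable account identifier, so if the aim is correlation in `related.user`, consider also appending the account name or UPN from the same evidence object in a follow-up.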
