Add defaults for auto extracted observables

2025-12-06 09:12:45 +01:00 · 2023-01-24 13:17:50 -05:00
parent b0709e93fa
commit 7b1f867ac3
2 changed files with 6 additions and 0 deletions
--- a/salt/soc/defaults.yaml
+++ b/salt/soc/defaults.yaml
@@ -1020,6 +1020,9 @@ soc:
        cacheMs: 300000
        verifyCert: false
        casesEnabled: true
+        extractCommonObservables:
+          - source.ip
+          - destination.ip
        timeoutMs: 300000
        timeShiftMs: 120000
        defaultDurationMs: 1800000
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -69,6 +69,9 @@ soc:
          description: Set to true if the SOC case management module, natively integrated with Elasticsearch, should be enabled.
          global: True
          advanced: True
+        extractCommonObservables:
+          description: List of indexed fields to automatically extract into a case observable, when attaching related events to a case.
+          global: True
        timeShiftMs:
          description: Duration (in milliseconds) to further expand the PCAP time range when querying PCAP data related to an event. This duration is added to the normal duration value (see defaultDurationMs).
          global: True