We have physical servers tied into span ports on our core switches. These have always previously run Packetbeat, but we are migrating to the new Network Traffic Capture Integration. One of the key issues I have noticed with this Integration is that it includes the host.* fields with no apparent way to disable them. Many Integrations have the option to disable the host.* fields if tags contains "forwarded", but I don't see that option on this Integration. This is causing these servers to be deemed the most critical devices based on the Host Risk Score, when the devices are nothing more than observers to the activity.
Since these events are not actually happening on these hosts, I feel the host.* fields should be disabled on this Integration, and the observer.* fields should be populated instead.
Eric
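The remapping requested above, sketched on a constructed event. This is an added example, not code from the integration or from the issue author. The field mapping is an assumption based on the ECS `host.*` and `observer.*` field names, and `host_to_observer` is a hypothetical helper.

```python
import copy

# Assumed mapping: host.* fields that have a same-meaning observer.* field in ECS.
# host.* fields with no observer counterpart (e.g. host.id) are dropped.
HOST_TO_OBSERVER = {
    "hostname": "hostname",
    "name": "name",
    "ip": "ip",
    "mac": "mac",
    "os": "os",
}


def host_to_observer(event):
    """Return a copy of an ECS-style event with host.* re-expressed as observer.*."""
    out = copy.deepcopy(event)  # leave the caller's event untouched
    host = out.pop("host", None)
    if not isinstance(host, dict):
        return out  # no host object to move
    observer = out.setdefault("observer", {})
    for src, dst in HOST_TO_OBSERVER.items():
        # Never overwrite an observer value the event already carries.
        if src in host and dst not in observer:
            observer[dst] = host[src]
    if not observer:
        del out["observer"]  # host held nothing mappable
    return out


# Constructed sample event (not real capture output): a sensor on a span port
# reporting a flow between two other machines.
SAMPLE = {
    "network": {"transport": "tcp"},
    "source": {"ip": "10.0.0.5"},
    "destination": {"ip": "10.0.0.9"},
    "host": {
        "name": "span-sensor-01",
        "hostname": "span-sensor-01",
        "ip": ["192.0.2.10"],
        "id": "constructed-id",
        "os": {"family": "debian"},
    },
    "observer": {"name": "core-span-a"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(host_to_observer(SAMPLE), indent=2))
```

With `host` gone from the event, host-keyed scoring has nothing to attribute the flow to on the sensor, while the sensor's identity stays queryable under `observer.*`.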