Sentinel needs a means to get common-interest fields to automatically show up when “More” is selected on an individual event or “Show more details” is clicked to do the same for all listed events in a search result window.
For instance, commonly AV / End Point Security related collectors like the upcoming Sophos collector will push detected attack signatures (specific Malware names) into the IDSAttackName field, or Data Loss Prevention rule names that determined a Block action to removable storage will end up in Sentinel's “PolicyID” field, and in others the “TargetDataName” field often contains the crucial detail relevant to the situation. These are data points important enough that they should be among the few fields automatically visible on the “More” expansion.
by: Ted E. | over a year ago | Integrations