Hi,
I’m not sure exactly how to explain this correctly, but I’m looking for guidance on whether it’s possible to use data from custom event sources to enrich the default IDR tracking and monitoring of users and endpoints.
In a nutshell, we use a product called Absolute, which tracks endpoint activity and user behavior on our mobile PC fleet (notebooks), and it’s great at generating alerts, such as when a device has changed countries, etc.
We are ingesting this log data into IDR; however, I was hoping there is a way to specify some of the fields and how they map to others already in use in IDR. For example, the Absolute logs include the hostname and user account within the logs, and surely there must be a way to indicate these as the same type of field in IDR, and thereby enrich the automatic monitoring and alerting?
I can obviously build custom detection rules/alerts in IDR, but I’m more interested in whether there is a way to enrich the IDR XDR functionality with custom alerts by specifying what kind of data the fields in a custom log are reporting (like a username, or a “common key”).
Any guidance or ideas would be appreciated.
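The core of the question above is field normalization: a custom source only enriches existing monitoring if its hostname and user fields are mapped onto the same keys (and the same canonical values) that the other sources already use. The script below is an added illustration of that idea and is not InsightIDR's or Absolute's code; the log lines are constructed, the field names (`hostname`, `user_account`, `geo_country`, `asset`, `user`) are hypothetical and do not claim to match either product's real format, and the common keys `source_asset` / `source_user` are assumed names. It maps two differently shaped sources onto those keys, canonicalizes the values so `CORP\jsmith` and `jsmith@corp.example` join, and then runs a country-change detection that is enriched with the user's most recent authentication from the other source.

```python
"""Illustrative field mapping and cross-source join on a common key.

Added example; not InsightIDR or Absolute code. Field names and log lines are
constructed for the demonstration and do not describe either product's format.
"""
import json

# Hypothetical per-source mapping: raw field name -> assumed common key.
FIELD_MAP = {
    "endpoint_like": {  # stands in for a custom endpoint-tracking source
        "event_time": "timestamp",
        "hostname": "source_asset",
        "user_account": "source_user",
        "geo_country": "country",
    },
    "auth_like": {  # stands in for an authentication source already normalized
        "time": "timestamp",
        "asset": "source_asset",
        "user": "source_user",
        "result": "auth_result",
    },
}


def canonical_user(value):
    """Strip DOMAIN\\ prefixes and @realm suffixes so both sources agree on a key."""
    v = value.strip().lower()
    if "\\" in v:
        v = v.split("\\", 1)[1]
    if "@" in v:
        v = v.split("@", 1)[0]
    return v


def canonical_asset(value):
    """Lower-case and drop the DNS suffix so 'LT-0042.corp.example' == 'lt-0042'."""
    return value.strip().lower().split(".", 1)[0]


def normalize(source, raw_json):
    """Rename raw fields to the common keys and canonicalize the join values."""
    raw = json.loads(raw_json)
    event = {"source": source}
    for raw_key, common_key in FIELD_MAP[source].items():
        if raw_key in raw:
            event[common_key] = raw[raw_key]
    if "source_user" in event:
        event["source_user"] = canonical_user(event["source_user"])
    if "source_asset" in event:
        event["source_asset"] = canonical_asset(event["source_asset"])
    return event


def detect_country_change(events):
    """Alert when an asset's country changes; attach the user's last auth event.

    The join across sources works only because both were mapped onto the same
    canonical source_user key by normalize().
    """
    ordered = sorted(events, key=lambda e: e["timestamp"])  # ISO-8601 Z sorts lexically
    last_country = {}  # source_asset -> country seen most recently
    last_auth = {}     # source_user  -> most recent auth_like event
    alerts = []
    for ev in ordered:
        if ev["source"] == "auth_like":
            last_auth[ev["source_user"]] = ev
            continue
        asset = ev["source_asset"]
        previous = last_country.get(asset)
        if previous is not None and previous != ev["country"]:
            alerts.append({
                "timestamp": ev["timestamp"],
                "source_asset": asset,
                "source_user": ev["source_user"],
                "from_country": previous,
                "to_country": ev["country"],
                "last_auth": last_auth.get(ev["source_user"]),  # enrichment via common key
            })
        last_country[asset] = ev["country"]
    return alerts


# Constructed sample input (not real product output).
RAW_LINES = [
    ("endpoint_like", '{"event_time":"2024-05-01T08:00:00Z","hostname":"LT-0042.corp.example",'
                      '"user_account":"CORP\\\\jsmith","geo_country":"AU"}'),
    ("auth_like",     '{"time":"2024-05-01T09:00:00Z","asset":"lt-0042","user":"jsmith@corp.example","result":"success"}'),
    ("endpoint_like", '{"event_time":"2024-05-02T10:00:00Z","hostname":"LT-0042.corp.example",'
                      '"user_account":"CORP\\\\jsmith","geo_country":"AU"}'),
    ("auth_like",     '{"time":"2024-05-03T02:00:00Z","asset":"lt-0042","user":"jsmith@corp.example","result":"failure"}'),
    ("endpoint_like", '{"event_time":"2024-05-03T03:00:00Z","hostname":"lt-0042.corp.example",'
                      '"user_account":"CORP\\\\jsmith","geo_country":"RO"}'),
]


def run_example():
    return detect_country_change([normalize(src, line) for src, line in RAW_LINES])


if __name__ == "__main__":
    for alert in run_example():
        print(json.dumps(alert, indent=2))
```

The point worth noting is that declaring two fields to be "the same type" is not enough on its own: the values also have to be canonicalized the same way on both sides (case, domain prefix, realm suffix, FQDN), otherwise the join silently produces no enrichment and the alert fires without context.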