I would like to enrich process fields in my Graylog events with some additional information. For example, when Graylog spots a process.exe, query that online to see what that process.exe is used for (get its description), get its usual behavior, dependencies, etc., whether it is malicious or just a Windows internal, etc. Is there an easy way to do this? I am looking into enriching the processes just like we enrich IP addresses, mainly.
This sounds like something you can build a pipeline rule for. Graylog pipeline rules can change and enrich messages. Here is a blog that walks through setting up a pipeline rule:
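As an added illustration (not part of the answer above, and not code from the Graylog project), here is what such enrichment can look like when the process metadata is kept in a Graylog lookup table backed by a CSV file, mirroring the way an IP address is enriched from a GeoIP lookup table. The table name `process_info`, the CSV columns and the field names are assumptions, and the rules assume the CSV data adapter exposes every column of the matched row in the lookup's multi-value result.

```graylog
// Assumed CSV behind the lookup table "process_info" (constructed sample):
//   process,description,category,expected_parent
//   svchost.exe,Service Host,windows-internal,services.exe
//   lsass.exe,Local Security Authority Subsystem,windows-internal,wininit.exe
//
// The key is lower-cased so "SVCHOST.EXE" and "svchost.exe" hit the same row.

rule "enrich process_name from process_info lookup table"
when
  has_field("process_name") &&
  is_not_null(lookup("process_info", lowercase(to_string($message.process_name))))
then
  let info = lookup("process_info", lowercase(to_string($message.process_name)));
  // Copies every column of the matched row onto the message, e.g.
  // process_description, process_category, process_expected_parent
  set_fields(fields: info, prefix: "process_");
  set_field("process_enrichment", "matched");
end

rule "mark process_name missing from process_info lookup table"
when
  has_field("process_name") &&
  is_null(lookup("process_info", lowercase(to_string($message.process_name))))
then
  // An unknown binary is not flagged as bad, only marked so it can be
  // reviewed and, if legitimate, added to the CSV.
  set_field("process_enrichment", "unknown");
end
```

If the source events also carry the parent process name, the `process_expected_parent` field written by the first rule can be compared against it in a later stage or dashboard to surface processes launched from an unexpected parent.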