I’m trying to enrich my logs with tags such as directionality, or activities etc. It’s easy in the collectors, but I just want a dynamic field that I can add “authentication” and “sysmon” and “internal_to_external” or whatever I feel like adding.
Again, it’s easy in sidecar or the collector, but how do I do it in the pipeline? I’m trying to build a one-stop SIEM rule with Windows events and I wanted to start adding my enrichment to it. I’ve found a few references to the capability, but unless I borked it,
add_tag = "authentication"