Hi All,
We're getting a number of notable events originating from Zscaler that have a signature of "None". From looking at the props.conf, I see there are two aliases resulting in signature.
FIELDALIAS-aob_gen_zscalernss_web_alias_4 = threatname AS signature
FIELDALIAS-dlpdictionaries_as_signature = dlpdictionaries AS signature
If 100% of events have signature="None" then can FIELDALIAS-dlpdictionaries_as_signature be disabled?
Looks like there are two aliases for the category field as well:
FIELDALIAS-threatcategory_as_category = threatcategory AS category
FIELDALIAS-urlcategory_as_category = urlcategory AS category