Additional Fields for SIEM export
I would like to add PATH and MATCHED TYPE into CAP export logs.
To work around this, I would need to create individual CAP policies for each of my regex denylist use cases.
Hi,
Thanks for raising this. I think this is a sensible request.
When CAP events are forwarded to a SIEM, the logs need enough context to be useful for investigation and correlation. Adding fields such as PATH and MATCHED TYPE would make those exports more actionable and would also reduce the need to create separate CAP policies purely to work around reporting limitations.
We’ve noted this as an enhancement request and it’s the kind of SIEM/logging improvement we would like to evaluate as part of upcoming release planning. I can’t commit to a specific version at this stage, but this is a reasonable request and one we’ll keep in view.
Best,
Mihai
I met with Aaron last week and he showed me that the “matched type” field is called “item details” in syslog. I would still like to see the “path” field added in, though.