I need a solution
I have been looking around and do not see a way to send some important information from an endpoint incident via a syslog action in a response rule, namely the "Machine IP" and "User" fields. There are a number of correlations I would like to set up in my SIEM based on these values, but I cannot find how to get them as part of the syslog message.
My current syslog message looks like this:
ENDPOINT $BLOCKED$, ENDPOINTMACHINE=$ENDPOINT_MACHINE$, FILENAME=$FILE_NAME$, FULLFILEPATH=$PATH$, INCIDENTID=$INCIDENT_ID$, MATCHCOUNT=$MATCH_COUNT$, POLICYNAME=$RULES$,
Does anyone have any ideas how this can be accomplished?
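Whatever extra fields end up in the template, the SIEM still has to split the message reliably before it can correlate on them. The parser below is an added example (not from the post, and not Symantec's own tooling) for the message format shown above; it assumes $BLOCKED$ expands to a status word after the literal "ENDPOINT", splits only at commas that precede a known key (so file names and policy names containing commas survive intact), and tolerates the trailing comma the template leaves behind. The sample message is constructed, not real incident data.

```python
import re
from typing import Dict

# Constructed sample of the message the template would produce, with each
# $VARIABLE$ replaced by a made-up value (not data from a real incident).
SAMPLE_MESSAGE = (
    "ENDPOINT Blocked, ENDPOINTMACHINE=WS-0042, FILENAME=q1,forecast.xlsx, "
    "FULLFILEPATH=C:\\Users\\jdoe\\Documents\\q1,forecast.xlsx, INCIDENTID=12345, "
    "MATCHCOUNT=7, POLICYNAME=PCI Cardholder Data,"
)

# Keys present in the template. Splitting on ", KEY=" instead of on every comma
# keeps values that themselves contain commas (file names, policy names) whole.
KNOWN_KEYS = ("ENDPOINTMACHINE", "FILENAME", "FULLFILEPATH",
              "INCIDENTID", "MATCHCOUNT", "POLICYNAME")
_SPLIT = re.compile(r",\s*(?=(?:%s)=)" % "|".join(KNOWN_KEYS))


def parse_dlp_syslog(message: str) -> Dict[str, str]:
    """Turn one syslog message built from the template into a field dict."""
    parts = _SPLIT.split(message.strip())
    # The first segment is the positional "ENDPOINT <status>" header; the
    # status word is assumed to be what $BLOCKED$ expands to.
    head = parts[0].strip().rstrip(",")
    if not head.startswith("ENDPOINT "):
        raise ValueError("unexpected message header: %r" % head)
    fields = {"ACTION": head[len("ENDPOINT "):].strip()}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # The template ends with a comma, so strip one from the last value.
        fields[key.strip()] = value.strip().rstrip(",")
    return fields


if __name__ == "__main__":
    for key, value in parse_dlp_syslog(SAMPLE_MESSAGE).items():
        print("%-16s %s" % (key, value))
```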