airbnb/streamalert

[Improvement] Add a new configuration for each normalizer that allows you to opt-out of sending a normalized field to the Artifacts Firehose

chunyong-lin opened this issue · 0 comments

Background

One issue we've encountered by using Normalization v2 internally is that we have rules that listen on normalized fields that are not interesting to extract into Artifacts, so that we'll be collecting huge numbers of Artifacts that provide no value.

For example, we would normalize network connection protocol and port number among different data sources; however, those values are not interesting and they should not be extracted to the Artifacts.

Desired Change

Add a new configuration for each normalizer that allows you to opt-out of sending a normalized field to the Artifacts Firehose.