The problem I'm trying to solve is that we need to chart the snort rules that are being matched, but the snort parser populates the risk.* metakeys. So if I make a rule, selecting i.e. risk.info where threat.source='snort rule', we see the snort message of course, but lots of other values in risk.info.
If the snort message were in a custom metakey, it would be easier to chart.
Do you know if there is a way to have the snort parser update a custom metakey, i.e. snort.message?
Or do you have any other great ideas to solve my problem?