policy/frameworks/intel/do_notice.zeek

Intel

This script enables notice generation for intelligence matches.

Namespace:

Intel

Imports:

base/frameworks/intel, base/frameworks/notice

Summary

Redefinitions

Intel::MetaData: record

New Fields:

Intel::MetaData

do_notice: bool &default = F &optional

A boolean value to allow the data itself to represent if the indicator that this metadata is attached to is notice worthy.

if_in: Intel::Where &optional

Restrictions on when notices are created to only create them if the do_notice field is T and the notice was seen in the indicated location.

Notice::Type: enum

  • Intel::Notice: This notice is generated when an intelligence indicator is denoted to be notice-worthy.

Detailed Interface