manage-event-groups.zeek

Intel

Namespace:: Intel
Imports:: base/frameworks/reporter, policy/frameworks/intel/seen

Summary

Redefinable Options

Intel::manage_seen_event_groups: bool &redef

Whether Intel event groups for the seen scripts are managed.

Detailed Interface

Redefinable Options

Intel::manage_seen_event_groups 

Type:: bool
Attributes:: &redef
Default:: T

Whether Intel event groups for the seen scripts are managed.

When loading this script, by default, all Intel::Type event groups are disabled at startup and only enabled when indicators of corresponding types are loaded into the Intel framework’s store. This allows to load the frameworks/intel/seen scripts without incurring event handling overhead when no Intel indicators are loaded.

One caveat is that the Intel::seen_policy hook will not be invoked for indicator types that are not at all in the Intel framework’s store. If you rely on Intel::seen_policy to find unmatched indicators, do not not load this script, set this variable to F, or insert dummy values of the types using Intel::insert.