-
|
Hi there, Within the sample DetectionSummaryEvent output in the event.PatternDispositionFlags section, there is a specific flag called "InddetMask" -- can someone provide context about what this flag means? Thanks in advance! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Hi @dkindlund! This field represents Indicator Detection Mask and is one of the deprecated pattern disposition fields. You should be able to get the same detail using just the Pattern Disposition value (which is an integer, reference table here). I'm investigating the different times this flag would be returned as a True and will let you know what I discover. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the clarification -- do you happen to know if all the pattern disposition fields will be deprecated, or is it just this one? (The fields are much easier to decipher than the integer value which appears to essentially be a bitmask.) |
Beta Was this translation helpful? Give feedback.
-
|
I believe this was changed to provide better detail, as there are some scenarios where policies would have been applied had they been enabled. The better field to look at is the pattern disposition value and then translate since there are values for 'would have done X if policy was enabled'. |
Beta Was this translation helpful? Give feedback.
Hi @dkindlund!
This field represents Indicator Detection Mask and is one of the deprecated pattern disposition fields. You should be able to get the same detail using just the Pattern Disposition value (which is an integer, reference table here).
I'm investigating the different times this flag would be returned as a True and will let you know what I discover.