Solved

How to exclude Enriched field values when checking for a match in detections?

Forum|Forum|2 months ago
January 8, 2026
6 replies
90 views

lalji_d
Bronze 1

Hello everyone,

I am currently facing a challenge where I need to perform data matching based on a specific field. However, this field contains enriched values that lead to incorrect matches. I want to ensure that my matches are based solely on the original values in this field, without considering the enriched information.

Is there a way to configure my detection logic to exclude these enriched values? Any guidance, instructions, or best practices on how to achieve this would be greatly appreciated.

Best answer by AymanC

Hi @lalji_d,

I don’t think there is a way out-of-the-box, it would be great to raise this as a feature request.

You could look to map the file names to a repeated field that isn’t being enriched, or to an additional.fields and call it this way.

Kind Regards,

Ayman

Eoved
Bronze 2
Forum|Forum|2 months ago
January 11, 2026

Hello,
There are multiple ways to exclude fields and enriched values in a detection rule.
Can you share sample logs (without real data) and the specific fields you want to exclude?

+14

AymanC
Bronze 5
Forum|Forum|2 months ago
January 11, 2026

Hi @lalji_d,

Potentially, if it’s a repeated field of which could contain enriched data, could you call the first element, typically this would be an unenriched field.

principal.user.email_addresses[0]

Kind Regards,

Ayman

lalji_d
Author
Bronze 1
Forum|Forum|2 months ago
January 12, 2026

Hello,
There are multiple ways to exclude fields and enriched values in a detection rule.
Can you share sample logs (without real data) and the specific fields you want to exclude?

Hello @Eoved ,

So I want to check for the filename against a data table which has a list of files which I want to detect if they are being running in the environment or not.

For example I am using regex to derive the filename and checking for that in the list.

$file_name = re.replace($e.target.process.file.names, `^.*[\\/]`, ``)
$file_name in %Tools.tools_list nocase

So in this case lets say the unenriched field is the first one marked U and I check that against the list its not there but since the list has test.exe getting a hit for that.

U target.process.file.names[0]:""c:\\dummy\\path\\cmd.exe"

E target.process.file.names[1]:"c:\\dummy\\path\\dummycmd.exe"

E target.process.file.names[2]:"C:\\Dummy\\Path\\test.exe"

E target.process.file.names[3]:"C:\\DUMMY\\Path\\Dummyfile.exe"

Thanks

lalji_d
Author
Bronze 1
Forum|Forum|1 month ago
January 12, 2026

Hi @lalji_d,

Potentially, if it’s a repeated field of which could contain enriched data, could you call the first element, typically this would be an unenriched field.

principal.user.email_addresses[0]

Kind Regards,

Ayman

Hi @AymanC ,

That works, but I was just not sure if that's always the case as I have seen sometimes it comes as second or third element.

Also are there any other ways of doing this?

Thanks

+14

AymanC
Bronze 5
Answer
Forum|Forum|1 month ago
January 12, 2026

Hi @lalji_d,

I don’t think there is a way out-of-the-box, it would be great to raise this as a feature request.

You could look to map the file names to a repeated field that isn’t being enriched, or to an additional.fields and call it this way.

Kind Regards,

Ayman

lalji_d
Author
Bronze 1
Forum|Forum|1 month ago
January 12, 2026

Hi @lalji_d,

I don’t think there is a way out-of-the-box, it would be great to raise this as a feature request.

You could look to map the file names to a repeated field that isn’t being enriched, or to an additional.fields and call it this way.

Kind Regards,

Ayman

Hi @AymanC

Yeah I mapped the file names to an unenriched field and that works.
Thank you for the help!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded