Creating extra field based on an existing one

majo1 : to simulate other SIEMs and add a physical field, you will have to use Logstash for ingestion (see here). However the Sentinel way would be to reference the data using for example externaldata or a Sentinel table ingested using a custom connector. While you will not physically create a new field, you can enrich as part of a query, or if you want a "virtual" field, use a "view" function that will add the field on top of the original event. We are going to write a series of blogs on some of those techniques in the coming weeks.