Is data normalization/categorization on the roadmap? I want to be able to query across multiple tables for IP addresses. Currently, it appears that I have to know the various names of IP address fields across many different tables. Then if a table is added, I have to update my queries. Maybe that's supposed to be done through Alerts, but that seems pretty late in the event data processing pipeline. Am I overlooking something here?
Please bear in mind that my perspective is heavily ArcSight-oriented. I tend to look at SIEM through that lens.