An event source is a definition that includes:
The table that will be queried
The specific events that will be filtered (usually we want the query to run on one event type, such as "process creation", rather than on the entire raw table)
The specific attributes that will be extracted in the query
If you didn't find a suitable built-in event source, you can create your own custom event source on top of any of your data sources.
🚧 Attention
Custom event sources are scoped to the custom detector in which they are created. A custom event source created for one custom detector cannot be reused in any other detector; if you need the same definition elsewhere, you must recreate it there.
To create a new event source:
From the custom detector setup, click New Event Source in the Query step.
In the New event source dialog box, fill in the following fields:
From the Choose data type field, select the data type you want to track. The list will display only data sources configured as part of the ingestion phase.
From the Choose event type field, select the type of event you want to track. This list is populated based on your data type selection.
📘Note
Some data types don't have the notion of "event type" defined. In this case, the detector will run on all the events in the table.
From the Choose event fields field, select which attributes to add to your event source. These are the attributes that will eventually appear in your detector's leads.
From the Define attribute types field, define the type of each attribute to enable Hunters' Automatic Investigation on that attribute. If you don't know the type, choose Other.
📘Note
Some attributes might already be pre-populated in the attribute types list. These are the general mapped attributes for this data type. You can keep them to save some work, or remove them if you don't want to include them in the event source.
Once done, click Submit to create the event source.
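To make the three parts of an event source concrete (the table, the optional event-type filter, and the selected attributes with their types), here is an added illustrative model of what the definition expresses when the detector runs. It is example code written for this page, not Hunters' implementation; the table name, column names, event-type values and the sample rows are all constructed assumptions.

```python
"""Illustrative model of a custom event source.

An event source = a table + an optional event-type filter + the attributes to
extract (with their types). This is a constructed example, not Hunters' code;
all names and rows below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample rows standing in for a raw endpoint table ("endpoint_events").
SAMPLE_TABLE = [
    {"event_type": "process_creation", "hostname": "ws01", "process_name": "powershell.exe",
     "command_line": "powershell -nop -w hidden", "user": "alice", "parent": "winword.exe"},
    {"event_type": "network_connection", "hostname": "ws01", "process_name": "chrome.exe",
     "dest_ip": "203.0.113.5", "user": "alice"},
    {"event_type": "process_creation", "hostname": "srv02", "process_name": "cmd.exe",
     "command_line": "cmd /c whoami", "user": "svc_backup", "parent": "sqlservr.exe"},
]


@dataclass
class EventSource:
    table: str                      # the table that will be queried
    event_type: Optional[str]       # None: data type has no event-type notion -> all events
    fields: list                    # attributes that will appear in the detector's leads
    # field -> type used for Automatic Investigation ("other" means no pivot)
    attribute_types: dict = field(default_factory=dict)

    def __post_init__(self):
        if not self.fields:
            raise ValueError("an event source must extract at least one attribute")

    def query(self):
        """Parameterised SQL the definition expresses (assumed column names).

        Returns (sql, params) so the event-type value is never string-built
        into the statement.
        """
        sql = f"SELECT {', '.join(self.fields)} FROM {self.table}"
        if self.event_type is None:          # no event type: run on every row
            return sql, ()
        return sql + " WHERE event_type = ?", (self.event_type,)

    def apply(self, rows):
        """Filter rows to the chosen event type and project the chosen fields."""
        leads = []
        for row in rows:
            if self.event_type is not None and row.get("event_type") != self.event_type:
                continue
            leads.append({f: row.get(f) for f in self.fields})
        return leads

    def pivotable(self):
        """Attributes with a known type, i.e. the ones Automatic Investigation can act on."""
        return {f: t for f, t in self.attribute_types.items() if t != "other"}


if __name__ == "__main__":
    es = EventSource(
        table="endpoint_events",
        event_type="process_creation",
        fields=["hostname", "process_name", "command_line", "user"],
        attribute_types={"hostname": "hostname", "user": "username", "command_line": "other"},
    )
    print(es.query())
    for lead in es.apply(SAMPLE_TABLE):
        print(lead)
    print("pivotable:", es.pivotable())
```

The `None` event type models the note above: a data type without the notion of an event type yields no `WHERE` clause, so the detector runs over every row in the table.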