Hi!
Just an interesting question. I know that other SIEM vendors have problems with this. Maybe LogPoint has a good function for this.
So I received a JSON event that didn’t normalise, because no normalization package was enabled. I enabled this after I received the event.
So, to my question: is it possible to parse this event afterwards so that it gets normalized? Or do I have to wait for another event from the same log source to see if this one gets normalized?