We are pointing to an external list (type=ip), and then, once triggered, an email is generated and sent to the incident handler inbox, generated from the event action in the triggered rule.
Question: Is it possible to return the 'comment' column from the IP subscribed lists?
We have it populating with an internal URL that would point to the more info on the source of the triggered IOC.
Hope that makes sense.
It makes sense, but unfortunately, it cannot.
There is no property that can return the comment field back to the rule engine for logging or other policy enforcement.
The closest thing you can do is use a MapType list where there is a key column and a value column.
Your challenge, however, is that a MapType is a complex list type with an XML structure, and maintaining that as a subscribed list means more work on your end with formatting the data, instead of using a flat file.