Notices

I see that when some notice gets emailed (like SQL) it can contain extra data that is not in the notice.log. How does this get created? Is there a way to log it so I can send it to my SIEM?

Hi,

what is sent via email can be extended using email_body_sections (see
https://www.bro.org/sphinx-git/frameworks/notice.html#extending-notice-emails).
In detect-sqli.bro
(https://github.com/bro/bro/blob/master/scripts/policy/protocols/http/detect-sqli.bro#L84)
you can see how it is used to add additional information.

Regards,
Jan
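To address the SIEM part of the question, here is an added example script (not from the original post, the Bro project, or detect-sqli.bro itself). It assumes the stock Notice framework and the detect-sqli policy script are loaded: it adds one `&log` column to `Notice::Info` via `redef`, then copies whatever a notice carries in `email_body_sections` into that column from a `Notice::notice` hook, so the extra text lands in notice.log instead of existing only in the email. The module name, the `email_extras` field name and the priority value are choices made for this example:

```zeek
# Added example: surface a notice's email_body_sections in notice.log
# so the same data that reaches the email also reaches a SIEM.
# Assumptions (not from the original post): the Notice framework and
# detect-sqli are loaded; field and module names are this example's own.

@load base/frameworks/notice
@load protocols/http/detect-sqli

module SIEMNoticeExtras;

export {
	## Extra column appended to notice.log. Any field marked &log in
	## Notice::Info is written by the notice framework automatically.
	redef record Notice::Info += {
		## Flattened copy of email_body_sections, present only when the
		## notice actually carried such sections (e.g. SQLi samples).
		email_extras: string &log &optional;
	};
}

## Runs for every NOTICE() call. The positive priority makes this hook
## execute before the framework's own handlers (negative priorities),
## i.e. before the record is written to notice.log or emailed.
hook Notice::notice(n: Notice::Info) &priority=5
	{
	if ( ! n?$email_body_sections )
		return;

	local joined = "";
	for ( i in n$email_body_sections )
		{
		if ( i > 0 )
			joined += " | ";
		# Keep the value on a single log row: replace newlines in each
		# section with a literal backslash-n sequence.
		joined += gsub(n$email_body_sections[i], /\n/, "\\n");
		}

	n$email_extras = joined;
	}
```

Load the script alongside detect-sqli (for example via local.bro); when an `HTTP::SQL_Injection_Attacker` notice fires, the `email_extras` column of notice.log will contain the same sample block that detect-sqli puts in the email body, and the log shipper you already use for notice.log forwards it unchanged.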