From a300df4c4d7dc5db01b12d3353ddc975e916e31f Mon Sep 17 00:00:00 2001 From: Jeff Lucovsky Date: Wed, 18 Jun 2025 09:14:16 -0400 Subject: [PATCH] detect/entropy: Clarify when entropy is logged Clarify when entropy values are logged and associated with non-alert log records. --- doc/userguide/rules/payload-keywords.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst index 71885ef05b..8e9d8f71fa 100644 --- a/doc/userguide/rules/payload-keywords.rst +++ b/doc/userguide/rules/payload-keywords.rst @@ -737,10 +737,11 @@ Logging ~~~~~~~ When the ``entropy`` rule keyword is provided and the rule is evaluated, the -`calculated entropy` value is logged within the ``metadata`` section of an -output log. If the alert matched, it will be included there; here's an example -that shows the calculated entropy value with the buffer on which the value was -computed:: +`calculated entropy` value is associated with the flow even if the calculated +entropy value didn't result in a match or alert. Subsequent logging of event +types that include the flow, including alerts, will contain the ``entropy`` value in +the ``metadata`` section of an output log. The follow is an example that shows +the calculated entropy value with the buffer on which the value was computed:: "metadata": { "entropy": {
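Review bot: the new sentence "The follow is an example that shows" in the replacement text of the hunk has a typo and should read "The following is an example that shows"; since this patch is purely a documentation wording change, it is worth fixing before merge. Two smaller points on the same lines: "types that include the flow, including alerts, will contain the ``entropy`` value in" runs past the wrap width used by the surrounding paragraph and could be rewrapped to match, and "Subsequent logging of event types that include the flow" would be more useful to a reader if it named the event types concerned (the text currently only gives alerts as an example), so that someone looking for the ``entropy`` value in the ``metadata`` section knows which non-alert records to check.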