[Network Traffic Capture] host.* Fields Skewing Host Risk Score #5752

@MakoWish

Description

We have physical servers tied into span ports on our core switches. These have always previously run Packetbeat, but we are migrating to the new Network Traffic Capture Integration. One of the key issues I have noticed with this Integration is that it includes the host.* fields with no apparent way to disable them. Many Integrations have the option to disable the host.* fields if tags contains "forwarded", but I don't see that option on this Integration. This is causing these servers to be deemed the most critical devices based on the Host Risk Score, when the devices are nothing more than observers to the activity.

Since these events are not actually happening on these hosts, I feel the host.* fields should be disabled on this Integration, and the observer.* fields should be populated instead.

Eric
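The behaviour the issue asks for, as an added example that is not part of the original report or of the Elastic integration: when an event carries the "forwarded" tag (the convention other integrations use to mean "this host only observed the traffic"), strip host.* and carry the identifying values over to observer.* instead, so a risk score keyed on host.name no longer lands on the sensor. The host-to-observer field mapping, the sample event, and the helper names are assumptions made for this example; the second function builds the equivalent Elasticsearch ingest-pipeline body (rename processors followed by a remove processor, all gated on the same Painless condition) that could be applied through a custom pipeline.

```python
from copy import deepcopy

# Assumed mapping from host.* keys to ECS observer.* keys (chosen for this example).
HOST_TO_OBSERVER = {
    "name": "name",
    "hostname": "hostname",
    "ip": "ip",
    "mac": "mac",
}

# Same condition integrations use in their ingest pipelines to detect forwarded events.
FORWARDED_CONDITION = "ctx.tags != null && ctx.tags.contains('forwarded')"

# Constructed sample event from a span-port sensor; the sensor is the observer,
# not a participant in the flow.
SAMPLE_EVENT = {
    "@timestamp": "2024-01-01T00:00:00Z",
    "tags": ["forwarded"],
    "host": {
        "name": "sensor-01",
        "hostname": "sensor-01",
        "ip": ["10.0.0.5"],
        "mac": ["00-11-22-33-44-55"],
    },
    "source": {"ip": "192.0.2.10"},
    "destination": {"ip": "198.51.100.7"},
}


def is_forwarded(event):
    """True when the event is tagged 'forwarded' (tags may be a list or a single string)."""
    tags = event.get("tags") or []
    if isinstance(tags, str):
        tags = [tags]
    return "forwarded" in tags


def relocate_host_fields(event):
    """Return a copy of the event with host.* removed and observer.* populated
    when the event is forwarded; untagged events are returned unchanged."""
    out = deepcopy(event)
    if not is_forwarded(out):
        return out
    host = out.pop("host", None) or {}
    observer = out.setdefault("observer", {})
    for host_key, obs_key in HOST_TO_OBSERVER.items():
        # Do not clobber observer values the shipper already set.
        if host_key in host and obs_key not in observer:
            observer[obs_key] = host[host_key]
    return out


def forwarded_host_pipeline():
    """Ingest-pipeline body expressing the same transformation: rename each host.*
    field into observer.*, then drop whatever is left of host.* (order matters)."""
    processors = [
        {
            "rename": {
                "field": f"host.{host_key}",
                "target_field": f"observer.{obs_key}",
                "ignore_missing": True,
                "if": FORWARDED_CONDITION,
            }
        }
        for host_key, obs_key in HOST_TO_OBSERVER.items()
    ]
    processors.append(
        {"remove": {"field": ["host"], "ignore_missing": True, "if": FORWARDED_CONDITION}}
    )
    return {
        "description": "Move host.* to observer.* for forwarded network capture events",
        "processors": processors,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(relocate_host_fields(SAMPLE_EVENT), indent=2))
    print(json.dumps(forwarded_host_pipeline(), indent=2))
```

The pipeline body is what would be sent with a PUT to the _ingest/pipeline API; which custom pipeline name the Network Traffic Capture data streams pick up is an assumption to verify against the installed integration's documentation rather than something this example asserts.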

Metadata

Assignees

No one assigned

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests