Update problem-child.md (#1253)

2021-06-03 12:47:00 -07:00
parent 0ec8d67e78
commit 8bb7218e38
1 changed files with 1 additions and 1 deletions
@@ -61,4 +61,4 @@ You can optionally choose to refresh your index mapping from within Kibana:

 #### 4. Verify enrichment fields

-Any documents corresponding to Windows process events should now be enriched with `problemchild.*`
+Any documents corresponding to Windows process events should now be enriched with `problemchild.*`. By default, the enrichment pipeline also consists of a script processor for a blocklist, so you might also see the field `blocklist_label` appear in documents that match the blocklist.