Compared to non-Threshold results that inherit the previously processed fields, Threshold Detection events only include the single field that is being aggregated. I would like to perform GeoIP processing of Threshold Detection results based on the IP address field that the Threshold Detection rule is operating on and emitting into the result document. This will enable me to triage Threshold Detection events more efficiently.
Is it possible to do this without creating an ingest pipeline manually and attaching it to the .siem_signals_default index template? I don't want to manually modify the index template as I would prefer that to still be managed by the system itself and automatically upgraded over time.