First, please keep in mind that geoip information may not tell you where an attacker is actually sitting, as they may be routing their traffic through a host in another country, perhaps your own country.

With that in mind, you should be able to add other fields as shown in the documentation. From https://docs.securityonion.net/en/2.3/alerts.html:

When you click the arrow to expand a row in the Events table, it will show all of the individual fields from that event. Field names are shown on the left and field values on the right. When looking at the field names, there is an icon to the left that will add that field to the groupby section of your query.

Answer selected by dougburks