splunk / contentctl

Splunk Content Control Tool
Apache License 2.0
85 stars, 21 forks

Detection - known_false_positives should support a list #264

Closed 0xC0FFEEEE closed 1 month ago

0xC0FFEEEE commented 1 month ago

Wasn't sure whether to raise this here or within security_content...

known_false_positives is currently of type str, which is fine if there is one known false positive, but more than one would just result in a blob of text that is difficult to read.

Ideally this field should support either a string or list of strings so multiple false positives can be added, providing improved readability and separation of distinct known false positives.

Appreciate this will require an update to the ESCU savedsearch.conf spec, but I don't believe it's used anywhere within Splunk today.
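
As an added illustration of the change requested above (example code written for this page, not contentctl's own validation or its savedsearches.conf writer): a small normaliser that accepts known_false_positives as either a string or a list of strings, rejects anything else, and renders the result as a .conf value. The sample detections are constructed, and the attribute name action.escu.known_false_positives and the use of backslash line continuation for the multi-line value are assumptions about how ESCU would carry the field, not something the thread confirms.

```python
"""Accept known_false_positives as a str or list[str] and render it for a .conf file."""
from __future__ import annotations

from typing import Any

# Constructed sample detections, standing in for the YAML contentctl would load.
SAMPLE_DETECTIONS: list[dict[str, Any]] = [
    {
        "name": "Suspicious Scheduled Task Creation",
        "known_false_positives": "Administrators may legitimately create scheduled tasks.",
    },
    {
        "name": "Rundll32 Suspicious Execution",
        "known_false_positives": [
            "Software installers that invoke rundll32 during setup.",
            "Endpoint management agents running signed DLLs.",
        ],
    },
    # Deliberately malformed: a non-string entry inside the list.
    {"name": "Bad Types", "known_false_positives": ["ok", 42]},
]


class DetectionValidationError(ValueError):
    """Raised when known_false_positives is neither a string nor a list of strings."""


def normalize_known_false_positives(value: Any) -> list[str]:
    """Return known_false_positives as a list of non-empty, stripped strings.

    A bare string is wrapped in a one-element list so existing content keeps
    working; a list is validated element by element.
    """
    if isinstance(value, str):
        items = [value]
    elif isinstance(value, list):
        items = value
    else:
        raise DetectionValidationError(
            "known_false_positives must be a string or list of strings, "
            f"got {type(value).__name__}"
        )
    cleaned: list[str] = []
    for index, item in enumerate(items):
        if not isinstance(item, str):
            raise DetectionValidationError(
                f"known_false_positives[{index}] is {type(item).__name__}, not str"
            )
        item = item.strip()
        if item:
            cleaned.append(item)
    if not cleaned:
        raise DetectionValidationError("known_false_positives must not be empty")
    return cleaned


def render_conf_value(entries: list[str]) -> str:
    """Render the entries as one .conf value.

    A single entry is emitted unchanged, so output for existing string-typed
    content does not differ. Multiple entries become one bulleted line each,
    joined with a trailing backslash (Splunk .conf line continuation).
    """
    if len(entries) == 1:
        return entries[0]
    return " \\\n".join(f"- {entry}" for entry in entries)


def render_detection(
    detection: dict[str, Any],
    key: str = "action.escu.known_false_positives",  # assumed attribute name
) -> str:
    """Validate one detection and return its savedsearches.conf line(s)."""
    entries = normalize_known_false_positives(detection["known_false_positives"])
    return f"{key} = {render_conf_value(entries)}"


if __name__ == "__main__":
    for detection in SAMPLE_DETECTIONS:
        try:
            print(render_detection(detection))
        except DetectionValidationError as exc:
            print(f"[{detection['name']}] rejected: {exc}")
```

Keeping the single-string case byte-for-byte identical to today's output means existing detections and the ESCU spec are unaffected; only detections that opt in to a list get the bulleted, multi-line rendering.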

ljstella commented 1 month ago

known_false_positives is currently rendered in the Enterprise Security app, in the Use Case Library (screenshot, 2024-08-27).

Even lengthy sections in an 80-character wide terminal look relatively small in this UI (screenshot, 2024-08-27).

This is a UI surface our team doesn't own, and has its own limitations on formatting. If you'd like alternative formats to appear there in the UI, or for the field to be used in additional places in ES, it probably has to go through Splunk Ideas

0xC0FFEEEE commented 1 month ago

Thanks @ljstella, I thought I might have missed somewhere that field appears.

This shares a gripe I have with some other text based fields in ES, so I might just ask for markdown support instead 😄