Value error, Error, there must be AT LEAST 1 Observable with the role 'Victim' declared in Detection.tags.observables. However, none were found.

splunk / contentctl

Splunk Content Control Tool

Apache License 2.0

91 stars 25 forks source link

Value error, Error, there must be AT LEAST 1 Observable with the role 'Victim' declared in Detection.tags.observables. However, none were found. #315

Open Res260 opened 1 month ago

Res260 commented 1 month ago

Hello, when I put an empty list in the tags section for observable, I get this error:

Value error, Error, there must be AT LEAST 1 Observable with the role 'Victim' declared in Detection.tags.observables. However, none were found.

I'd like to be able to create a Detection without an observable. I don't understand why this should be enforced, can we somehow remove this rigid constraint?

Thanks!

Res260 commented 1 week ago

An ugly but working workaround is to add this to the Detection YAML:

tags:
  analytic_story: []
  asset_type: Account
  confidence: 1
  cve: []
  impact: 60
  message: N/A
  mitre_attack_id:
  - T1555
  observable:
  - name: host
    role:
    - Victim
    type: Unknown
  product:
  - Splunk Enterprise Security
  required_fields:
  - nothing
  risk_score: N/A
  security_domain: access