Open gs3cl opened 1 year ago
Hey @gs3cl, thank you so much for the request. We are absolutely looking to introduce this feature as part of a major update, security content 4.0.0. This is not likely slated until EOY, closer to the November/December timeframe. With that said, let's keep it open and we will update you once we have a PR ready.
Hey @d1vious, thanks for the information, sounds great.
Was it implemented?
Hey,
Is it possible to include both functions regarding Drilldowns?
Why?
As an analyst in a SOC with different levels/stages, it is very helpful to build Drilldown Searches for the analysts. To reduce workload during daily work, it would be cool to have this capability in the detection specs. Hence we could build pre-defined "Drilldown Searches".
Example:
ESCU - Account Discovery With Net App - Rule
SPL:
Instead of Risk, I want a Search for the Drilldown with a variable like "dest",
and that would be the result in the .yml with two new fields:
`search_drilldown:` `drilldown_name:`
Thanks in advance
Regards,
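As an added illustration of the request above (not code from the issue, from ESCU, or from the security_content project), the following Python shows how a detection spec carrying the two proposed fields, `drilldown_name` and `search_drilldown`, could be rendered into a concrete drilldown search for one notable event. The detection content, the `$field$` token syntax, the SPL text and the sample event are all constructed for this example; only the two field names come from the requester's proposal. Values substituted into the search are quoted so that a field value containing a double quote cannot change the meaning of the generated SPL, and a token with no matching event field raises instead of producing a half-filled search.

```python
"""Constructed example: render a pre-defined drilldown from a detection spec.

The field names drilldown_name / search_drilldown follow the proposal in the
issue; everything else (detection text, $field$ tokens, SPL, sample event) is
constructed here and is not ESCU's own content or schema.
"""
import re

# Parsed form of a hypothetical detection YAML (constructed, not an ESCU rule).
DETECTION = {
    "name": "Account Discovery With Net App",
    "drilldown_name": "Process activity on $dest$",
    "search_drilldown": (
        "| tstats count from datamodel=Endpoint.Processes "
        "where Processes.dest=\"$dest$\" Processes.user=\"$user$\" "
        "by Processes.process_name Processes.process"
    ),
}

# Token syntax assumed for this example: $field_name$
TOKEN = re.compile(r"\$([A-Za-z0-9_]+)\$")


def spl_quote(value: str) -> str:
    """Escape backslashes and double quotes so a field value cannot close the
    surrounding string literal in the generated search."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def required_fields(detection: dict) -> list:
    """Return the sorted set of event fields the drilldown needs filled in."""
    tokens = TOKEN.findall(detection["drilldown_name"]) + TOKEN.findall(
        detection["search_drilldown"]
    )
    return sorted(set(tokens))


def render_drilldown(detection: dict, event: dict) -> tuple:
    """Fill every $field$ token in the drilldown name and search from the
    notable event's fields.

    Raises ValueError if the spec has no drilldown and KeyError if a token has
    no value in the event, so an incomplete drilldown is never handed to the
    analyst.
    """
    if "search_drilldown" not in detection or "drilldown_name" not in detection:
        raise ValueError("detection has no drilldown defined")

    def substitute(match):
        field = match.group(1)
        if field not in event:
            raise KeyError(f"drilldown token ${field}$ is missing from the event")
        return spl_quote(str(event[field]))

    name = TOKEN.sub(substitute, detection["drilldown_name"])
    search = TOKEN.sub(substitute, detection["search_drilldown"])
    return name, search


if __name__ == "__main__":
    # Constructed notable event for the detection above.
    notable = {"dest": "ws01.corp.example", "user": "alice"}
    title, spl = render_drilldown(DETECTION, notable)
    print("required fields:", required_fields(DETECTION))
    print(title)
    print(spl)
```

The same rendering step would apply to any detection that carries the two fields, which is what makes a shared drilldown definition in the spec useful across analyst tiers: the SOC maintains one `search_drilldown` per detection, and each notable event supplies the `dest`, `user` or other values at the time the analyst opens it.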