splunk / security_content

Splunk Security Content
https://research.splunk.com
Apache License 2.0

Application drilldowns #3130

Closed patel-bhavin closed 3 days ago

patel-bhavin commented 2 weeks ago

Updated yaml structure after speaking with Eric: All TTP, Anomaly and Correlation detections will have a drilldown search associated with them

drilldown_searches:
- name: View the detection results for $user$ and $dest$
  search: '%orginal_detection_search% | search  user = $user$ dest = $dest$'

%orginal_detection_search% -> this is written in such syntax so that we can dynamically update the drilldown search when the search is updated, and to keep the yaml clean

%orginal_detection_search%-> this field will be replaced by the search string during build time from contentctl

Contentctl to make updates such that the following fields are optional in the yaml; if not present we use the following defaults:

  earliest_offset: $info_min_time$
  latest_offset: $info_max_time$
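An added example of the build step the comment above describes (not contentctl's own code): substitute the placeholder with the detection's own search, fill in the default offsets when they are absent, and flag any placeholder that survived substitution, as a misspelled one would. The detection is passed as the dict that parsing its yaml would give, so the example runs with only the standard library; the sample detection and its search are constructed for illustration, and the placeholder is spelled %original_detection_search% as in the later comment in this thread.

```python
import copy
import re

PLACEHOLDER = "%original_detection_search%"
# Defaults the comment above says contentctl applies when the yaml omits the fields.
DEFAULT_OFFSETS = {"earliest_offset": "$info_min_time$", "latest_offset": "$info_max_time$"}


def render_drilldowns(detection: dict) -> list[dict]:
    """Return the detection's drilldown_searches with the placeholder replaced by the
    detection's search and missing earliest/latest offsets filled with the defaults.
    The input dict is not modified."""
    rendered = []
    for drilldown in detection.get("drilldown_searches", []):
        d = copy.deepcopy(drilldown)
        d["search"] = d["search"].replace(PLACEHOLDER, detection["search"])
        for key, default in DEFAULT_OFFSETS.items():
            d.setdefault(key, default)  # keep an explicit offset if the yaml has one
        rendered.append(d)
    return rendered


def leftover_placeholders(rendered: list[dict]) -> list[str]:
    """Any %...% token still present after rendering, e.g. a misspelled placeholder
    that the substitution did not match; a build should fail on a non-empty result."""
    return sorted({m for d in rendered for m in re.findall(r"%\w+%", d["search"])})


# Constructed sample detection, shaped like the yaml in the comment above.
SAMPLE_DETECTION = {
    "name": "Constructed example detection",
    "search": "index=wineventlog EventCode=4625 | stats count by user dest",
    "drilldown_searches": [
        {
            "name": "View the detection results for $user$ and $dest$",
            "search": "%original_detection_search% | search user = $user$ dest = $dest$",
        },
        {
            "name": "Drilldown with a misspelled placeholder and an explicit offset",
            "search": "%orginal_detection_search% | search user = $user$",
            "earliest_offset": "-24h",
        },
    ],
}

if __name__ == "__main__":
    for d in render_drilldowns(SAMPLE_DETECTION):
        print(d)
    print("unresolved:", leftover_placeholders(render_drilldowns(SAMPLE_DETECTION)))
```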
pyth0n1c commented 2 weeks ago

FYI, I committed to this branch with the following fix.
All the updated detections went from the typo %orginal_detection_search% to %original_detection_search%