action.notable.param._entities parameter in savedsearches.conf

[AndreiBanaru]

Hello-

Are there plans to begin to properly set the action.notable.param._entities parameter in savedsearches.conf, for TTP type detections?

Right now, we have N/A as values for the risk_object_field and the risk_object_type keys, as per the contentctl template.

For detections which have a single single risk object (e.g. Access LSASS Memory for Dump Creation), I believe it would be easy to copy over the same values, but leave the risk_score to 0 for the finding.

I can only assume this hasn't been implemented yet, because a decision has to be made how to tackle detections which have more than 1 risk object- e.g. which one to choose as the entity for the finding.

[patel-bhavin]

Hi @AndreiBanaru - It is not implemented yet since we are working on some major tooling updates to how we build the ESCU app. With that said, i imagine it would be easy to implement the above change for TTP detections with one risk_object and might just consider having only one entitiy listed in the yamls for TTP detections

Tagging @pyth0n1c and @cmcginley-splunk for their input on this issue.