Include "Drilldown name and Search" in the detection template #2385
Hey @gs3cl, thank you so much for the request. We are absolutely looking to introduce this feature as part of a major update, security content 4.0.0. This is not likely slated until EOY, closer to the November/December timeframe. With that said, let's keep it open and we will update you once we have a PR ready.
Hey @d1vious, thanks for the information, sounds great.
Was it implemented?
Hey,
is it possible to include both functions regarding Drilldowns?
Why?
As an analyst in a SOC with different levels/stages, it is very helpful to build Drilldown Searches for the analysts. To reduce workload during daily work, it would be cool to have this capability in the detection specs. Hence we could build pre-defined "Drilldown Searches".
Example:
ESCU - Account Discovery With Net App - Rule
SPL:
Instead of Risk, I want a Search for the Drilldown with a variable like "dest",
and that would be the result in the .yml with two new fields:
search_drilldown:
drilldown_name:
Thanks in advance
Regards,
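To make the request concrete, here is an added example (not code from the issue or from the security_content project) of how a consumer of a detection .yml could use the two proposed fields. The detection dict, the `$field$` token convention for the drilldown variable and the sample search are all constructed assumptions, not the real ESCU rule or spec.

```python
import re

# Constructed sample modelled on the two fields proposed in this issue
# (drilldown_name / search_drilldown). The search text is a stand-in,
# not the actual ESCU "Account Discovery With Net App" SPL.
DETECTION = {
    "name": "Account Discovery With Net App",
    "search": '| tstats count from datamodel=Endpoint.Processes '
              'where Processes.process_name="net.exe" '
              'by Processes.dest Processes.user',
    "drilldown_name": "Show all net.exe activity on this host",
    # Assumed convention: variables are written as $field$ inside quotes.
    "search_drilldown": 'index=* process_name="net.exe" dest="$dest$" '
                        'user="$user$" earliest=-24h',
}

TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)\$")


def drilldown_tokens(template):
    """Sorted list of the $field$ variables a drilldown template uses."""
    return sorted(set(TOKEN.findall(template)))


def missing_tokens(detection):
    """Variables the drilldown needs that the detection search does not
    produce (fields listed after 'by', datamodel prefix stripped)."""
    m = re.search(r"\bby\s+(.+)$", detection["search"])
    produced = set()
    if m:
        for field in m.group(1).split():
            produced.add(field.split(".")[-1])
    return [t for t in drilldown_tokens(detection["search_drilldown"])
            if t not in produced]


def render_drilldown(template, event):
    """Fill $field$ tokens from a notable event's fields. Values are
    escaped for an SPL double-quoted string so a field value cannot
    alter the pre-defined search."""
    def substitute(match):
        name = match.group(1)
        if name not in event:
            raise KeyError(f"drilldown token ${name}$ missing from event")
        value = str(event[name])
        return value.replace("\\", "\\\\").replace('"', '\\"')
    return TOKEN.sub(substitute, template)
```

Running `missing_tokens` over every detection at content-build time catches a drilldown that references a field the detection never emits, before an analyst clicks it.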