update detections.json output with new rba structure #390
Conversation
tags into higher level Detection_Abstract object. Make sure risk_severity is consistent and included only in json content that requires it. Updated serialization logic for detections.json
I have submitted a draft of the new objects to the relevant team and am waiting on feedback. This PR should remain in DRAFT until we receive that feedback and confirmation that it is correct. |
After internal feedback approved of these changes, I have now marked it Ready for Review |
I have taken a look by diffing the old JSON files and old Application files side by side. The only notable differences are the expected changes around Some of the fields in some of these JSON files have their orderings change on subsequent runs - this ordering is not meaningful for our purposes (for example a list of MITRE enrichments) but we may consider sorting them in the future since they make diffing much more challenging and time-consuming. |
Verified the generation of the output and manually compared with https://securitycontent.scs.splunk.com/detections.json. The generated JSON file has been tested by the SSE team.

Move risk_score and risk_severity from tags into higher level Detection_Abstract object. Make sure risk_severity is consistent and included only in json content that requires it. Updated serialization logic for detections.json
Note that this PR also supersedes the following PR, which has been closed:
#379
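The review comments above describe verifying the new detections.json by diffing it against the old output, and note that unordered lists (such as MITRE enrichments) make that diff noisy. The following is an added example, not code from this repository, of an order-insensitive comparison that models the structural change in this PR (risk_score and risk_severity lifted out of `tags` to the top-level object). The sample detection objects and the `mitre_attack_enrichments` key name are constructed for illustration.

```python
import json
from typing import Any

# Constructed sample: the same detection before the change (risk fields
# nested under "tags") and after it (risk fields on the top-level object),
# with the enrichment list in a different order to mimic run-to-run reordering.
OLD_DETECTION = {
    "name": "Example Detection",
    "tags": {
        "risk_score": 42,
        "risk_severity": "medium",
        "mitre_attack_enrichments": [{"id": "T1059"}, {"id": "T1003"}],
    },
}
NEW_DETECTION = {
    "name": "Example Detection",
    "risk_score": 42,
    "risk_severity": "medium",
    "tags": {"mitre_attack_enrichments": [{"id": "T1003"}, {"id": "T1059"}]},
}

RISK_FIELDS = ("risk_score", "risk_severity")


def canonical(value: Any) -> Any:
    """Return a form in which list order is irrelevant: dict keys are sorted and
    lists are sorted by their JSON serialisation, so a diff is not dominated by
    reordering of lists whose order carries no meaning."""
    if isinstance(value, dict):
        return {k: canonical(v) for k, v in sorted(value.items())}
    if isinstance(value, list):
        items = [canonical(v) for v in value]
        return sorted(items, key=lambda v: json.dumps(v, sort_keys=True))
    return value


def lift_risk_fields(old: dict) -> dict:
    """Model the PR's structural change: move the risk fields from tags
    up to the top-level object, leaving all other tags in place."""
    new = {k: v for k, v in old.items() if k != "tags"}
    tags = dict(old.get("tags", {}))
    for field in RISK_FIELDS:
        if field in tags:
            new[field] = tags.pop(field)
    new["tags"] = tags
    return new


def equivalent(old: dict, new: dict) -> bool:
    """True if new equals old after the risk-field move, ignoring list order."""
    return canonical(lift_risk_fields(old)) == canonical(new)
```

Running `equivalent` over each pair of old/new detection objects flags only genuine content differences, which is what a reviewer diffing the two files by hand is trying to isolate.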