The "User Name" type should map to a "user" risk object and not "other" #246

Open
@cmcginley-splunk

Description

  • In detection_abstract.py we look for observable of type username
  • In practice, the valid type (see SES_OBSERVABLE_TYPE_MAPPING) is User Name; Username/username is invalid and static validation does not allow for these values
  • This is causing a handful of detections to create risk objects of type other instead of type user
  • Additionally, device is not a valid observable type per SES_OBSERVABLE_TYPE_MAPPING (used in validation)
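A small model of the mismatch described in this issue, as an added example rather than contentctl's own code: the set of valid observable types below is a constructed stand-in for SES_OBSERVABLE_TYPE_MAPPING, and the mapping of device-like types to the "system" risk object is an assumption.

```python
from typing import List

# Constructed stand-in for the project's SES_OBSERVABLE_TYPE_MAPPING: the
# canonical observable type names that static validation accepts.
VALID_OBSERVABLE_TYPES = {"User Name", "Hostname", "IP Address", "Process Name"}

# Canonical names that should yield a "user" or "system" risk object
# (the "system" grouping is an assumption for this example).
USER_TYPES = {"User Name"}
SYSTEM_TYPES = {"Hostname", "IP Address"}


def validate_observable_type(observable_type: str) -> bool:
    """Mirror static validation: only canonical type names pass."""
    return observable_type in VALID_OBSERVABLE_TYPES


def risk_object_type_buggy(observable_type: str) -> str:
    """Reproduce the bug: the lookup compares against 'username' and
    'device', neither of which passes validation, so every valid user
    observable falls through to 'other'."""
    if observable_type == "username":
        return "user"
    if observable_type == "device":
        return "system"
    return "other"


def risk_object_type_fixed(observable_type: str) -> str:
    """Fix: compare against the same canonical names validation accepts."""
    if observable_type in USER_TYPES:
        return "user"
    if observable_type in SYSTEM_TYPES:
        return "system"
    return "other"


def mismatched_types() -> List[str]:
    """Return every valid observable type whose risk-object type differs
    between the buggy and fixed lookups; a non-empty list means detections
    using those types are silently producing 'other' risk objects."""
    return sorted(
        t for t in VALID_OBSERVABLE_TYPES
        if risk_object_type_buggy(t) != risk_object_type_fixed(t)
    )
```

Keeping the lookup keys and the validation set as one source of truth is what prevents this class of silent downgrade from recurring.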

Labels: bug (Something isn't working)
