Open
Description
- In Enabling risk/observable matching #241 I refactored risk/notable lookups to use the oldest `orig_sid` instead of the newest
  - The benefit of this is that it helps ensure we don't encounter weird race conditions where, close to the end of the timeout, we are looking at the most recent run of the savedsearch and only a partial set of risk events has been generated (this leads to false validation errors where an observable might not have a corresponding risk)
- More work is needed though to alleviate very occasional false successes observed as it relates to risk/observable matching
  - We have validation which ensures we don't have Attacker type observables matching to risk objects (we observe this issue in about ~50 detections at the time of writing, but Threat objects #234 will resolve these)
  - Occasionally, a detection with one of these "bad" risk objects may pass this validation if at query time the bad risk event has not yet been generated
- This could be alleviated by instead finding a specific `orig_sid` (savedsearch ID) for the risk/notable in question, and pinning all future queries for risk/notables to that SID
  - Additionally, this would allow us to query the status of the SID job, so we might have more confidence that all risk events that are going to be generated have been generated
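An added sketch of the pinned-SID approach described above (example code, not the project's own): it picks the oldest `orig_sid`, checks the job's `isDone`/`dispatchState` properties before comparing, and only then validates observables against that one run's risk events, so a partially generated set can neither fail nor pass spuriously. The event and observable records are constructed sample data and their field names are assumptions.

```python
from typing import Any

# Constructed sample data (not from the project): risk events from two runs of
# the same savedsearch, each tagged with the orig_sid of the run that emitted it.
RISK_EVENTS = [
    {"_time": 100, "orig_sid": "sid_run_100", "risk_object": "host-a"},
    {"_time": 100, "orig_sid": "sid_run_100", "risk_object": "alice"},
    {"_time": 160, "orig_sid": "sid_run_160", "risk_object": "host-a"},  # newer run, still partial
]
# Observables declared by the detection; Attacker-role observables must not
# have a matching risk object.
OBSERVABLES = [
    {"name": "host-a", "role": ["Victim"]},
    {"name": "alice", "role": ["Victim"]},
    {"name": "evil.example", "role": ["Attacker"]},
]


def pick_pinned_sid(events: list[dict[str, Any]]) -> str:
    """Choose the oldest orig_sid so later runs, which may still be emitting
    events, are never mixed into the comparison."""
    return min(events, key=lambda e: e["_time"])["orig_sid"]


def job_is_complete(job_props: dict[str, Any]) -> bool:
    """Splunk search-job properties expose isDone and dispatchState; only a
    finished job has emitted every risk event it is going to emit."""
    return str(job_props.get("isDone", "0")) == "1" and job_props.get("dispatchState") == "DONE"


def validate_risk(observables, events, sid: str, job_props: dict[str, Any]) -> dict[str, Any]:
    """Compare observables against the risk events of one pinned SID only.
    Returns 'pending' while the job is unfinished; 'fail' if a non-Attacker
    observable has no risk object or an Attacker observable has one."""
    if not job_is_complete(job_props):
        return {"status": "pending", "sid": sid}
    risk_objects = {e["risk_object"] for e in events if e["orig_sid"] == sid}
    missing = [o["name"] for o in observables
               if "Attacker" not in o["role"] and o["name"] not in risk_objects]
    bad = [o["name"] for o in observables
           if "Attacker" in o["role"] and o["name"] in risk_objects]
    status = "pass" if not missing and not bad else "fail"
    return {"status": status, "sid": sid, "missing": missing, "attacker_matched": bad}


if __name__ == "__main__":
    sid = pick_pinned_sid(RISK_EVENTS)
    print(validate_risk(OBSERVABLES, RISK_EVENTS, sid, {"isDone": "1", "dispatchState": "DONE"}))
```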