[KNOWN BUG] Summon correlation strips user_defined_severity and user_defined_category fields, causing upload error 101704

[simonsigre]

When importing a correlation rule using summon correlation, the user_defined_severity and user_defined_category fields are stripped from the output YAML.
When the rule has severity set to "User Defined" or alert_category set to "User Defined", Cortex Platform requires these companion fields to be present. Without them, upload fails with error 101704.
The fix is to conditionally preserving these fields when their parent field is set to "User Defined".

Will be fixed in next release

[simonsigre]

When importing correlation rules, the user_defined_severity and user_defined_category fields were being stripped out along with other platform-specific fields. Problem was, when a rule has its severity or alert category set to "User Defined", Cortex Platform actually requires those companion fields to be present, without them the upload fails with error 101704. Fixed it so those fields are only kept when their parent is set to "User Defined", and dropped when it's not.

Resolved in v1.22.0-beta.1 (not currently :LATEST tag ) so anyone keen to test try this;

docker pull gocortexio/spellbook:1.22.0-beta.1