[BUG] Broken drilldown: "View risk events for the last 7 days for ..." #3976

@AndreiBanaru

Description

With the release of Enterprise Security 8, the risk drilldown searches for TTP-type detections are broken.

I'm referring to these:

drilldown_searches:
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$

I'm pinning this to a change done in the SA-ThreatIntelligence add-on. The baseSearch in the Risk.json datamodel now calls out an spath_annotations macro at the end. I believe this doesn't allow the use of starthoursago parameters later in the SPL.

What could potentially solve the problem would be:

  1. Removal of starthoursago=168 from the search key
  2. Setting earliest_offset=-7d and latest_offset=now

This would technically achieve the same outcome as before, but I wasn't able to find the right way to make the -7d and now expand.
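The rewrite proposed in steps 1 and 2 above, applied mechanically so the affected drilldowns can be reviewed in bulk. This is an added helper, not code from the security_content project or from the issue author: it strips the inline `starthoursago=N` (or `startdaysago`/`startminutesago`) option out of a drilldown's SPL and moves the equivalent relative time into `earliest_offset`, setting `latest_offset` to `now`. The issue leaves open whether the drilldown templating expands a literal `-7d`/`now`; the helper only performs the transformation and does not claim it resolves that. The sample drilldown is the one quoted in the issue, embedded as a Python dict.

```python
"""Added helper (not part of security_content or the issue above).

Moves an inline start*ago bound from a drilldown's SPL into the drilldown's
earliest_offset / latest_offset fields, as proposed in the issue. Whether a
literal -7d / now expands correctly in the drilldown template is NOT settled
in the issue; this only produces the rewritten drilldown for review.
"""
import re

# Splunk `search` command time options and the relative-time unit each maps to.
_START_OPTS = {"startminutesago": "m", "starthoursago": "h", "startdaysago": "d"}
_OPT_RE = re.compile(r"\b(start(?:minutes|hours|days)ago)\s*=\s*(\d+)\b")

# The drilldown quoted in the issue, reproduced as a dict (constructed input).
ISSUE_DRILLDOWN = {
    "name": 'View risk events for the last 7 days for - "$user$"',
    "search": (
        '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") '
        'starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime '
        'values(search_name) as "Search Name" values(risk_message) as "Risk Message" '
        'values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" '
        'values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object '
        '| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
    ),
    "earliest_offset": "$info_min_time$",
    "latest_offset": "$info_max_time$",
}


def find_inline_time_bounds(search: str):
    """Return [(option, value), ...] for every inline start*ago option in an SPL string."""
    return [(m.group(1), int(m.group(2))) for m in _OPT_RE.finditer(search)]


def _relative_time(option: str, value: int) -> str:
    """Express a start*ago option as a Splunk relative-time string for earliest_offset."""
    unit = _START_OPTS[option]
    if unit == "h" and value % 24 == 0:
        return f"-{value // 24}d"  # 168h becomes -7d, matching the issue's proposal
    return f"-{value}{unit}"


def rewrite_drilldown(drilldown: dict) -> dict:
    """Return a copy of `drilldown` with the inline bound moved into the offset fields.

    Drilldowns with no inline bound are returned unchanged; more than one bound
    is refused rather than guessed at.
    """
    bounds = find_inline_time_bounds(drilldown["search"])
    if not bounds:
        return dict(drilldown)
    if len(bounds) > 1:
        raise ValueError(f"multiple inline start bounds, refusing to rewrite: {bounds}")
    option, value = bounds[0]
    search = _OPT_RE.sub("", drilldown["search"])
    search = re.sub(r"[ \t]{2,}", " ", search).strip()  # tidy the gap left behind
    out = dict(drilldown)
    out["search"] = search
    out["earliest_offset"] = _relative_time(option, value)
    out["latest_offset"] = "now"
    return out


if __name__ == "__main__":
    for key, val in rewrite_drilldown(ISSUE_DRILLDOWN).items():
        print(f"{key}: {val}")
```

Running the module prints the rewritten drilldown for the issue's search, with `starthoursago=168` gone from the SPL and `earliest_offset: -7d`, `latest_offset: now` in its place; whether those literals expand in the generated drilldown still has to be confirmed against the template, as the issue notes.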

Labels: bug (Something isn't working)