Add appropriate updated

fields to
savedsearches.conf

Author: pyth0n1c

contentctl/output/templates/savedsearches_detections.j2

@@ -35,12 +35,14 @@ cron_schedule = {{ detection.deployment.scheduling.cron_schedule }}
 dispatch.earliest_time = {{ detection.deployment.scheduling.earliest_time }}
 dispatch.latest_time = {{ detection.deployment.scheduling.latest_time }}
 action.correlationsearch.enabled = 1
+action.correlationsearch.detection_type = ebd
 action.correlationsearch.label = {{ detection.get_action_dot_correlationsearch_dot_label(app) }}
 action.correlationsearch.annotations = {{ detection.annotations | tojson }}
 action.correlationsearch.metadata = {{ detection.metadata | tojson }}
 schedule_window = {{ detection.deployment.scheduling.schedule_window }}
 {% if detection.deployment.alert_action.notable %}
 action.notable = 1
+action.notable.param._entities = [{"risk_object_field": "N/A", "risk_object_type": "N/A", "risk_score": "0"}]
 action.notable.param.nes_fields = {{ detection.nes_fields }}
 action.notable.param.rule_description = {{ detection.deployment.alert_action.notable.rule_description | custom_jinja2_enrichment_filter(detection) | escapeNewlines()}}
 action.notable.param.rule_title = {% if detection.type | lower == "correlation" %}RBA: {{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% else %}{{ detection.deployment.alert_action.notable.rule_title | custom_jinja2_enrichment_filter(detection) }}{% endif +%}