Description
I am requesting that, when using an Alert to create an Incident or Incident Response, the TA parse all observables in an observable field if the field is multi-valued. Example Splunk stats results screenshot below.
Currently:
Based on the screenshot below the TA would create 6 Incidents/Incident Responses. However only the 2 incidents that have single IPs in the "octi_ip" field would get the observable attached to the event. The incidents that had multi-value "octi_ip" fields had 0 observables added to the incident.
Expected:
Based on the screenshot below the TA would create 6 Incidents/Incident Responses. Each IP value in the "octi_ip" field would be added to the incident as a distinct observable.
Reasoning:
Instead of creating potentially hundreds of incidents with 1 observable in them, we can bucket them by related information in Splunk so that an analyst does not have to combine the incidents manually into an incident response container.
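As an added illustration of the requested behaviour (this is example code written for this issue, not the TA's own implementation), the following shows how an alert action can expand a multi-valued Splunk field into one observable per value. It relies on Splunk's documented convention for modular alert results: a multi-valued field arrives with a companion `__mv_<field>` column in which each value is wrapped in `$...$`, values are joined with `;`, and a literal `$` is escaped as `$$`. The sample results CSV is constructed, and the function names and the `{"type": ..., "value": ...}` observable shape are assumptions for the sake of the example rather than OpenCTI API calls.

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List

# Splunk encodes a multi-valued field in a companion "__mv_<field>" column as
# "$value1$;$value2$", with a literal "$" inside a value escaped as "$$".
_MV_TOKEN = re.compile(r"\$((?:[^$]|\$\$)*)\$")

# Constructed sample of what an alert action receives (results.csv). Row 1 has a
# single IP, row 2 has a multi-valued octi_ip field, row 3 has no IP at all.
SAMPLE_RESULTS_CSV = (
    "src_user,octi_ip,__mv_octi_ip\n"
    "alice,192.0.2.10,\n"
    'bob,"198.51.100.7\n198.51.100.8",$198.51.100.7$;$198.51.100.8$\n'
    "carol,,\n"
)


def decode_mv(encoded: str) -> List[str]:
    """Decode Splunk's __mv_ encoding into the list of individual values."""
    return [m.group(1).replace("$$", "$") for m in _MV_TOKEN.finditer(encoded)]


def field_values(row: Dict[str, str], field: str) -> List[str]:
    """Return every value of `field` in one result row, expanding multi-values."""
    encoded = row.get(f"__mv_{field}")
    if encoded:
        return decode_mv(encoded)
    raw = row.get(field, "")
    if not raw:
        return []
    # Fallback (assumption): without an __mv_ column, treat a newline-joined
    # cell as multi-valued, which is how stats values() renders in the CSV.
    return raw.split("\n")


def observables_from_row(row: Dict[str, str], field: str) -> List[Dict[str, str]]:
    """Build one distinct IP observable per value; skip blanks, duplicates, non-IPs."""
    seen = set()
    observables = []
    for value in field_values(row, field):
        value = value.strip()
        if not value or value in seen:
            continue
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # not an IP address: leave it out of the IP observable set
        seen.add(value)
        stix_type = "IPv4-Addr" if addr.version == 4 else "IPv6-Addr"
        observables.append({"type": stix_type, "value": value})
    return observables


def load_rows(results_csv: str) -> List[Dict[str, str]]:
    """Parse alert-action results text into rows (one incident per row)."""
    return list(csv.DictReader(io.StringIO(results_csv)))


def observable_counts(results_csv: str, field: str = "octi_ip") -> List[int]:
    """Number of observables each incident would receive: expected [1, 2, 0]."""
    return [len(observables_from_row(row, field)) for row in load_rows(results_csv)]


if __name__ == "__main__":
    for row in load_rows(SAMPLE_RESULTS_CSV):
        print(row["src_user"], observables_from_row(row, "octi_ip"))
```

With the current behaviour described in the issue, the second row would yield zero observables; with the expansion above it yields two, while the incident count stays at one per result row.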