Skip to content

Added a Notes object and an array of notes to the Findings classes.#1670

Open
pagbabian-splunk wants to merge 7 commits into
mainfrom
findings_2
Open

Added a Notes object and an array of notes to the Findings classes.#1670
pagbabian-splunk wants to merge 7 commits into
mainfrom
findings_2

Conversation

@pagbabian-splunk

@pagbabian-splunk pagbabian-splunk commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Related Issue: 1659

Description of changes:

As mentioned in the above Issue, a simple comment attribute is not sufficient for findings that are modified over time, especially by multiple analysts.

This PR creates a Note object that includes a comment attribute but also a owner, created_time and modified_time to capture the details of who made the comment and when. The Finding classes and the Incident Finding class include a notes attribute with an array of Note objects to track comments over the lifecyle of the finding or incident.

The comment attribute is deprecated in favor of notes.

One small structural change was made: the Finding base class has a device attribute whose comment refers to resources which only appeared in the extended classes. This PR adds the resources attribute to Finding but preserves the overriddent descriptions in each of the extended finding classes.

@paul-agbabian
Added a Note object, a notes array of Notes to the dictionary, and ad…
56a4962 
…ded the notes attribute to the Finding and Incident classes.

Signed-off-by: Paul Agbabian <paul@macran.com>
@paul-agbabian
Added the resources array to the Finding base class since all extende…
788d02f 
…d findings include it, but override the description. Changed the detection_finding group from context to primary, as with all of the other Finding extended classes.

Signed-off-by: Paul Agbabian <paul@macran.com>
@github-actions

github-actions Bot commented Jun 13, 2026
edited
Loading

Copy link
Copy Markdown

Schema Description Review

Automated suggestions for improving description clarity for LLM consumption. These are advisory — not required changes.

Looking at the compiled schema output and comparing it to my previous review, I can see that all the changes remain consistent with my earlier assessment. The PR introduces a well-structured note object and applies it consistently across finding classes.

Previous Suggestions Status

All previous suggestions were already addressed - My previous review found no issues, and the current state maintains that quality level.

Current Review

Suggestions

None - all descriptions remain clear and self-contained.

CHANGELOG Issues

None - all entries follow proper conventions with correct PR references and proper sectioning.

Summary

The changes continue to demonstrate good schema design principles. The note object provides a clear structure for capturing analyst observations with proper attribution and timestamps. The consistent application across all finding classes maintains schema coherence, and all descriptions remain suitable for LLM comprehension with appropriate specificity and context.

✅ No description issues found — descriptions look clear for LLM consumption.

@paul-agbabian
Added CHANGELOG.md entries
0b2931d 
Signed-off-by: Paul Agbabian <paul@macran.com>
@pagbabian-splunk pagbabian-splunk added findings Issues related to Findings Category v1.9.0 labels Jun 14, 2026
floydtree
floydtree reviewed Jun 16, 2026
View reviewed changes
Comment thread objects/note.json
@pagbabian-splunk
Added created_time to Note (note.json)
a4bf107 
Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
@floydtree

floydtree commented Jun 22, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

@pagbabian-splunk do we want to deprecate comment in favor of this new notes attribute in the findings classes?

@pagbabian-splunk

pagbabian-splunk commented Jun 23, 2026

Copy link
Copy Markdown
Contributor Author

@pagbabian-splunk do we want to deprecate comment in favor of this new notes attribute in the findings classes?

Yes, that probably makes sense. I'll update with the deprecation. I wasn't sure whether for simple cases the single comment might be useful, but it's better that there is one place to view comments.

@pagbabian-splunk
Deprecated the comment attribute in Finding and Incident Finding in f…
87c9437 
…avor of the notes array. Replaced the user attribute with the owner attribute in the Note object to emphasize that the same user that created the Note is who can modify the Note.

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
@pagbabian-splunk
Updated CHANGELOG.md to record the deprecation of the comment attribu…
2e9bc47 
…te in finding and incident_finding..

Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
@pagbabian-splunk
Merge branch 'main' into findings_2
393fb8f 
Signed-off-by: Paul Agbabian <pagbabian@splunk.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Aniak5 Aniak5 Awaiting requested review from Aniak5 Aniak5 is a code owner
@mikeradka mikeradka Awaiting requested review from mikeradka mikeradka is a code owner
@zschmerber zschmerber Awaiting requested review from zschmerber zschmerber is a code owner
@jonrau-at-queryai jonrau-at-queryai Awaiting requested review from jonrau-at-queryai jonrau-at-queryai is a code owner
@davemcatcisco davemcatcisco Awaiting requested review from davemcatcisco davemcatcisco is a code owner
@floydtree floydtree Awaiting requested review from floydtree floydtree is a code owner

At least 3 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

findings Issues related to Findings Category v1.9.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pagbabian-splunk @floydtree @paul-agbabian