I’m working with curated rules and their triggered alerts in Google SecOps SIEM and trying to better understand how to configure Detection Outcome Fields effectively. As we can’t edit curated rules, if the detection outcome field from the curated rule’s triggered alert doesn’t match the ontology mapping we have done, then the entity section of the SOAR case remains blank, leading to no alert grouping, no meaningful context, and failing playbooks because the entities are blank.
Are there any recommended guidelines or examples for configuring Detection Outcome Fields in curated rules?