0xC0FFEEEE

> Hmmm interesting. What you mean here is to entirely reproduce the `search` field in the YML as the `drilldown.search` field, right? It sounds like this is a fairly common...

> If this is the case, do you see any reason not to just reproduce the search as a drilldown for ANY piece of content (not just Anomaly/TTP) that doesn't...

@patel-bhavin Yes we do add the notable action to Anomaly detections. This can generate a lot of notables, but we tend to tune an Anomaly detection against the previous 30...

Some context as to why this would be a great feature from the perspective of a Splunk cloud customer w/ >950 ESCU rules enabled: When we adopted Splunk ES, we...