ES8 findings, intermediate findings, etc confusion!
- Gabriel Vasseur
- 40 minutes ago
- 3 min read
Confused by how to configure detections in ES8? You're probably not the only one. I ran a lot of tests for myself and thought I might as well write this post to document my...uh findings. *sigh*
The entity field
As far as I can see, the entity field is just an alias for the good old risk_object field. In the rest of this post I'm only talking about the risk_object field, but you can assume the entity field is a duplicate of it.
One entity - intermediate finding

This raises an event in index=risk with risk_object populated with what was configured (so here the content of the user field).
This is what we call a risk-only rule. Straightforward, except that as far as I can tell things like the title and description in section 2 (intermediate finding details) are completely pointless and not used anywhere.
One entity - finding

This raises an event in index=notable with risk_object populated with what was configured (so here the content of the user field).
This is kind of what we call a notable-only rule. Mostly straightforward, but what is the point of the risk_object field being populated if there's no risk raised?! Also, it demands that risk_message be filled in even though it is useless.
N/A entity - intermediate finding

This raises nothing. What's the point in having sections 2 and 3 at all then?
I guess this option is still useful to have if all you want to do is some other adaptive response action (section 9), such as sending an email, etc.
N/A entity - finding

This raises an event in index=notable without risk_object populated.
This is the closest to what we had as a notable-only rule. Straightforward. But then what's the point in having to fill in the risk_message config?
2 entities - both intermediate findings

This raises 2 identical events in index=risk but with different values for the risk_object, risk_score, etc, as configured.
This is basically a multi-risk rule. Straightforward.
2 entities - both findings

This raises 2 identical events in index=notable, but with different values for the risk_object.
What's the point?!!
We spend an incredible amount of effort to REDUCE the number of alerts we have to deal with; we don't need a way to pointlessly create more.
Plus as mentioned above, what is the point of risk_object being populated if there's no risk raised?
2 entities - 1 finding, 1 intermediate finding

This raises one event in index=notable with the (pointless) risk_object set to what the user field contains, and one event in index=risk with risk_object set to what the dest field contains.
Again, why would you want to do that? If the user is the entity of interest, why raise the risk on the dest? If you raise the risk on dest, why not mention it as the "entity" in the notable? I don't understand this.
Before making this test, I would have thought that this would create 2 risks and one notable. I checked what some of our existing rules that raised both a notable and multiple risks are doing after the upgrade, and this is what it looks like:

Which is similar to my next test, and so maintains the pre-upgrade behaviour.
2 entities - 1 finding, 2 intermediate findings

This raises one event in index=notable with the (pointless) risk_object set to what the user is, and two events in index=risk, one with risk_object set to the user and the other set to the dest.
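For anyone who wants to reproduce the eight cases above in their own environment, here is the verification search I would run after each test. It is an added example, not part of the original post. It assumes that the events a detection writes to index=risk and index=notable both carry the detection name in the source field (check this on one of your own detections first), and <detection name> is a placeholder for that name:

```spl
(index=risk OR index=notable) source="<detection name>" earliest=-4h
| fillnull value="(not populated)" risk_object risk_object_type risk_score risk_message
| stats count by index, risk_object_type, risk_object, risk_score, risk_message
| sort index, risk_object
```

One row per distinct combination of index and risk_object tells you directly which configuration you are looking at: a single row in index=risk is a risk-only rule, a row in index=notable with risk_object "(not populated)" is the old notable-only behaviour, and the "2 entities - both findings" case shows up as two rows in index=notable that differ only in risk_object. The fillnull step matters because stats silently drops events where any of the "by" fields is missing, which would hide exactly the N/A-entity notables you want to see.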
contributing_events_search
I've noticed this weird field in the events of index=risk. I haven't had time to research this yet, but I'm curious what it is for.
Conclusion
I'm looking for feedback: Is this fair? Am I missing something?