Merge pull request #132 from splunk/additional_search_annotations

pyth0n1c · web-flow · commit 3426a7c5adbf · 2024-04-23T14:10:49.000-07:00
Note that the following appears for a non-deprecated search: <img width="1021" alt="image" src="https://github.com/splunk/contentctl/assets/87383215/2d471b6d-ec3a-46cd-be39-cddb81b5a417"> And for a deprecated search: <img width="1094" alt="image" src="https://github.com/splunk/contentctl/assets/87383215/2ac103bb-0108-4223-bf4a-7c5f91b50e06"> This change has also been ported/implemented with `@computed_field` in: dd4b150
diff --git a/contentctl/objects/abstract_security_content_objects/detection_abstract.py b/contentctl/objects/abstract_security_content_objects/detection_abstract.py
@@ -57,6 +57,7 @@ class Detection_Abstract(SecurityContentObject):
     runtime: str = None
     enabled_by_default: bool = False
 
+
     class Config:
         use_enum_values = True
 
@@ -346,3 +347,10 @@ def get_summary(
 
         # Return the summary
         return summary_dict
+
+
+    def getMetadata(self)->dict[str,str]:
+        return {'detection_id':str(self.id),
+                'deprecated':'1' if self.status==DetectionStatus.deprecated.value else '0',
+                'detection_version':str(self.version)}
+
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
@@ -64,6 +64,7 @@ action.correlationsearch.label = {{APP_NAME}} - RIR - {{ detection.name }} - Rul
 action.correlationsearch.label = {{APP_NAME}} - {{ detection.name }} - Rule
 {% endif %}
 action.correlationsearch.annotations = {{ detection.annotations | tojson }}
+action.correlationsearch.metadata = {{ detection.getMetadata() | tojson }}
 {% if detection.deployment.scheduling.schedule_window is defined %}
 schedule_window = {{ detection.deployment.scheduling.schedule_window }}
 {% endif %}
