|
12 | 12 | from contentctl.objects.enums import AssetType
|
13 | 13 | from contentctl.objects.constants import SES_OBSERVABLE_TYPE_MAPPING, SES_OBSERVABLE_ROLE_MAPPING
|
14 | 14 | class NewContent:
|
| 15 | + UPDATE_PREFIX = "_UPDATE_" |
| 16 | + |
15 | 17 | DEFAULT_DRILLDOWN_DEF = [
|
16 | 18 | {
|
17 |
| - "name": 'View the detection results for - "$first_observable_name_here$" and "$second_observable_name_here$"', |
18 |
| - "search": '%original_detection_search% | search first_observable_type_here = "$first_observable_name_here$" second_observable_type_here = $second_observable_name_here$', |
| 19 | + "name": f'View the detection results for - "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" and "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"', |
| 20 | + "search": f'%original_detection_search% | search "${UPDATE_PREFIX}FIRST_RISK_OBJECT = "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" second_observable_type_here = "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"', |
19 | 21 | "earliest_offset": '$info_min_time$',
|
20 | 22 | "latest_offset": '$info_max_time$'
|
21 | 23 | },
|
22 | 24 | {
|
23 |
| - "name": 'View risk events for the last 7 days for - "$first_observable_name_here$" and "$second_observable_name_here$"', |
24 |
| - "search": '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$first_observable_name_here$", "$second_observable_name_here$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`', |
| 25 | + "name": f'View risk events for the last 7 days for - "${UPDATE_PREFIX}FIRST_RISK_OBJECT$" and "${UPDATE_PREFIX}SECOND_RISK_OBJECT$"', |
| 26 | + "search": f'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("${UPDATE_PREFIX}FIRST_RISK_OBJECT$", "${UPDATE_PREFIX}SECOND_RISK_OBJECT$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`', |
25 | 27 | "earliest_offset": '$info_min_time$',
|
26 | 28 | "latest_offset": '$info_max_time$'
|
27 | 29 | }
|
28 | 30 | ]
|
29 |
| - UPDATE_PREFIX = "_UPDATE_" |
| 31 | + |
30 | 32 |
|
31 | 33 | def buildDetection(self) -> tuple[dict[str, Any], str]:
|
32 | 34 | questions = NewContentQuestions.get_questions_detection()