Update template and drilldown object

pyth0n1c · pyth0n1c · commit 7bde9d72f515 · 2024-09-26T16:36:07.000-07:00
diff --git a/contentctl/objects/drilldown.py b/contentctl/objects/drilldown.py
@@ -25,14 +25,14 @@ class Drilldown(BaseModel):
 
     @classmethod
     def constructDrilldownsFromDetection(cls, detection: Detection) -> list[Drilldown]:
-        if len([f"${o.name}$" for o in detection.tags.observable if o.role[0] == "Victim"]) == 0 and detection.type != AnalyticsType.Hunting:
-            print("no victim!")
-            # print(detection.tags.observable)
-            # print(detection.file_path)
+        victim_observables = [o for o in detection.tags.observable if o.role[0] == "Victim"] 
+        if len(victim_observables) == 0 or detection.type == AnalyticsType.Hunting:
+            # No victims, so no drilldowns
+            return []
 
-        variableNamesString = ' and'.join([f"${o.name}$" for o in detection.tags.observable if o.type[0] == "Victim"])
-        nameField = "View the detection results for }" + variableNamesString
-        appendedSearch =  " | search " + ' '.join([f"o.name = ${o.name}$" for o in detection.tags.observable])
+        variableNamesString = ' and '.join([f"${o.name}$" for o in victim_observables])
+        nameField = f"View the detection results for {variableNamesString}"
+        appendedSearch =  " | search " + ' '.join([f"{o.name} = ${o.name}$" for o in victim_observables])
         search_field = f"{detection.search}{appendedSearch}"
         detection_results = cls(name=nameField, earliest_offset=EARLIEST_OFFSET, latest_offset=LATEST_OFFSET, search=search_field)
         
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
@@ -112,12 +112,12 @@ alert.suppress.fields = {{ detection.tags.throttling.conf_formatted_fields() }}
 alert.suppress.period = {{ detection.tags.throttling.period }}
 {% endif %}
 search = {{ detection.search | escapeNewlines() }}
-{% if detection.tags.drilldown%}
-action.notable.param.drilldown_name = {{ detection.tags.drilldown.name }}
-action.notable.param.drilldown_search = {{ detection.tags.drilldown.search | escapeNewlines()}}
-action.notable.param.drilldown_earliest_offset = {{ detection.tags.drilldown.earliest_offset }}
-action.notable.param.drilldown_latest_offset = {{ detection.tags.drilldown.latest_offset }}
-{% endif %}
+{% for drilldown_search in detection.drilldown_searches%}
+action.notable.param.drilldown_name = {{ drilldown_search.name }}
+action.notable.param.drilldown_search = {{ drilldown_search.search | escapeNewlines()}}
+action.notable.param.drilldown_earliest_offset = {{ drilldown_search.earliest_offset }}
+action.notable.param.drilldown_latest_offset = {{ drilldown_search.latest_offset }}
+{% endfor %}
 {% endif %}
 
 {% endfor %}
