Merge pull request #296 from splunk/ryanplasma_add_explanation

Ryanplasma add explanation

Author: pyth0n1c

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -67,6 +67,16 @@ class Detection_Abstract(SecurityContentObject):
     search: str = Field(...)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
+    explanation: None | str = Field(
+        default=None,
+        exclude=True, #Don't serialize this value when dumping the object
+        description="Provide an explanation to be included "
+        "in the 'Explanation' field of the Detection in "
+        "the Use Case Library. If this field is not "
+        "defined in the YML, it will default to the "
+        "value of the 'description' field when " 
+        "serialized in analyticstories_detections.j2",
+    )
 
     enabled_by_default: bool = False
     file_path: FilePath = Field(...)

contentctl/output/templates/analyticstories_detections.j2

@@ -7,7 +7,7 @@
 type = detection
 asset_type = {{ detection.tags.asset_type.value }}
 confidence = medium
-explanation = {{ detection.description | escapeNewlines() }}
+explanation = {{ (detection.explanation if detection.explanation else detection.description) | escapeNewlines() }}
 {% if detection.how_to_implement is defined %}
 how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}