more progess on drilldown updates

pyth0n1c · pyth0n1c · commit b3e7330c2bc7 · 2024-08-28T12:09:26.000-07:00
diff --git a/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py b/contentctl/actions/detection_testing/infrastructures/DetectionTestingInfrastructure.py
@@ -1180,6 +1180,7 @@ def retry_search_until_timeout(
         return
 
     def delete_attack_data(self, attack_data_files: list[UnitTestAttackData]):
+        return
         for attack_data_file in attack_data_files:
             index = attack_data_file.custom_index or self.sync_obj.replay_index
             host = attack_data_file.host or self.sync_obj.replay_host
diff --git a/contentctl/objects/drilldown.py b/contentctl/objects/drilldown.py
@@ -1,6 +1,6 @@
 from pydantic import BaseModel, Field
 class Drilldown(BaseModel):
     name: str = Field(...,min_length=5)
-    search: str = Field(..., description="The text of a drilldown search. This must be valid SPL." min_length=1)
+    search: str = Field(..., description="The text of a drilldown search. This must be valid SPL.", min_length=1)
     earliest_offset:str = "$info_min_time$"
     latest_offset:str = "$info_max_time$"
diff --git a/contentctl/output/templates/savedsearches_detections.j2 b/contentctl/output/templates/savedsearches_detections.j2
@@ -108,7 +108,13 @@ quantity = 0
 realtime_schedule = 0
 is_visible = false
 search = {{ detection.search | escapeNewlines() }}
-
+{% if detection.tags.drilldown%}
+action.notable.param.drilldown_name = {{ detection.tags.drilldown.name }}
+action.notable.param.drilldown_search = {{ detection.tags.drilldown.search | escapeNewlines()}}
+action.notable.param.drilldown_earliest_offset = {{ detection.tags.drilldown.earliest_offset }}
+action.notable.param.drilldown_latest_offset = {{ detection.tags.drilldown.latest_offset }}
+{% endif %}
 {% endif %}
+
 {% endfor %}
 ### END {{ APP_NAME }} DETECTIONS ###
