Switch drilldowns to dump in json format so

we can support and arbitrary number of them

Author: pyth0n1c

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -573,6 +573,10 @@ def model_post_init(self, __context: Any) -> None:
         print("adding default drilldown?")
         self.drilldown_searches.extend(Drilldown.constructDrilldownsFromDetection(self))
 
+    @property
+    def drilldownsInJSON(self) -> list[dict[str,str]]:
+        return [drilldown.model_dump() for drilldown in self.drilldown_searches]
+
     @field_validator('lookups', mode="before")
     @classmethod
     def getDetectionLookups(cls, v:list[str], info:ValidationInfo) -> list[Lookup]:

contentctl/objects/drilldown.py

@@ -50,6 +50,4 @@ def perform_search_substitutions(self, detection:Detection)->None:
                   f"drilldown search '{self.search}' for Detection {detection.file_path}.\n"
                   "If this was intentional, then please ignore this warning.\n")
         self.search = self.search.replace(SEARCH_PLACEHOLDER, detection.search)
-    
-
-
+    

contentctl/output/templates/savedsearches_detections.j2

@@ -112,12 +112,7 @@ alert.suppress.fields = {{ detection.tags.throttling.conf_formatted_fields() }}
 alert.suppress.period = {{ detection.tags.throttling.period }}
 {% endif %}
 search = {{ detection.search | escapeNewlines() }}
-{% for drilldown_search in detection.drilldown_searches%}
-action.notable.param.drilldown_name = {{ drilldown_search.name }}
-action.notable.param.drilldown_search = {{ drilldown_search.search | escapeNewlines()}}
-action.notable.param.drilldown_earliest_offset = {{ drilldown_search.earliest_offset }}
-action.notable.param.drilldown_latest_offset = {{ drilldown_search.latest_offset }}
-{% endfor %}
+action.notable.param.drilldown_searches = {{ detection.drilldownsInJSON | tojson | escapeNewlines() }}
 {% endif %}
 
 {% endfor %}