fixes to ensure that every search that

pyth0n1c · pyth0n1c · commit db7de0bf5505 · 2024-10-01T10:24:44.000-07:00
needs one should have the appropriate
default drilldown.
diff --git a/contentctl/objects/abstract_security_content_objects/detection_abstract.py b/contentctl/objects/abstract_security_content_objects/detection_abstract.py
@@ -36,7 +36,7 @@
 from contentctl.objects.integration_test import IntegrationTest
 from contentctl.objects.data_source import DataSource
 from contentctl.objects.base_test_result import TestResultStatus
-from contentctl.objects.drilldown import Drilldown
+from contentctl.objects.drilldown import Drilldown, DRILLDOWN_SEARCH_PLACEHOLDER
 from contentctl.objects.enums import ProvidingTechnology
 from contentctl.enrichments.cve_enrichment import CveEnrichmentObj
 import datetime
@@ -564,15 +564,32 @@ def model_post_init(self, __context: Any) -> None:
         # Derive TestGroups and IntegrationTests, adjust for ManualTests, skip as needed
         self.adjust_tests_and_groups()
 
-        #Add the default drilldown
-        #self.drilldown_searches.append(Drilldown.constructDrilldownFromDetection(self))
-        
+        # Ensure that if there is at least 1 drilldown, at least
+        # 1 of the drilldowns contains the string Drilldown.SEARCH_PLACEHOLDER.
+        # This is presently a requirement when 1 or more drilldowns are added to a detection.
+        # Note that this is only required for production searches that are not hunting
+            
+        if self.type == AnalyticsType.Hunting.value or self.status != DetectionStatus.production.value:
+            #No additional check need to happen on the potential drilldowns.
+            pass
+        else:
+            found_placeholder = False
+            if len(self.drilldown_searches) < 2:
+                raise ValueError(f"This detection is required to have 2 drilldown_searches, but only has [{len(self.drilldown_searches)}]")
+            for drilldown in self.drilldown_searches:
+                if DRILLDOWN_SEARCH_PLACEHOLDER in drilldown.search:
+                    found_placeholder = True
+            if not found_placeholder:
+                raise ValueError("Detection has one or more drilldown_searches, but none of them "
+                                 f"contained '{DRILLDOWN_SEARCH_PLACEHOLDER}. This is a requirement "
+                                 "if drilldown_searches are defined.'")
+            
         # Update the search fields with the original search, if required
         for drilldown in self.drilldown_searches:
             drilldown.perform_search_substitutions(self)
-        
+
         #For experimental purposes, add the default drilldowns
-        self.drilldown_searches.extend(Drilldown.constructDrilldownsFromDetection(self))
+        #self.drilldown_searches.extend(Drilldown.constructDrilldownsFromDetection(self))
 
     @property
     def drilldowns_in_JSON(self) -> list[dict[str,str]]:
diff --git a/contentctl/objects/drilldown.py b/contentctl/objects/drilldown.py
@@ -4,7 +4,7 @@
 if TYPE_CHECKING:
     from contentctl.objects.detection import Detection
 from contentctl.objects.enums import AnalyticsType
-SEARCH_PLACEHOLDER = "%original_detection_search%"
+DRILLDOWN_SEARCH_PLACEHOLDER = "%original_detection_search%"
 EARLIEST_OFFSET = "$info_min_time$"
 LATEST_OFFSET = "$info_max_time$"
 RISK_SEARCH = "index = risk  starthoursago = 168 endhoursago = 0 | stats count values(search_name) values(risk_message) values(analyticstories) values(annotations._all) values(annotations.mitre_attack.mitre_tactic) "
@@ -29,7 +29,7 @@ def constructDrilldownsFromDetection(cls, detection: Detection) -> list[Drilldow
         if len(victim_observables) == 0 or detection.type == AnalyticsType.Hunting:
             # No victims, so no drilldowns
             return []
-        print("Adding default drilldowns. REMOVE THIS BEFORE MERGING")
+        print(f"Adding default drilldowns for [{detection.name}]")
         variableNamesString = ' and '.join([f"${o.name}$" for o in victim_observables])
         nameField = f"View the detection results for {variableNamesString}"
         appendedSearch =  " | search " + ' '.join([f"{o.name} = ${o.name}$" for o in victim_observables])
@@ -40,18 +40,20 @@ def constructDrilldownsFromDetection(cls, detection: Detection) -> list[Drilldow
         nameField = f"View risk events for the last 7 days for {variableNamesString}"
         fieldNamesListString = ', '.join([o.name for o in victim_observables])
         search_field = f"{RISK_SEARCH}by {fieldNamesListString} {appendedSearch}"
-        #risk_events_last_7_days = cls(name=nameField, earliest_offset=EARLIEST_OFFSET, latest_offset=LATEST_OFFSET, search=search_field)
         risk_events_last_7_days = cls(name=nameField, earliest_offset=None, latest_offset=None, search=search_field)
 
         return [detection_results,risk_events_last_7_days]
     
 
     def perform_search_substitutions(self, detection:Detection)->None:
-        if (self.search.count("%") % 2) or (self.search.count("$") % 2):
-            print("\n\nWarning - a non-even number of '%' or '$' characters were found in the\n"
-                  f"drilldown search '{self.search}' for Detection {detection.file_path}.\n"
-                  "If this was intentional, then please ignore this warning.\n")
-        self.search = self.search.replace(SEARCH_PLACEHOLDER, detection.search)
+        """Replaces the field DRILLDOWN_SEARCH_PLACEHOLDER (%original_detection_search%)
+        with the search contained in the detection. We do this so that the YML does not
+        need the search copy/pasted from the search field into the drilldown object.
+
+        Args:
+            detection (Detection): Detection to be used to update the search field of the drilldown
+        """             
+        self.search = self.search.replace(DRILLDOWN_SEARCH_PLACEHOLDER, detection.search)
     
 
     @model_serializer
