Added some documentation and

updated the jinja2 template.
escapeNewlines() was ONLY
being applied to the
detection.description before,
but it MUST be applied to
the explanation as well. This
bug was confirmed by generating
some conf files with description
and/or explanations, with spaces,
defined.
Now, whichever value is used to
populate that field is properly
escaped.

Author: pyth0n1c

contentctl/objects/abstract_security_content_objects/detection_abstract.py

@@ -67,7 +67,16 @@ class Detection_Abstract(SecurityContentObject):
     search: str = Field(...)
     how_to_implement: str = Field(..., min_length=4)
     known_false_positives: str = Field(..., min_length=4)
-    explanation: Optional[str] = None
+    explanation: None | str = Field(
+        default=None,
+        exclude=True, #Don't serialize this value when dumping the object
+        description="Provide an explanation to be included "
+        "in the 'Explanation' field of the Detection in "
+        "the Use Case Library. If this field is not "
+        "defined in the YML, it will default to the "
+        "value of the 'description' field when " 
+        "serialized in analyticstories_detections.j2",
+    )
 
     enabled_by_default: bool = False
     file_path: FilePath = Field(...)

contentctl/output/templates/analyticstories_detections.j2

@@ -7,7 +7,7 @@
 type = detection
 asset_type = {{ detection.tags.asset_type.value }}
 confidence = medium
-explanation = {{ detection.explanation if detection.explanation else detection.description | escapeNewlines() }}
+explanation = {{ (detection.explanation if detection.explanation else detection.description) | escapeNewlines() }}
 {% if detection.how_to_implement is defined %}
 how_to_implement = {{ detection.how_to_implement | escapeNewlines() }}
 {% else %}