change _UPDATE_ string to __UPDATE__

Remove extra pair of quotes from new detection template
splunk · Nov 21, 2024 · db19969 · db19969
1 parent 3fea2f6
commit db19969
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 4 deletions.
diff --git a/contentctl/actions/new_content.py b/contentctl/actions/new_content.py
@@ -12,7 +12,7 @@
 from contentctl.objects.enums import AssetType
 from contentctl.objects.constants import SES_OBSERVABLE_TYPE_MAPPING, SES_OBSERVABLE_ROLE_MAPPING
 class NewContent:
-    UPDATE_PREFIX = "_UPDATE_"
+    UPDATE_PREFIX = "__UPDATE__"
 
     DEFAULT_DRILLDOWN_DEF = [
         {
@@ -68,7 +68,7 @@ def buildDetection(self) -> tuple[dict[str, Any], str]:
             "type": answers["detection_type"],
             "description": f"{NewContent.UPDATE_PREFIX} by providing a description of your search",
             "data_source": data_source_field,
-            "search": f"{answers['detection_search']} | `{file_name}_filter`'",
+            "search": f"{answers['detection_search']} | `{file_name}_filter`",
             "how_to_implement": f"{NewContent.UPDATE_PREFIX} how to implement your search",
             "known_false_positives": f"{NewContent.UPDATE_PREFIX} known false positives for your search",
             "references": [f"{NewContent.UPDATE_PREFIX} zero or more http references to provide more information about your search"],

diff --git a/contentctl/input/new_content_questions.py b/contentctl/input/new_content_questions.py
@@ -57,7 +57,7 @@ def get_questions_detection(cls) -> list[dict[str,Any]]:
                 "type": "text",
                 "message": "enter search (spl)",
                 "name": "detection_search",
-                "default": "| _UPDATE_ SPL",
+                "default": "| __UPDATE__ SPL",
             },
             {
                 "type": "text",

diff --git a/contentctl/input/yml_reader.py b/contentctl/input/yml_reader.py
@@ -29,7 +29,7 @@ def load_file(file_path: pathlib.Path, add_fields:bool=True, STRICT_YML_CHECKING
                 # and use NewContent.UPDATE_PREFIX, 
                 # but there is a circular dependency right now which makes that difficult.
                 # We have instead hardcoded UPDATE_PREFIX
-                UPDATE_PREFIX = "_UPDATE_"
+                UPDATE_PREFIX = "__UPDATE__"
                 data = file_handler.read()
                 if UPDATE_PREFIX in data:
                     raise Exception(f"The file {file_path} contains the value '{UPDATE_PREFIX}'. Please fill out any unpopulated fields as required.")