contentctl 4.3.5__py3-none-any.whl → 4.4.1__py3-none-any.whl

contentctl/objects/correlation_search.py

@@ -1,10 +1,11 @@
 import logging
 import time
 import json
-from typing import Union, Optional, Any
+from typing import Any
 from enum import Enum
+from functools import cached_property
 
-from pydantic import BaseModel, validator, Field, PrivateAttr
+from pydantic import ConfigDict, BaseModel, computed_field, Field, PrivateAttr
 from splunklib.results import JSONResultsReader, Message                                            # type: ignore
 from splunklib.binding import HTTPError, ResponseReader                                             # type: ignore
 import splunklib.client as splunklib                                                                # type: ignore
@@ -15,7 +16,7 @@ from contentctl.objects.notable_action import NotableAction
 from contentctl.objects.base_test_result import TestResultStatus
 from contentctl.objects.integration_test_result import IntegrationTestResult
 from contentctl.actions.detection_testing.progress_bar import (
-    format_pbar_string,
+    format_pbar_string,                                                                             # type: ignore
     TestReportingType,
     TestingStates
 )
@@ -178,13 +179,14 @@ class PbarData(BaseModel):
     :param fq_test_name: the fully qualifed (fq) test name ("<detection_name>:<test_name>") used for logging
     :param start_time: the start time used for logging
     """
-    pbar: tqdm
+    pbar: tqdm                                                                                      # type: ignore
     fq_test_name: str
     start_time: float
 
-    class Config:
-        # needed to support the tqdm type
-        arbitrary_types_allowed = True
+    # needed to support the tqdm type
+    model_config = ConfigDict(
+        arbitrary_types_allowed=True
+    )
 
 
 class CorrelationSearch(BaseModel):
@@ -197,143 +199,110 @@ class CorrelationSearch(BaseModel):
     :param pbar_data: the encapsulated info needed for logging w/ pbar
     :param test_index: the index attack data is forwarded to for testing (optionally used in cleanup)
     """
-    ## The following three fields are explicitly needed at instantiation                            # noqa: E266
-
     # the detection associated with the correlation search (e.g. "Windows Modify Registry EnableLinkedConnections")
-    detection: Detection
+    detection: Detection = Field(...)
 
     # a Service instance representing a connection to a Splunk instance
-    service: splunklib.Service
+    service: splunklib.Service = Field(...)
 
     # the encapsulated info needed for logging w/ pbar
-    pbar_data: PbarData
-
-    ## The following field is optional for instantiation                                            # noqa: E266
+    pbar_data: PbarData = Field(...)
 
     # The index attack data is sent to; can be None if we are relying on the caller to do our
     # cleanup of this index
-    test_index: Optional[str] = Field(default=None, min_length=1)
-
-    ## All remaining fields can be derived from other fields or have intentional defaults that      # noqa: E266
-    ## should not be changed (validators should prevent instantiating some of these fields directly # noqa: E266
-    ## to prevent undefined behavior)                                                               # noqa: E266
+    test_index: str | None = Field(default=None, min_length=1)
 
     # The logger to use (logs all go to a null pipe unless ENABLE_LOGGING is set to True, so as not
     # to conflict w/ tqdm)
-    logger: logging.Logger = Field(default_factory=get_logger)
-
-    # The search name (e.g. "ESCU - Windows Modify Registry EnableLinkedConnections - Rule")
-    name: Optional[str] = None
-
-    # The path to the saved search on the Splunk instance
-    splunk_path: Optional[str] = None
-
-    # A model of the saved search as provided by splunklib
-    saved_search: Optional[splunklib.SavedSearch] = None
+    logger: logging.Logger = Field(default_factory=get_logger, init=False)
 
     # The set of indexes to clear on cleanup
-    indexes_to_purge: set[str] = set()
+    indexes_to_purge: set[str] = Field(default=set(), init=False)
 
     # The risk analysis adaptive response action (if defined)
-    risk_analysis_action: Union[RiskAnalysisAction, None] = None
+    _risk_analysis_action: RiskAnalysisAction | None = PrivateAttr(default=None)
 
     # The notable adaptive response action (if defined)
-    notable_action: Union[NotableAction, None] = None
+    _notable_action: NotableAction | None = PrivateAttr(default=None)
 
     # The list of risk events found
-    _risk_events: Optional[list[RiskEvent]] = PrivateAttr(default=None)
+    _risk_events: list[RiskEvent] | None = PrivateAttr(default=None)
 
     # The list of notable events found
-    _notable_events: Optional[list[NotableEvent]] = PrivateAttr(default=None)
+    _notable_events: list[NotableEvent] | None = PrivateAttr(default=None)
 
-    class Config:
-        # needed to allow fields w/ types like SavedSearch
-        arbitrary_types_allowed = True
-        # We want to have more ridgid typing
-        extra = 'forbid'
+    # Need arbitrary types to allow fields w/ types like SavedSearch; we also want to forbid
+    # unexpected fields
+    model_config = ConfigDict(
+        arbitrary_types_allowed=True,
+        extra='forbid'
+    )
 
-    @validator("name", always=True)
-    @classmethod
-    def _convert_detection_to_search_name(cls, v, values) -> str:
-        """
-        Validate name and derive if None
-        """
-        if "detection" not in values:
-            raise ValueError("detection missing; name is dependent on detection")
+    def model_post_init(self, __context: Any) -> None:
+        super().model_post_init(__context)
 
-        expected_name = f"ESCU - {values['detection'].name} - Rule"
-        if v is not None and v != expected_name:
-            raise ValueError(
-                "name must be derived from detection; leave as None and it will be derived automatically"
-            )
-        return expected_name
+        # Parse the initial values for the risk/notable actions
+        self._parse_risk_and_notable_actions()
 
-    @validator("splunk_path", always=True)
-    @classmethod
-    def _derive_splunk_path(cls, v, values) -> str:
+    @computed_field
+    @cached_property
+    def name(self) -> str:
         """
-        Validate splunk_path and derive if None
+        The search name (e.g. "ESCU - Windows Modify Registry EnableLinkedConnections - Rule")
+
+        :returns: the search name
+        :rtype: str
         """
-        if "name" not in values:
-            raise ValueError("name missing; splunk_path is dependent on name")
+        return f"ESCU - {self.detection.name} - Rule"
 
-        expected_path = f"saved/searches/{values['name']}"
-        if v is not None and v != expected_path:
-            raise ValueError(
-                "splunk_path must be derived from name; leave as None and it will be derived automatically"
-            )
-        return f"saved/searches/{values['name']}"
+    @computed_field
+    @cached_property
+    def splunk_path(self) -> str:
+        """
+        The path to the saved search on the Splunk instance
 
-    @validator("saved_search", always=True)
-    @classmethod
-    def _instantiate_saved_search(cls, v, values) -> str:
+        :returns: the search path
+        :rtype: str
         """
-        Ensure saved_search was initialized as None and derive
+        return f"/saved/searches/{self.name}"
+
+    @computed_field
+    @cached_property
+    def saved_search(self) -> splunklib.SavedSearch:
         """
-        if "splunk_path" not in values or "service" not in values:
-            raise ValueError("splunk_path or service missing; saved_search is dependent on both")
+        A model of the saved search as provided by splunklib
 
-        if v is not None:
-            raise ValueError(
-                "saved_search must be derived from the service and splunk_path; leave as None and it will be derived "
-                "automatically"
-            )
+        :returns: the SavedSearch object
+        :rtype: :class:`splunklib.client.SavedSearch`
+        """
         return splunklib.SavedSearch(
-            values['service'],
-            values['splunk_path'],
+            self.service,
+            self.splunk_path,
         )
 
-    @validator("risk_analysis_action", always=True)
-    @classmethod
-    def _init_risk_analysis_action(cls, v, values) -> Optional[RiskAnalysisAction]:
-        """
-        Initialize risk_analysis_action
+    # TODO (cmcginley): need to make this refreshable
+    @computed_field
+    @property
+    def risk_analysis_action(self) -> RiskAnalysisAction | None:
         """
-        if "saved_search" not in values:
-            raise ValueError("saved_search missing; risk_analysis_action is dependent on saved_search")
+        The risk analysis adaptive response action (if defined)
 
-        if v is not None:
-            raise ValueError(
-                "risk_analysis_action must be derived from the saved_search; leave as None and it will be derived "
-                "automatically"
-            )
-        return CorrelationSearch._get_risk_analysis_action(values['saved_search'].content)
-
-    @validator("notable_action", always=True)
-    @classmethod
-    def _init_notable_action(cls, v, values) -> Optional[NotableAction]:
+        :returns: the RiskAnalysisAction object, if it exists
+        :rtype: :class:`contentctl.objects.risk_analysis_action.RiskAnalysisAction` | None
         """
-        Initialize notable_action
+        return self._risk_analysis_action
+
+    # TODO (cmcginley): need to make this refreshable
+    @computed_field
+    @property
+    def notable_action(self) -> NotableAction | None:
         """
-        if "saved_search" not in values:
-            raise ValueError("saved_search missing; notable_action is dependent on saved_search")
+        The notable adaptive response action (if defined)
 
-        if v is not None:
-            raise ValueError(
-                "notable_action must be derived from the saved_search; leave as None and it will be derived "
-                "automatically"
-            )
-        return CorrelationSearch._get_notable_action(values['saved_search'].content)
+        :returns: the NotableAction object, if it exists
+        :rtype: :class:`contentctl.objects.notable_action.NotableAction` | None
+        """
+        return self._notable_action
 
     @property
     def earliest_time(self) -> str:
@@ -393,7 +362,7 @@ class CorrelationSearch(BaseModel):
         return self.notable_action is not None
 
     @staticmethod
-    def _get_risk_analysis_action(content: dict[str, Any]) -> Optional[RiskAnalysisAction]:
+    def _get_risk_analysis_action(content: dict[str, Any]) -> RiskAnalysisAction | None:
         """
         Given the saved search content, parse the risk analysis action
         :param content: a dict of strings to values
@@ -407,7 +376,7 @@ class CorrelationSearch(BaseModel):
         return None
 
     @staticmethod
-    def _get_notable_action(content: dict[str, Any]) -> Optional[NotableAction]:
+    def _get_notable_action(content: dict[str, Any]) -> NotableAction | None:
         """
         Given the saved search content, parse the notable action
         :param content: a dict of strings to values
@@ -431,10 +400,6 @@ class CorrelationSearch(BaseModel):
                 relevant.append(observable)
         return relevant
 
-    # TODO (PEX-484): ideally, we could handle this and the following init w/ a call to
-    #   model_post_init, so that all the logic is encapsulated w/in _parse_risk_and_notable_actions
-    #   but that is a pydantic v2 feature (see the init validators for risk/notable actions):
-    #   https://docs.pydantic.dev/latest/api/base_model/#pydantic.main.BaseModel.model_post_init
     def _parse_risk_and_notable_actions(self) -> None:
         """Parses the risk/notable metadata we care about from self.saved_search.content
 
@@ -445,12 +410,12 @@ class CorrelationSearch(BaseModel):
             unpacked to be anything other than a singleton
         """
         # grab risk details if present
-        self.risk_analysis_action = CorrelationSearch._get_risk_analysis_action(
+        self._risk_analysis_action = CorrelationSearch._get_risk_analysis_action(
             self.saved_search.content                                                               # type: ignore
         )
 
         # grab notable details if present
-        self.notable_action = CorrelationSearch._get_notable_action(self.saved_search.content)      # type: ignore
+        self._notable_action = CorrelationSearch._get_notable_action(self.saved_search.content)     # type: ignore
 
     def refresh(self) -> None:
         """Refreshes the metadata in the SavedSearch entity, and re-parses the fields we care about
@@ -738,7 +703,7 @@ class CorrelationSearch(BaseModel):
         # TODO (#250): Re-enable and refactor code that validates the specific risk counts
         # Validate risk events in aggregate; we should have an equal amount of risk events for each
         # relevant observable, and the total count should match the total number of events
-        # individual_count: Optional[int] = None
+        # individual_count: int | None = None
         # total_count = 0
         # for observable_str in observable_counts:
         #     self.logger.debug(
@@ -802,7 +767,7 @@ class CorrelationSearch(BaseModel):
             )
 
         # initialize result as None
-        result: Optional[IntegrationTestResult] = None
+        result: IntegrationTestResult | None = None
 
         # keep track of time slept and number of attempts for exponential backoff (base 2)
         elapsed_sleep_time = 0

contentctl/objects/dashboard.py

@@ -0,0 +1,100 @@
+from typing import Any
+from pydantic import Field, Json, model_validator
+
+import pathlib
+from jinja2 import Environment
+import json
+from contentctl.objects.security_content_object import SecurityContentObject
+from contentctl.objects.config import build
+from enum import StrEnum
+
+DEFAULT_DASHBAORD_JINJA2_TEMPLATE = '''<dashboard version="2" theme="{{ dashboard.theme }}">
+    <label>{{ dashboard.label(config) }}</label>
+    <description></description>
+    <definition><![CDATA[
+{{ dashboard.pretty_print_json_obj() }}
+    ]]></definition>
+    <meta type="hiddenElements"><![CDATA[
+{
+	"hideEdit": false,
+	"hideOpenInSearch": false,
+	"hideExport": false
+}
+    ]]></meta>
+</dashboard>'''
+
+class DashboardTheme(StrEnum):
+    light = "light"
+    dark = "dark"
+
+class Dashboard(SecurityContentObject):
+    j2_template: str = Field(default=DEFAULT_DASHBAORD_JINJA2_TEMPLATE, description="Jinja2 Template used to construct the dashboard")
+    description: str = Field(...,description="A description of the dashboard. This does not have to match "
+                             "the description of the dashboard in the JSON file.", max_length=10000)
+    theme: DashboardTheme = Field(default=DashboardTheme.light, description="The theme of the dashboard. Choose between 'light' and 'dark'.")
+    json_obj: Json[dict[str,Any]] = Field(..., description="Valid JSON object that describes the dashboard")
+    
+    
+    
+    def label(self, config:build)->str:
+        return f"{config.app.label} - {self.name}"
+    
+    @model_validator(mode="before")
+    @classmethod
+    def validate_fields_from_json(cls, data:Any)->Any:
+        yml_file_name:str|None = data.get("file_path", None)
+        if yml_file_name is None:
+            raise ValueError("File name not passed to dashboard constructor")
+        yml_file_path = pathlib.Path(yml_file_name)
+        json_file_path = yml_file_path.with_suffix(".json")
+
+        if not json_file_path.is_file():
+            raise ValueError(f"Required file {json_file_path} does not exist.")
+        
+        with open(json_file_path,'r') as jsonFilePointer:
+            try:
+                json_obj:dict[str,Any] = json.load(jsonFilePointer)
+            except Exception as e:
+                raise ValueError(f"Unable to load data from {json_file_path}: {str(e)}")
+
+        name_from_file = data.get("name",None)
+        name_from_json  = json_obj.get("title",None)
+
+        errors:list[str] = []
+        if name_from_json is None:
+            errors.append(f"'title' field is missing from {json_file_path}")
+        elif name_from_json != name_from_file:
+            errors.append(f"The 'title' field in the JSON file [{json_file_path}] does not match the 'name' field in the YML object [{yml_file_path}]. These two MUST match:\n    "
+                          f"title in JSON : {name_from_json}\n    "
+                          f"title in YML  : {name_from_file}\n    ")
+        
+        description_from_json = json_obj.get("description",None)
+        if description_from_json is None:
+            errors.append("'description' field is missing from field 'json_object'")
+        
+        if len(errors) > 0 :
+            err_string = "\n  - ".join(errors)
+            raise ValueError(f"Error(s) validating dashboard:\n  - {err_string}")
+        
+        data['name'] = name_from_file
+        data['json_obj'] = json.dumps(json_obj)
+        return data
+
+    
+    def pretty_print_json_obj(self):
+        return json.dumps(self.json_obj, indent=4)
+    
+    def getOutputFilepathRelativeToAppRoot(self, config:build)->pathlib.Path:
+        filename = f"{self.file_path.stem}.xml".lower()
+        return pathlib.Path("default/data/ui/views")/filename
+    
+    
+    def writeDashboardFile(self, j2_env:Environment, config:build):
+        template = j2_env.from_string(self.j2_template)
+        dashboard_text = template.render(config=config, dashboard=self)
+
+        with open(config.getPackageDirectoryPath()/self.getOutputFilepathRelativeToAppRoot(config), 'a') as f:
+            output_xml = dashboard_text.encode('utf-8', 'ignore').decode('utf-8')
+            f.write(output_xml)
+
+

contentctl/objects/deployment.py

@@ -1,7 +1,8 @@
 from __future__ import annotations
-from pydantic import Field, computed_field, model_validator,ValidationInfo, model_serializer
-from typing import Optional,Any
-
+from pydantic import Field, computed_field,ValidationInfo, model_serializer, NonNegativeInt
+from typing import Any
+import uuid
+import datetime
 from contentctl.objects.security_content_object import SecurityContentObject
 from contentctl.objects.deployment_scheduling import DeploymentScheduling
 from contentctl.objects.alert_action import AlertAction
@@ -15,9 +16,13 @@ class Deployment(SecurityContentObject):
     #author: str = None
     #description: str = None
     #contentType: SecurityContentType = SecurityContentType.deployments
+    
+    
     scheduling: DeploymentScheduling = Field(...)
     alert_action: AlertAction = AlertAction()
     type: DeploymentType = Field(...)
+    author: str = Field(...,max_length=255)
+    version: NonNegativeInt = 1
 
     #Type was the only tag exposed and should likely be removed/refactored.
     #For transitional reasons, provide this as a computed_field in prep for removal
@@ -25,7 +30,8 @@ class Deployment(SecurityContentObject):
     @property
     def tags(self)->dict[str,DeploymentType]:
         return {"type": self.type}
-    
+
+        
     @staticmethod
     def getDeployment(v:dict[str,Any], info:ValidationInfo)->Deployment:
         if v != {}:
@@ -36,8 +42,17 @@ class Deployment(SecurityContentObject):
             detection_name = info.data.get("name", None)
             if detection_name is None:
                 raise ValueError("Could not create inline deployment - Baseline or Detection lacking 'name' field,")
+
+            # Add a number of static values            
+            v.update({
+              'name': f"{detection_name} - Inline Deployment",
+              'id':uuid.uuid4(),
+              'date': datetime.date.today(),
+              'description': "Inline deployment created at runtime.",
+              'author': "contentctl tool"
+            })
+
             
-            v['name'] = f"{detection_name} - Inline Deployment"
             # This constructs a temporary in-memory deployment,
             # allowing the deployment to be easily defined in the 
             # detection on a per detection basis.

contentctl/objects/detection_tags.py

@@ -16,6 +16,7 @@ from pydantic import (
     model_validator
 )
 from contentctl.objects.story import Story
+from contentctl.objects.throttling import Throttling
 if TYPE_CHECKING:
     from contentctl.input.director import DirectorOutputDto
 
@@ -29,7 +30,6 @@ from contentctl.objects.enums import (
     RiskSeverity,
     KillChainPhase,
     NistCategory,
-    RiskLevel,
     SecurityContentProductName
 )
 from contentctl.objects.atomic import AtomicEnrichment, AtomicTest
@@ -49,6 +49,23 @@ class DetectionTags(BaseModel):
     @property
     def risk_score(self) -> int:
         return round((self.confidence * self.impact)/100)
+    
+    @computed_field
+    @property
+    def severity(self)->RiskSeverity:
+        if 0 <= self.risk_score <= 20:
+            return RiskSeverity.INFORMATIONAL
+        elif 20 < self.risk_score <= 40:
+            return RiskSeverity.LOW
+        elif 40 < self.risk_score <= 60:
+            return RiskSeverity.MEDIUM
+        elif 60 < self.risk_score <= 80:
+            return RiskSeverity.HIGH
+        elif 80 < self.risk_score <= 100:
+            return RiskSeverity.CRITICAL
+        else:
+            raise Exception(f"Error getting severity - risk_score must be between 0-100, but was actually {self.risk_score}")
+
 
     mitre_attack_id: List[MITRE_ATTACK_ID_TYPE] = []
     nist: list[NistCategory] = []
@@ -58,31 +75,16 @@ class DetectionTags(BaseModel):
     message: str = Field(...)
     product: list[SecurityContentProductName] = Field(..., min_length=1)
     required_fields: list[str] = Field(min_length=1)
-
+    throttling: Optional[Throttling] = None
     security_domain: SecurityDomain = Field(...)
-
-    @computed_field
-    @property
-    def risk_severity(self) -> RiskSeverity:
-        if self.risk_score >= 80:
-            return RiskSeverity('high')
-        elif (self.risk_score >= 50 and self.risk_score <= 79):
-            return RiskSeverity('medium')
-        else:
-            return RiskSeverity('low')
-
     cve: List[CVE_TYPE] = []
     atomic_guid: List[AtomicTest] = []
-    drilldown_search: Optional[str] = None
+    
 
     # enrichment
     mitre_attack_enrichments: List[MitreAttackEnrichment] = Field([], validate_default=True)
     confidence_id: Optional[PositiveInt] = Field(None, ge=1, le=3)
     impact_id: Optional[PositiveInt] = Field(None, ge=1, le=5)
-    # context_ids: list = None
-    risk_level_id: Optional[NonNegativeInt] = Field(None, le=4)
-    risk_level: Optional[RiskLevel] = None
-    # observable_str: str = None
     evidence_str: Optional[str] = None
 
     @computed_field
@@ -112,7 +114,7 @@ class DetectionTags(BaseModel):
 
     # TODO (#268): Validate manual_test has length > 0 if not None
     manual_test: Optional[str] = None
-
+    
     # The following validator is temporarily disabled pending further discussions
     # @validator('message')
     # def validate_message(cls,v,values):
@@ -158,7 +160,7 @@ class DetectionTags(BaseModel):
             "message": self.message,
             "risk_score": self.risk_score,
             "security_domain": self.security_domain,
-            "risk_severity": self.risk_severity,
+            "risk_severity": self.severity,
             "mitre_attack_id": self.mitre_attack_id,
             "mitre_attack_enrichments": self.mitre_attack_enrichments
         }

contentctl/objects/drilldown.py

@@ -0,0 +1,70 @@
+from __future__ import annotations
+from pydantic import BaseModel, Field, model_serializer
+from typing import TYPE_CHECKING
+if TYPE_CHECKING:
+    from contentctl.objects.detection import Detection
+from contentctl.objects.enums import AnalyticsType
+DRILLDOWN_SEARCH_PLACEHOLDER = "%original_detection_search%"
+EARLIEST_OFFSET = "$info_min_time$"
+LATEST_OFFSET = "$info_max_time$"
+RISK_SEARCH = "index = risk  starthoursago = 168 endhoursago = 0 | stats count values(search_name) values(risk_message) values(analyticstories) values(annotations._all) values(annotations.mitre_attack.mitre_tactic) "
+
+class Drilldown(BaseModel):
+    name: str = Field(..., description="The name of the drilldown search", min_length=5)
+    search: str = Field(..., description="The text of a drilldown search. This must be valid SPL.", min_length=1)
+    earliest_offset:None | str = Field(..., 
+                                description="Earliest offset time for the drilldown search. "
+                                f"The most common value for this field is '{EARLIEST_OFFSET}', "
+                                "but it is NOT the default value and must be supplied explicitly.", 
+                                min_length= 1)
+    latest_offset:None | str = Field(..., 
+                              description="Latest offset time for the driolldown search. "
+                              f"The most common value for this field is '{LATEST_OFFSET}', "
+                              "but it is NOT the default value and must be supplied explicitly.", 
+                              min_length= 1)
+
+    @classmethod
+    def constructDrilldownsFromDetection(cls, detection: Detection) -> list[Drilldown]:
+        victim_observables = [o for o in detection.tags.observable if o.role[0] == "Victim"] 
+        if len(victim_observables) == 0 or detection.type == AnalyticsType.Hunting:
+            # No victims, so no drilldowns
+            return []
+        print(f"Adding default drilldowns for [{detection.name}]")
+        variableNamesString = ' and '.join([f"${o.name}$" for o in victim_observables])
+        nameField = f"View the detection results for {variableNamesString}"
+        appendedSearch =  " | search " + ' '.join([f"{o.name} = ${o.name}$" for o in victim_observables])
+        search_field = f"{detection.search}{appendedSearch}"
+        detection_results = cls(name=nameField, earliest_offset=EARLIEST_OFFSET, latest_offset=LATEST_OFFSET, search=search_field)
+        
+        
+        nameField = f"View risk events for the last 7 days for {variableNamesString}"
+        fieldNamesListString = ', '.join([o.name for o in victim_observables])
+        search_field = f"{RISK_SEARCH}by {fieldNamesListString} {appendedSearch}"
+        risk_events_last_7_days = cls(name=nameField, earliest_offset=None, latest_offset=None, search=search_field)
+
+        return [detection_results,risk_events_last_7_days]
+    
+
+    def perform_search_substitutions(self, detection:Detection)->None:
+        """Replaces the field DRILLDOWN_SEARCH_PLACEHOLDER (%original_detection_search%)
+        with the search contained in the detection. We do this so that the YML does not
+        need the search copy/pasted from the search field into the drilldown object.
+
+        Args:
+            detection (Detection): Detection to be used to update the search field of the drilldown
+        """             
+        self.search = self.search.replace(DRILLDOWN_SEARCH_PLACEHOLDER, detection.search)
+    
+
+    @model_serializer
+    def serialize_model(self) -> dict[str,str]:
+        #Call serializer for parent
+        model:dict[str,str] = {}
+
+        model['name'] = self.name
+        model['search'] = self.search
+        if self.earliest_offset is not None:
+            model['earliest_offset'] = self.earliest_offset
+        if self.latest_offset is not None:
+            model['latest_offset'] = self.latest_offset
+        return model