From db1996973cdff1ba959595b1f4a9cc1f6d88381d Mon Sep 17 00:00:00 2001
From: pyth0n1c
Date: Wed, 20 Nov 2024 17:01:07 -0800
Subject: [PATCH] change _UPDATE_ string to __UPDATE__ Remove extra pair of quotes from new detection template
---
 contentctl/actions/new_content.py | 4 ++--
 contentctl/input/new_content_questions.py | 2 +-
 contentctl/input/yml_reader.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/contentctl/actions/new_content.py b/contentctl/actions/new_content.py
index 136528b8..0d3ffc4a 100644
--- a/contentctl/actions/new_content.py
+++ b/contentctl/actions/new_content.py
@@ -12,7 +12,7 @@ from contentctl.objects.enums import AssetType
 from contentctl.objects.constants import SES_OBSERVABLE_TYPE_MAPPING, SES_OBSERVABLE_ROLE_MAPPING
 class NewContent:
- UPDATE_PREFIX = "_UPDATE_"
+ UPDATE_PREFIX = "__UPDATE__"
 DEFAULT_DRILLDOWN_DEF = [
 {
@@ -68,7 +68,7 @@ def buildDetection(self) -> tuple[dict[str, Any], str]:
 "type": answers["detection_type"],
 "description": f"{NewContent.UPDATE_PREFIX} by providing a description of your search",
 "data_source": data_source_field,
- "search": f"{answers['detection_search']} | `{file_name}_filter`'",
+ "search": f"{answers['detection_search']} | `{file_name}_filter`",
 "how_to_implement": f"{NewContent.UPDATE_PREFIX} how to implement your search",
 "known_false_positives": f"{NewContent.UPDATE_PREFIX} known false positives for your search",
 "references": [f"{NewContent.UPDATE_PREFIX} zero or more http references to provide more information about your search"],
diff --git a/contentctl/input/new_content_questions.py b/contentctl/input/new_content_questions.py
index 98595776..dbc47cdd 100644
--- a/contentctl/input/new_content_questions.py
+++ b/contentctl/input/new_content_questions.py
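Review bot: The placeholder literal is still defined three times after this change: `UPDATE_PREFIX` in `class NewContent` (first hunk of contentctl/actions/new_content.py), the hardcoded `"| __UPDATE__ SPL"` default in `get_questions_detection`, and the hardcoded copy in `load_file`, so the next rename has to touch all three again. If the copies drift, the substring check in `load_file` no longer matches what the templates emit, and a half-filled detection would pass loading without the error. `new_content.py` already imports from `contentctl.objects.constants`; if that module sits outside the circular import mentioned in the `yml_reader.py` comment (not visible here), defining `UPDATE_PREFIX = "__UPDATE__"` there once and building the prompt default as `f"| {UPDATE_PREFIX} SPL"` would keep the generator and the guard in step.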
@@ -57,7 +57,7 @@ def get_questions_detection(cls) -> list[dict[str,Any]]:
 "type": "text",
 "message": "enter search (spl)",
 "name": "detection_search",
- "default": "| _UPDATE_ SPL",
+ "default": "| __UPDATE__ SPL",
 },
 {
 "type": "text",
diff --git a/contentctl/input/yml_reader.py b/contentctl/input/yml_reader.py
index 8df243fd..49dfb812 100644
--- a/contentctl/input/yml_reader.py
+++ b/contentctl/input/yml_reader.py
@@ -29,7 +29,7 @@ def load_file(file_path: pathlib.Path, add_fields:bool=True, STRICT_YML_CHECKING
 # and use NewContent.UPDATE_PREFIX,
 # but there is a circular dependency right now which makes that difficult.
 # We have instead hardcoded UPDATE_PREFIX
- UPDATE_PREFIX = "_UPDATE_"
+ UPDATE_PREFIX = "__UPDATE__"
 data = file_handler.read()
 if UPDATE_PREFIX in data:
 raise Exception(f"The file {file_path} contains the value '{UPDATE_PREFIX}'. Please fill out any unpopulated fields as required.")
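Review bot: Narrowing the guard in `load_file` to `"__UPDATE__"` means files scaffolded by earlier versions, whose placeholders read `_UPDATE_`, are no longer rejected: the old token is a substring of the new one, but not the other way round. For detection content this matters, since an unfinished description or search left over from an older template could now load without the "Please fill out any unpopulated fields" error. A comment next to the constant such as `# files created before this rename still contain "_UPDATE_" and are not caught by this check`, together with a release note, would make the gap visible; a transitional warning for the legacy token is an option if such files are expected to exist. The body of `load_file` starts and ends outside the hunk.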