From 142e98af8a2bb01b2ae5ad28f20337ed36fa6cc2 Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Tue, 8 Jul 2025 23:47:25 +0100
Subject: [PATCH 1/2] override deployment
---
 contentctl/actions/new_content.py | 17 +++++++++++++++++
 contentctl/input/new_content_questions.py | 10 ++++++++++
 2 files changed, 27 insertions(+)
diff --git a/contentctl/actions/new_content.py b/contentctl/actions/new_content.py
index 6557d82e..cdac0390 100644
--- a/contentctl/actions/new_content.py
+++ b/contentctl/actions/new_content.py
@@ -82,6 +82,19 @@ def buildDetection(self) -> tuple[dict[str, Any], str]:
 "author": answers["detection_author"],
 "status": "production", # start everything as production since that's what we INTEND the content to become
 "type": answers["detection_type"],
+ "deployment": {
+ "scheduling": {
+ "cron_schedule": "0 * * * *",
+ "earliest_time": "-70m@m",
+ "latest_time": "-10m@m",
+ "schedule_window": "auto",
+ },
+ "alert_action": {
+ "rba": {
+ "enabled": "true",
+ },
+ },
+ },
 "description": f"{NewContent.UPDATE_PREFIX} by providing a description of your search",
 "data_source": data_source_field,
 "search": f"{answers['detection_search']} | `{file_name}_filter`",
@@ -125,6 +138,10 @@ def buildDetection(self) -> tuple[dict[str, Any], str]:
 if answers["detection_type"] not in ["TTP", "Anomaly"]:
 del output_file_answers["rba"]
+ del output_file_answers["deployment"]["alert_action"]
+
+ if answers["deployment_override"] == "no":
+ del output_file_answers["deployment"]
 return output_file_answers, answers["detection_kind"]
diff --git a/contentctl/input/new_content_questions.py b/contentctl/input/new_content_questions.py
index a7ce0e56..07bdf9ca 100644
--- a/contentctl/input/new_content_questions.py
+++ b/contentctl/input/new_content_questions.py
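Review bot: In the new `deployment` block, `"enabled": "true"` is a quoted string rather than a boolean, unlike the other values in this literal that carry typed data; if the deployment/RBA model field is a bool this only works through loose coercion at load time, and `"enabled": True` would state the intent directly. The scheduling literals (`"0 * * * *"`, `"-70m@m"`, `"-10m@m"`, `"auto"`) are unexplained, and the block is always built here even though it is pruned again later in the same function, so a comment such as `# Full default deployment block; dropped below unless the user chose to override deployment` would tell the next maintainer why it is unconditional. buildDetection begins before this hunk.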
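Review bot: `if answers["deployment_override"] == "no":` keeps the deployment block for any answer that is not the literal `"no"`, so an unexpected value silently emits the block and a missing key raises KeyError; since the question defaults to `"no"` and only an explicit `"yes"` should opt in, `if answers.get("deployment_override", "no") != "yes":` fails closed and preserves the previous output when the answer is absent. Whether `answers` can ever arrive without that key (for instance from a non-interactive path) is not visible here, so treat the `.get` default as the hedged part. The `alert_action` deletion inside the detection_type branch is safe only because the dict literal earlier in this function always includes `deployment`; a one-line comment `# deployment is always built above; drop its RBA alert action together with rba` would make that dependency explicit. buildDetection starts before this hunk and its body continues outside it.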
@@ -71,6 +71,16 @@ def get_questions_detection(cls) -> list[dict[str, Any]]:
 ],
 "default": "endpoint",
 },
+ {
+ "type": "select",
+ "message": "deployment override",
+ "name": "deployment_override",
+ "choices": [
+ "yes",
+ "no",
+ ],
+ "default": "no",
+ },
 ]
 return questions
From 09b5346e73d8c554d13f89227e48d5f763964645 Mon Sep 17 00:00:00 2001
From: 0xC0FFEEEE <119874251+0xC0FFEEEE@users.noreply.github.com>
Date: Tue, 8 Jul 2025 23:52:52 +0100
Subject: [PATCH 2/2] ruff formatting
---
 contentctl/actions/new_content.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contentctl/actions/new_content.py b/contentctl/actions/new_content.py
index cdac0390..4b4989e4 100644
--- a/contentctl/actions/new_content.py
+++ b/contentctl/actions/new_content.py
@@ -139,7 +139,7 @@ def buildDetection(self) -> tuple[dict[str, Any], str]:
 if answers["detection_type"] not in ["TTP", "Anomaly"]:
 del output_file_answers["rba"]
 del output_file_answers["deployment"]["alert_action"]
-
+
 if answers["deployment_override"] == "no":
 del output_file_answers["deployment"]
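Review bot: The prompt text `"message": "deployment override"` does not tell the user what they are choosing, and the meaning of the `deployment_override` answer is only discoverable from code in another file. A question-shaped message such as `"message": "Write an explicit deployment block (schedule and alert action) into the new detection?"` makes the yes/no meaningful at the prompt and matches what the generator does with the answer. get_questions_detection begins before this hunk.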