Adding Content

Adding content in SSE is easy. For end users, you can run everything via the GUI. Partners and SSE authors do need to interact with the JSON a bit.

Custom Content for End Users

There is an entire workflow for users to be able to add content through the GUI, in a way that is supported across upgrades and separated from the default app content. For more detail on this, visit the Custom Content feature. In addition to the automated introspection process, users can also directly create, delete, edit or view custom content from the dedicated Custom Content dashboard.

Distributed Content from Partners (or centralized content teams)

For most partners, it makes sense to start by creating custom content (as mentioned above), but then a variety of customizations are available to better support the partner's needs. For more on this, view the detailed Partner Integration page.

Authoring Simple SSE Content

There is a variety of simple content in SSE, defined as content without demo data that doesn’t leverage a full search builder. This includes all of the ES, ESCU, UBA, and Phantom content. There has also been discussion of simplifying the process of adding additional native SSE content by adding it using the same method.

For the most part, deploying this content is fairly straightforward. A similar approach to that outlined in the Partner Integration page can be followed, but with some tweaks to the fields. In particular, the Schema details a variety of fields specific to ES, ESCU, and UBA.

Authoring Full-Featured SSE Content

Authoring full-featured content on SSE is modestly more complicated. Configuration is required in two files:

  1. ShowcaseInfo.json has the high-level information and is the primary interface that most of SSE uses for content. There are two pieces of configuration that dictate the connection with the search builder:
     - dashboard: This tells the interface what dashboard to send users to when they click the link, and includes the search builder label in the URL.
     - examples object: This is the list of what search builder objects (in layman's terms, what searches) exist for a particular piece of content. You’d typically have one for Demo Data, one for Live Data, one for Accelerated Data, etc.
  2. The Search Builder JSON files (showcase_simple_search.json, etc.) list the actual searches, the line-by-line SPL Docs, etc.

There is exactly one tricky thing about adding full-featured SSE content to the app. There are effectively four different names / IDs that must be defined:

  1. ShowcaseInfo.json ID. Inside of ShowcaseInfo.json there is a summaries object. That object has as its keys the IDs for each showcase.
  2. ShowcaseInfo.json Name. You can look up ShowcaseInfo.json['summaries']['my_showcase_id']['name'] for the pretty name that is actually displayed to the user.
  3. Search Label. This is the pretty name that is displayed in the upper right-hand corner of the actual search page (e.g., Live Data).
  4. Search Name. This is the internal ID for the search.

The tricky part: In the Showcase examples object, it will list the Search Name (ShowcaseInfo.json['summaries']['my_showcase_id']['examples'][0]['name']). That must match exactly the object name in the Search Builder JSON file, and also match the Search Name (showcase_*.json['my_search_name']['label']). If this is not correct, when you click through and land at your dashboard, no JavaScript will fire. It will just sit there looking disappointing, without any errors in the JavaScript console. In this developer’s experience, 99 out of 100 times, even when double and triple checking, there’s something wrong between those three values when this fires.

It’s clearer with an example. Here are the relevant components for Basic Brute Force Detection, which uses the Simple Search Assistant (showcase_simple_search):


In ShowcaseInfo.json:

    {
        "summaries": {
            "basic_brute_force": {
                "name": "Basic Brute Force Detection",
                "dashboard": "showcase_simple_search?ml_toolkit.dataset=Basic Brute Force - Demo",
                "examples": [
                    {
                        "label": "Demo Data",
                        "name": "Basic Brute Force - Demo"
                    },
                    {
                        "label": "Live Data",
                        "name": "Basic Brute Force - Live"
                    },
                    {
                        "label": "Accelerated Data",
                        "name": "Basic Brute Force - Accelerated"
                    }
                ]
            }
        }
    }

In showcase_simple_search.json:

    {
        "Basic Brute Force - Demo": {
            "label": "Basic Brute Force - Demo",
            "value": "... demo search ..."
        },
        "Basic Brute Force - Live": {
            "label": "Basic Brute Force - Live",
            "value": "... live search ..."
        },
        "Basic Brute Force - Accelerated": {
            "label": "Basic Brute Force - Accelerated",
            "value": "... accelerated search ..."
        }
    }
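
Because a mismatch between these names fails silently, it is worth checking them before deploying. The following is an added example, not code from SSE: a small lint over the two JSON structures. The function names, the constructed sample data (with a deliberate trailing-space typo and a missing search), and the assumption that the dashboard name before the "?" maps to the Search Builder file of the same name are illustrative.

```python
import json
from urllib.parse import parse_qs

# Constructed sample data modelled on the Basic Brute Force fragments above.
# "Live" carries a deliberate trailing-space label typo; "Accelerated" is missing.
SHOWCASE_INFO = json.loads("""
{"summaries": {"basic_brute_force": {
    "name": "Basic Brute Force Detection",
    "dashboard": "showcase_simple_search?ml_toolkit.dataset=Basic Brute Force - Demo",
    "examples": [
        {"label": "Demo Data", "name": "Basic Brute Force - Demo"},
        {"label": "Live Data", "name": "Basic Brute Force - Live"},
        {"label": "Accelerated Data", "name": "Basic Brute Force - Accelerated"}
    ]}}}
""")
SEARCH_BUILDERS = {"showcase_simple_search": json.loads("""
{"Basic Brute Force - Demo": {"label": "Basic Brute Force - Demo", "value": "..."},
 "Basic Brute Force - Live": {"label": "Basic Brute Force - Live ", "value": "..."}}
""")}


def check_showcase(showcase_id, summary, builders):
    """Return a list of name/label mismatches for one summaries entry."""
    names = [ex.get("name") for ex in summary.get("examples", [])]
    if not names:  # simple content has no search builder to cross-check
        return []
    # Assumption: the part before "?" names the Search Builder JSON file.
    dashboard, _, query = summary.get("dashboard", "").partition("?")
    searches = builders.get(dashboard)
    if searches is None:
        return [f"{showcase_id}: no search builder JSON loaded for {dashboard!r}"]
    problems = []
    dataset = parse_qs(query).get("ml_toolkit.dataset", [None])[0]
    if dataset not in names:
        problems.append(f"{showcase_id}: dashboard dataset {dataset!r} is not an example name")
    for name in names:
        entry = searches.get(name)
        if entry is None:
            problems.append(f"{showcase_id}: {name!r} has no object in {dashboard}.json")
        elif entry.get("label") != name:  # exact match: case and whitespace count
            problems.append(f"{showcase_id}: {name!r} has label {entry.get('label')!r}")
    return problems


def check_all(showcase_info, builders):
    """Check every showcase under 'summaries' and collect all problems."""
    return [p for sid, s in showcase_info.get("summaries", {}).items()
            for p in check_showcase(sid, s, builders)]


if __name__ == "__main__":
    print("\n".join(check_all(SHOWCASE_INFO, SEARCH_BUILDERS)))
```

To use it on real files, load ShowcaseInfo.json and each showcase_*.json with json.load and pass them in place of the constructed samples.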