From 9f9775e3ad42291a4a03f30b674a0159ba11a012 Mon Sep 17 00:00:00 2001
From: SG
Date: Thu, 4 Jan 2024 13:31:35 -0700
Subject: [PATCH] work in progress for idaholab/Malcolm#288
---
 arkime/wise/source.zeeklogs.js | 5 ++---
 dashboards/scripts/index-refresh.py | 10 +++-------
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/arkime/wise/source.zeeklogs.js b/arkime/wise/source.zeeklogs.js
index 40a9c4035..cefc5e6f9 100644
--- a/arkime/wise/source.zeeklogs.js
+++ b/arkime/wise/source.zeeklogs.js
@@ -2210,10 +2210,9 @@ class MalcolmSource extends WISESource {
 var mimeFieldsStr = allFields.filter(value => /mime[_\.-]?type/i.test(value)).join(',');
 this.api.addValueAction("malcolm_websearch_mime", { name: "Media Type Registry", url: 'https://www.iana.org/assignments/media-types/%TEXT%', fields: mimeFieldsStr });
- // add right-click for extracted/quarantined files from zeek
+ // add right-click for extracted files from zeek
 var carvedFieldsStr = allFields.filter(value => /^zeek\.files\.extracted$/i.test(value)).join(',');
- this.api.addValueAction("malcolm_carved_file_quarantined", { name: "Download (if quarantined)", url: "/dl-extracted-files/quarantine/%TEXT%", fields: carvedFieldsStr });
- this.api.addValueAction("malcolm_carved_file_preserved", { name: "Download (if preserved)", url: "/dl-extracted-files/preserved/%TEXT%", fields: carvedFieldsStr });
+ this.api.addValueAction("malcolm_carved_file_quarantined", { name: "Download", url: "/dl-extracted-files/%TEXT%", fields: carvedFieldsStr });
 // add right-clicks for pivoting into dashboards from Arkime (see nginx.conf)
 var filterLabel = "OpenSearch Dashboards %DBFIELD%";
diff --git a/dashboards/scripts/index-refresh.py b/dashboards/scripts/index-refresh.py
index ba65ac664..ce283fc58 100755
--- a/dashboards/scripts/index-refresh.py
+++ b/dashboards/scripts/index-refresh.py
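Review bot: The surviving action in the source.zeeklogs.js hunk is still registered under the key `malcolm_carved_file_quarantined`, although it is now labelled plain "Download" and points at `/dl-extracted-files/%TEXT%` for every extracted file. With the "(if quarantined)" and "(if preserved)" wording gone, neither the key nor the label tells an analyst that the file behind the link may be one the scanners flagged. I would rename the key to something neutral such as `malcolm_carved_file_download` and extend the comment to `// add right-click download for extracted files from zeek (quarantined or preserved; treat the download as untrusted)`. Whether anything else refers to the old key is not visible here, and the enclosing method starts and ends outside the hunk.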
@@ -410,14 +410,10 @@ def main():
 drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
 elif re.search(r'(^zeek\.files\.extracted$)', field['name'], re.IGNORECASE) is not None:
- # add download for extracted/quarantined zeek files
+ # add download for extracted zeek files
 drilldownInfoParamsUrlTemplateValues = {}
- drilldownInfoParamsUrlTemplateValues['url'] = '/dl-extracted-files/quarantine/{{value}}'
- drilldownInfoParamsUrlTemplateValues['label'] = 'Download (if quarantined)'
- drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
- drilldownInfoParamsUrlTemplateValues = {}
- drilldownInfoParamsUrlTemplateValues['url'] = '/dl-extracted-files/preserved/{{value}}'
- drilldownInfoParamsUrlTemplateValues['label'] = 'Download (if preserved)'
+ drilldownInfoParamsUrlTemplateValues['url'] = '/dl-extracted-files/{{value}}'
+ drilldownInfoParamsUrlTemplateValues['label'] = 'Download'
 drilldownInfoParamsUrlTemplates.append(drilldownInfoParamsUrlTemplateValues)
 drilldownInfoParams = {}
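Review bot: The drilldown URL `/dl-extracted-files/{{value}}` now depends on the file server resolving a bare file name across both the quarantine and the preserved store, and the diffstat shows that no route or handler change is part of this commit; the same holds for the Arkime link in source.zeeklogs.js. Until that side lands the link will presumably not resolve, and when it does the handler should match on the base name only, reject path separators and `..`, and serve the file as an attachment, because the value is taken from an indexed log field. I would record the dependency next to the template, for example `# NOTE: relies on /dl-extracted-files/<name> resolving quarantined and preserved files server-side`. main() begins before this hunk and continues past it.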