Closed brokensound77 closed 1 year ago
Just backing up a bit here for context. The `/releases` folder is used to store prebuilt rule packages after they are built using the `python -m detection_rules dev build-release` command. Packages are stored based on the major and minor stack version they were built on, which references `packages.yml`. After building a package, several files are dropped into `releases/x.x/extras`. The files titled `x.x-enriched-rules-index-importable.ndjson` are created to allow rules to be uploaded as documents into ES if need be.
Problem:

We were not adding the rule contents themselves to these documents, which should be added after `to_api_format()` is called for the JSON representation of the rule.
Solution:

If we simply add `rule_doc.update(**rule.contents.to_api_format())` within the `packaging.Package.create_bulk_index_body()` method, it will update the ES doc to include the rule contents themselves, which will ultimately be written to `x.x-enriched-rules-index-importable.ndjson`.
Update code to include all rule fields as well
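As an added illustration (not the project's own code), the bulk-index body before and after the fix described above, using a constructed stand-in for the rule object and constructed sample rule values:

```python
import json
from dataclasses import dataclass

# Constructed stand-in for a rule's contents. The real project object exposes
# to_api_format() as the issue describes; the fields here are sample values only.
@dataclass
class RuleContents:
    rule_id: str
    name: str
    query: str
    risk_score: int = 21

    def to_api_format(self) -> dict:
        """JSON-serialisable representation of the rule as the detection API expects it."""
        return {"rule_id": self.rule_id, "name": self.name,
                "query": self.query, "risk_score": self.risk_score}

@dataclass
class Rule:
    path: str            # hypothetical metadata field kept on the ES document
    contents: RuleContents

def create_bulk_index_body(rules, index: str, include_contents: bool) -> str:
    """Build an NDJSON bulk body: one action line, then one source line, per rule.
    include_contents=False mirrors the original behaviour (metadata only); True applies the fix."""
    lines = []
    for rule in rules:
        rule_doc = {"path": rule.path, "rule_id": rule.contents.rule_id}
        if include_contents:
            # The fix from the issue: merge the API-format rule fields into the document.
            rule_doc.update(**rule.contents.to_api_format())
        lines.append(json.dumps({"index": {"_index": index, "_id": rule.contents.rule_id}}))
        lines.append(json.dumps(rule_doc))
    return "\n".join(lines) + "\n"  # a bulk body must end with a trailing newline

def indexed_docs(ndjson: str) -> list[dict]:
    """Parse the source lines (every second line) back out of a bulk body."""
    rows = [json.loads(line) for line in ndjson.splitlines() if line]
    return rows[1::2]

# Constructed sample input (placeholder rule_id, not a real rule).
SAMPLE_RULES = [Rule("rules/windows/example.toml",
                     RuleContents("00000000-0000-0000-0000-000000000000", "Example rule",
                                  'process where process.name == "example.exe"'))]

if __name__ == "__main__":
    print(create_bulk_index_body(SAMPLE_RULES, "rules-index", include_contents=True))
```

Parsing the body back with `indexed_docs` shows the difference: without the fix the document carries only the metadata keys, with it the `name`, `query` and `risk_score` fields are present alongside them.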