Closed Mikaayenson closed 2 weeks ago
Now that we support custom schemas as a beta feature, we can probably close this out. We just need to build the runtime field in a stack and try to use DAC features with it to double check.
Example

In the summary description of https://github.com/elastic/kibana/pull/130929, add a runtime field and then create a test rule.

```console
python -m detection_rules custom-rules setup-config custom_rules
```

then add this config

```yaml
bbr_rules_dirs:
  - rules_building_block
directories:
  action_connector_dir: action_connectors
  action_dir: actions
  exception_dir: exceptions
files:
  deprecated_rules: etc/deprecated_rules.json
  packages: etc/packages.yaml
  stack_schema_map: etc/stack-schema-map.yaml
  version_lock: etc/version.lock.json
rule_dirs:
  - rules
testing:
  config: etc/test_config.yaml
bypass_version_lock: True
normalize_kql_keywords: True
auto_gen_schema_file: "etc/schemas/auto_gen.json"
bypass_optional_elastic_validation: True
```

- `python -m detection_rules export-rules-from-repo`: TOML --> NDJSON
- `python -m detection_rules import-rules-to-repo`: NDJSON --> TOML
- `python -m detection_rules kibana export-rules`: pull directly from Elastic Security --> TOML
- `python -m detection_rules kibana import-rules`: push from local TOML --> Elastic Security
```console
detection-rules on issue-3509 [$?] is 📦 v0.1.0 via 🐍 v3.12.5 (.venv) on ☁️ shashank.suryanarayana@elastic.co
❯ python -m detection_rules custom-rules setup-config custom_rules
Created directory: custom_rules/actions
Created directory: custom_rules/action_connectors
Created directory: custom_rules/exceptions
Created directory: custom_rules/rules
Created directory: custom_rules/rules_building_block
Created directory: custom_rules/etc
Created file with default content: custom_rules/etc/deprecated_rules.json
Created file with default content: custom_rules/etc/version.lock.json
Created file with default content: custom_rules/etc/packages.yaml
Created file with default content: custom_rules/etc/stack-schema-map.yaml
Created file with default content: custom_rules/etc/test_config.yaml
Created file with default content: custom_rules/_config.yaml
# For details on how to configure the _config.yaml file,
# consult: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/_config.yaml
# or the docs: /Users/shashankks/elastic_workspace/detection-rules/docs/custom-rules.md
(.venv)
detection-rules on issue-3509 [$?] is 📦 v0.1.0 via 🐍 v3.12.5 (.venv) on ☁️ shashank.suryanarayana@elastic.co
❯
```
![Image](https://github.com/user-attachments/assets/9ad6f25d-b2e0-4ac6-925c-df13d2b0af94)
```console
python -m detection_rules import-rules-to-repo /Users/shashankks/Downloads/test_run_time_filed.ndjson
[+] Building rule for /Users/shashankks/elastic_workspace/detection-rules/rules/run_time_filed_mapping_to_data_views.toml
actions (multi, comma separated):
alert_suppression:
building_block_type:
event_category_override:
exceptions_list (multi, comma separated):
false_positives (multi, comma separated):
filters (multi, comma separated):
index (multi, comma separated):
investigation_fields:
license:
note:
references (multi, comma separated):
related_integrations (multi, comma separated):
required_fields (multi, comma separated):
risk_score_mapping (multi, comma separated):
rule_name_override:
setup:
severity_mapping (multi, comma separated):
tags (multi, comma separated):
add mitre tactic? [y/N]: N
throttle:
tiebreaker_field:
timeline_id:
timeline_title:
timestamp_field:
timestamp_override:
Traceback (most recent call last):
  File "
```

The NDJSON being imported (the test rule with the runtime field, plus the export summary record):

```json
{"id":"c234a270-5e5d-41c9-9237-f716c36ac34c","updated_at":"2024-09-03T17:07:07.929Z","updated_by":"841510929","created_at":"2024-09-03T17:07:07.929Z","created_by":"841510929","name":"Run Time Filed Mapping to Data Views","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"Test Run Time Filed Mapping to Data Views","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://e2erelease.kb.us-west2.gcp.elastic-cloud.com:9243/app/security"},"author":[],"false_positives":[],"from":"now-360s","rule_id":"a97cf517-bb1c-4d46-9522-f449fd3b0873","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"","type":"eql","language":"eql","data_view_id":"logs-*","query":"any where `logs-data-view-files` == \"logs data view filed\"","filters":[],"actions":[]}
{"exported_count":1,"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":0,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0,"exported_action_connector_count":0,"missing_action_connection_count":0,"missing_action_connections":[],"excluded_action_connection_count":0,"excluded_action_connections":[]}
```
I have double checked my steps twice, hopefully I am not missing anything here! @Mikaayenson
The only thing I'm not seeing is if you exported the CUSTOM_RULES_DIR environment variable. Also, can you share the contents of auto_gen.json?
Yes the environment variable export was missing from the steps, and that fixed the problem
```console
❯ python -m detection_rules import-rules-to-repo /Users/shashankks/Downloads/test_run_time_filed.ndjson --required-only
[+] Building rule for /Users/shashankks/elastic_workspace/detection-rules/custom_rules/rules/run_time_filed_mapping_to_data_views.toml
1 results exported
1 rules converted
0 exceptions exported
0 actions connectors exported
(.venv)
detection-rules on issue-3509 [$?] is 📦 v0.1.0 via 🐍 v3.12.5 (.venv) on ☁️ shashank.suryanarayana@elastic.co took 2s
```

AutoGen Schema populated successfully

![Image](https://github.com/user-attachments/assets/de947e7b-2fab-4574-a1e9-dd11ba4628d1)
```console
❯ python -m detection_rules export-rules-from-repo -id "a97cf517-bb1c-4d46-9522-f449fd3b0873"
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
Exported 1 rules into /Users/shashankks/elastic_workspace/detection-rules/exports/20240903T234353L.ndjson
(.venv)
detection-rules on issue-3509 [$?] is 📦 v0.1.0 via 🐍 v3.12.5 (.venv) on ☁️ shashank.suryanarayana@elastic.co
❯
```
```console
❯ python -m detection_rules kibana export-rules -r "a97cf517-bb1c-4d46-9522-f449fd3b0873" -d /Users/shashankks/elastic_workspace/detection-rules/custom_rules
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
1 results exported
1 rules converted
0 exceptions exported
0 action connectors exported
1 rules saved to /Users/shashankks/elastic_workspace/detection-rules/custom_rules
0 exception lists saved to /Users/shashankks/elastic_workspace/detection-rules/custom_rules/exceptions
0 action connectors saved to /Users/shashankks/elastic_workspace/detection-rules/custom_rules/action_connectors
(.venv)
detection-rules on issue-3509 [$?] is 📦 v0.1.0 via 🐍 v3.12.5 (.venv) on ☁️ shashank.suryanarayana@elastic.co took 3s
```
Expected failure as the rule already exists

```console
❯ python -m detection_rules kibana import-rules -id "a97cf517-bb1c-4d46-9522-f449fd3b0873"
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
1 rule(s) failed to import!
 - a97cf517-bb1c-4d46-9522-f449fd3b0873: (409) rule_id: "a97cf517-bb1c-4d46-9522-f449fd3b0873" already exists
(.venv)
detection-rules on issue-3509 [$?] is 📦 v0.1.0 via 🐍 v3.12.5 (.venv) on ☁️ shashank.suryanarayana@elastic.co took 3s
❯
```

Changed rule id and name just to test

```console
❯ python -m detection_rules kibana import-rules -id "b97cf517-bb1c-4d46-9522-f449fd3b0873"
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
1 rule(s) successfully imported
 - b97cf517-bb1c-4d46-9522-f449fd3b0873
(.venv)
detection-rules on issue-3509 [$?] is 📦 v0.1.0 via 🐍 v3.12.5 (.venv) on ☁️ shashank.suryanarayana@elastic.co took 4s
❯
```

![Image](https://github.com/user-attachments/assets/79bc738d-ab96-4737-bb13-969d70114e86)
@Mikaayenson With DAC the feature is working as expected. This should be good to close
All verification steps completed
Summary
https://github.com/elastic/kibana/pull/130929
Tasks
Dependencies and Constraints
...
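As an added illustration of what the thread works through (this is my own example, not detection-rules code): it parses the NDJSON export of the test rule, lists the query fields that no stack schema knows (the ones `auto_gen.json` has to supply), and checks the `CUSTOM_RULES_DIR` precondition that was missing from the steps. The field regex, the known-field set and the `_config.yaml` check are assumptions, not the tooling's own logic.

```python
import json
import os
import re
from pathlib import Path

# Constructed sample: the rule record from the thread (trimmed to the keys read here)
# followed by the export summary record, exactly as the NDJSON export lays them out.
SAMPLE_NDJSON = (
    '{"rule_id":"a97cf517-bb1c-4d46-9522-f449fd3b0873","type":"eql","language":"eql",'
    '"data_view_id":"logs-*",'
    '"query":"any where `logs-data-view-files` == \\"logs data view filed\\""}\n'
    '{"exported_count":1,"exported_rules_count":1,"missing_rules":[]}\n'
)
# Stand-in for the fields a stack schema already knows (constructed, not the real ECS list).
KNOWN_SCHEMA_FIELDS = {"event.category", "process.name", "host.name"}
# A `backticked` name, or a bare dotted identifier directly followed by a comparison operator.
FIELD_REF = re.compile(r"`([^`]+)`|\b([a-zA-Z_][\w.-]*)\s*(?==|!=|:|like|in\b)")

def load_rules(ndjson_text):
    """Yield only rule records; the trailing summary record carries no rule_id."""
    for line in ndjson_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if "rule_id" in rec:
                yield rec

def referenced_fields(query):
    return {a or b for a, b in FIELD_REF.findall(query)}

def unknown_fields(ndjson_text, known=KNOWN_SCHEMA_FIELDS):
    """Map rule_id -> query fields no known schema covers (what auto_gen.json has to supply)."""
    result = {}
    for rec in load_rules(ndjson_text):
        missing = referenced_fields(rec["query"]) - known
        if missing:
            result[rec["rule_id"]] = sorted(missing)
    return result

def custom_rules_preconditions(env=os.environ):
    """The tooling only reads custom_rules/_config.yaml once CUSTOM_RULES_DIR is exported."""
    root = env.get("CUSTOM_RULES_DIR")
    if not root:
        return ["CUSTOM_RULES_DIR is not exported"]
    cfg = Path(root) / "_config.yaml"
    if not cfg.is_file():
        return [f"{cfg} not found; run setup-config first"]
    if "auto_gen_schema_file" not in cfg.read_text():
        return ["auto_gen_schema_file is not set in _config.yaml"]
    return []
```

Run `unknown_fields(SAMPLE_NDJSON)` to see the runtime field flagged, and `custom_rules_preconditions()` in the shell you intend to import from.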