elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Bug][DAC] Rule Threat Reference Fields Exported from Kibana Mismatch URL #3843

Open eric-forte-elastic opened 5 days ago

eric-forte-elastic commented 5 days ago

Summary

When rules with MITRE ATT&CK information are exported from Kibana, the URLs for the reference links are missing a trailing /. For instance, Kibana returns https://attack.mitre.org/tactics/TA0002 instead of the desired https://attack.mitre.org/tactics/TA0002/. As such, our current schema formatting for the URL validation fails on these rule exports as it expects the trailing / to be present.

To address this issue, we may want to add support in detection-rules for URLs with or without the trailing /. In prior Kibana rule exports, there historically has been a /, and we would not want to lose support for rules exported under this previous format.

To reproduce

Create a new rule in Kibana and add MITRE ATT&CK information (tactic, etc.). Then attempt to export the new rule using the export-rules command.

e.g. python -m detection_rules kibana --space customer export-rules -d custom_rules/rules -s -sv -r 6559f7d2-56d9-49b1-9426-76caf2f8ab04

This should result in a schema failure.

One possibility for accomplishing this is to modify the BaseThreatEntry class in rule.py to have a pre-load function to modify the reference url if needed.

from dataclasses import dataclass

from marshmallow import pre_load


@dataclass(frozen=True)
class BaseThreatEntry:
    id: str
    name: str
    reference: str

    @pre_load()
    def modify_url(self, data, **kwargs):
        """Append the trailing / the URL validators expect when Kibana omitted it."""
        if not data["reference"].endswith("/"):
            data["reference"] += "/"
        return data

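An added, self-contained illustration of the normalize-then-validate approach proposed above. This is not detection-rules code and does not depend on marshmallow: the regex, the `reference_for_id` helper and the `ThreatEntry.load` classmethod are assumptions standing in for the project's own schema, and the sample entries are constructed. It generalizes the tactic case from the issue to technique and sub-technique URLs, and additionally checks that the normalized reference agrees with the entry's id.

```python
import re
from dataclasses import dataclass
from typing import Any

# Assumed pattern for ATT&CK reference URLs (the project's own validators in
# definitions.py may differ). The trailing slash is optional so that both
# older Kibana exports (with "/") and newer ones (without) are accepted.
ATTACK_REFERENCE = re.compile(
    r"^https://attack\.mitre\.org/"
    r"(?:tactics/TA\d{4}|techniques/T\d{4}(?:/\d{3})?)"
    r"/?$"
)


def normalize_reference(url: str) -> str:
    """Canonicalize an ATT&CK reference to the trailing-slash form.

    Accepts both Kibana export styles and rejects anything that is not an
    attack.mitre.org tactic, technique or sub-technique URL.
    """
    if not ATTACK_REFERENCE.match(url):
        raise ValueError(f"not an ATT&CK reference URL: {url!r}")
    return url if url.endswith("/") else url + "/"


def reference_for_id(attack_id: str) -> str:
    """Build the canonical reference URL for a tactic (TA0002), technique
    (T1059) or sub-technique (T1059.001) identifier."""
    if re.fullmatch(r"TA\d{4}", attack_id):
        return f"https://attack.mitre.org/tactics/{attack_id}/"
    match = re.fullmatch(r"(T\d{4})(?:\.(\d{3}))?", attack_id)
    if not match:
        raise ValueError(f"not an ATT&CK identifier: {attack_id!r}")
    technique, sub = match.groups()
    path = f"{technique}/{sub}" if sub else technique
    return f"https://attack.mitre.org/techniques/{path}/"


@dataclass(frozen=True)
class ThreatEntry:
    id: str
    name: str
    reference: str

    @classmethod
    def load(cls, data: dict[str, Any]) -> "ThreatEntry":
        """Plain-Python stand-in for the proposed pre_load hook (assumption):
        normalize the URL first, then confirm it agrees with the id so a
        hand-edited export cannot pair a tactic id with a technique link."""
        reference = normalize_reference(data["reference"])
        if reference != reference_for_id(data["id"]):
            raise ValueError(
                f"reference {reference} does not match id {data['id']}"
            )
        return cls(id=data["id"], name=data["name"], reference=reference)


# Constructed sample entries: one as a current Kibana export carries it (no
# trailing slash) and one as an older export carried it (with the slash).
SAMPLE_ENTRIES = [
    {
        "id": "TA0002",
        "name": "Execution",
        "reference": "https://attack.mitre.org/tactics/TA0002",
    },
    {
        "id": "T1059.001",
        "name": "PowerShell",
        "reference": "https://attack.mitre.org/techniques/T1059/001/",
    },
]


def load_all(entries: list[dict[str, Any]]) -> list[ThreatEntry]:
    """Load every threat entry, normalizing and cross-checking each one."""
    return [ThreatEntry.load(entry) for entry in entries]


if __name__ == "__main__":
    for entry in load_all(SAMPLE_ENTRIES):
        print(entry)
```

Both sample entries load to the trailing-slash form, while a URL on another host, or a reference whose path does not correspond to the entry's id, is rejected with a ValueError before the entry is constructed.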
Mikaayenson commented 5 days ago

So it appears that the issue is with the latest enterprise-attack.json, which may no longer include the trailing slashes in the URLs.