When making a rule in Kibana, in certain cases, EQL type rules can now be considered of type `rule_default` instead of just EQL. We should add support for handling importing/exporting this rule type.
Currently, when trying to import a rule of this type, a `ValueError: Unknown rule type rule_default` is thrown.
Output
```shell
detection-rules on 3674-frdac-add-exceptions-importing-from-ndjson [!?] is v0.1.0 via v3.12.4 (detection-rules-build) on eric.forte
❯ python -m detection_rules import-rules-to-repo ~/Downloads/rules_export_exception_list.ndjson -s custom_rules/rules --required-only
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
[+] Building rule for custom_rules/rules/test_exception_list.toml
[+] Building rule for custom_rules/rules/exceptions_for_rule_test_exception_list.toml
Traceback (most recent call last):
File "", line 198, in _run_module_as_main
File "", line 88, in _run_code
File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 35, in
main()
File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 32, in main
root(prog_name="detection_rules")
File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
return self.main(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1078, in main
rv = self.invoke(ctx)
^^^^^^^^^^^^^^^^
File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
return ctx.invoke(self.callback, **ctx.params)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 783, in invoke
return __callback(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/main.py", line 122, in import_rules_into_repo
rule_prompt(rule_path, required_only=required_only, save=True, verbose=True,
File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/cli_utils.py", line 122, in rule_prompt
target_data_subclass = TOMLRuleContents.get_data_subclass(rule_type)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule.py", line 1113, in get_data_subclass
raise ValueError(f"Unknown rule type {rule_type}")
ValueError: Unknown rule type rule_default
```
Example Rule ndjson
```ndjson
{"id":"77260f65-d17e-468b-8fe9-305048404e95","updated_at":"2024-07-01T17:50:10.160Z","updated_by":"3610252053","created_at":"2024-07-01T17:49:37.594Z","created_by":"3610252053","name":"Test Exception List","tags":[],"interval":"5h","enabled":true,"revision":1,"description":"Test Exception List","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://dev-deployment-2c684a.kb.us-central1.gcp.cloud.es.io:9243/app/security"},"author":["Elastic"],"false_positives":[],"from":"now-18060s","rule_id":"7c22a9d2-5910-4da2-92af-7ff7481bd0f7","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"222e1466-6dee-49ed-bb40-b7791891dc90","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","type":"rule_default","namespace_type":"single"}],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"eql","language":"eql","index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"process where true","filters":[],"actions":[]}
{"_version":"WzQ3NTYzLDJd","created_at":"2024-07-01T17:50:08.726Z","created_by":"3610252053","description":"Exception list containing exceptions for rule with id: 77260f65-d17e-468b-8fe9-305048404e95","id":"222e1466-6dee-49ed-bb40-b7791891dc90","immutable":false,"list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"Exceptions for rule - Test Exception List","namespace_type":"single","os_types":[],"tags":["default_rule_exception_list"],"tie_breaker_id":"dc3357a1-0f43-4476-b113-11d683dd5fe5","type":"rule_default","updated_at":"2024-07-01T17:50:08.727Z","updated_by":"3610252053","version":1}
{"_version":"WzQ3NTY1LDJd","comments":[],"created_at":"2024-07-01T19:35:20.071Z","created_by":"3610252053","description":"Exception list item","entries":[{"field":"Effective_process.pid","operator":"included","type":"match","value":"1"}],"id":"49f9966c-9fb4-4d8a-8bed-8e7bfcdafbc5","item_id":"970945dd-71d5-4128-89a8-7e8689326a19","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"Pid not One","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"db323af7-5564-4a42-8d8e-81f933c5cef1","type":"simple","updated_at":"2024-07-01T19:35:20.071Z","updated_by":"3610252053"}
{"_version":"WzQ3NTY0LDJd","comments":[],"created_at":"2024-07-01T17:50:11.181Z","created_by":"3610252053","description":"Exception list item","entries":[{"field":"process.name","operator":"included","type":"match","value":"FakeRoot"}],"id":"8d1c6de2-12bf-442d-9b52-00bc99bfcea2","item_id":"d6a0e21c-bf41-4758-a522-cca5df3a2332","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"FakeRoot","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"e1e84f62-b36f-4608-9778-1e4ca29539ae","type":"simple","updated_at":"2024-07-01T17:50:11.181Z","updated_by":"3610252053"}
{"exported_count":4,"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":1,"exported_exception_list_item_count":2,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0,"exported_action_connector_count":0,"missing_action_connection_count":0,"missing_action_connections":[],"excluded_action_connection_count":0,"excluded_action_connections":[]}
```
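As an added example (not code from the detection-rules project), a small Python routine that splits a Kibana export like the one above into rules, exception lists, list items and the trailing summary by their identifying keys instead of by `type`, then cross-checks the rule's exception-list references and the summary counts; the sample lines, ids and names are constructed and shortened from this issue's export.

```python
import json
from collections import defaultdict

# Constructed sample modelled on this issue's export: one EQL rule, its "rule_default" list, one item, the summary.
SAMPLE = "\n".join([
    '{"rule_id":"rule-1","name":"Test Exception List","type":"eql","query":"process where true",'
    '"exceptions_list":[{"id":"l-1","list_id":"list-1","type":"rule_default","namespace_type":"single"}]}',
    '{"id":"l-1","list_id":"list-1","name":"Exceptions for rule","type":"rule_default"}',
    '{"id":"i-1","item_id":"item-1","list_id":"list-1","name":"FakeRoot","type":"simple",'
    '"entries":[{"field":"process.name","operator":"included","type":"match","value":"FakeRoot"}]}',
    '{"exported_count":3,"exported_rules_count":1,"exported_exception_list_count":1,'
    '"exported_exception_list_item_count":1}',
])

def classify(obj: dict) -> str:
    # Route by identifying keys, not by "type": a list's "type" (rule_default) is not a rule type.
    if "exported_count" in obj:
        return "summary"
    if "rule_id" in obj:
        return "rule"
    if "item_id" in obj:
        return "exception_item"
    if "list_id" in obj:
        return "exception_list"
    raise ValueError(f"unrecognised export object with keys {sorted(obj)}")

def split_export(ndjson: str) -> dict[str, list[dict]]:
    groups: dict[str, list[dict]] = defaultdict(list)
    for obj in map(json.loads, filter(str.strip, ndjson.splitlines())):
        groups[classify(obj)].append(obj)
    return dict(groups)

def check_export(groups: dict[str, list[dict]]) -> list[str]:
    # Returns the problems found; an empty list means the export is self-consistent.
    problems: list[str] = []
    lists = {lst["list_id"]: lst for lst in groups.get("exception_list", [])}
    for rule in groups.get("rule", []):
        for ref in rule.get("exceptions_list", []):  # every reference must resolve
            lst = lists.get(ref["list_id"])
            if lst is None:
                problems.append(f"rule {rule['rule_id']} references missing list {ref['list_id']}")
            elif lst["type"] != ref["type"]:
                problems.append(f"list {ref['list_id']} type mismatch: {lst['type']} vs {ref['type']}")
    counts = {"rule": "exported_rules_count", "exception_list": "exported_exception_list_count",
              "exception_item": "exported_exception_list_item_count"}
    summary = groups.get("summary", [{}])[0]
    for kind, key in counts.items():
        if key in summary and summary[key] != len(groups.get(kind, [])):
            problems.append(f"{key}={summary[key]} but the file holds {len(groups.get(kind, []))}")
    return problems
```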