Closed 0xdeadbeefJERKY closed 1 month ago
The original issue is primarily a typo in the help text for this CLI command, rather than a bug in its implementation.

The help text states: "Import rules from json, toml, yaml, or Kibana exported rule file(s).", which is somewhat misleading. While it does support multiple types (json, toml, or yaml), all of these types require the rule to be in the format of a Kibana exported rule (in effect, a rule that is in the Kibana API format). The toml rule you are specifying has already been imported and is no longer in the Kibana API format; rather, it is in the detection-rules native rule format. Running the `import-rules-to-repo` command on this rule is redundant. If you would like that rule in your folder of custom rules, the recommended action is either to move the rule to a folder specified in your custom `_config.yaml` or to add the folder where the rule already exists to this file.

For reference, when we `export-rules-from-repo`, we convert the given rule(s) to the Kibana API format. These rules would then need to be imported via the `import-rules-to-repo` command.
```
detection-rules on main [$!?] is v0.1.0 via v3.12.5 (detection-rules-build) on eric.forte
❯ python -m detection_rules export-rules-from-repo --rule-id 0a97b20f-4144-49ea-be32-b540ecc445de -o tmp-export/test_rule.ndjson
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json
(detection-rules ASCII-art banner omitted)
Exported 1 rules into tmp-export/test_rule.ndjson

detection-rules on main [$!?] is v0.1.0 via v3.12.5 (detection-rules-build) on eric.forte took 3s
❯ python -m detection_rules import-rules-to-repo tmp-export/test_rule.ndjson --required-only -s tmp-export
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json
(detection-rules ASCII-art banner omitted)
[+] Building rule for tmp-export/malware_detected_elastic_endgame.toml
1 results exported
1 rules converted
0 exceptions exported
0 actions connectors exported
```
Merged in a PR, https://github.com/elastic/detection-rules/pull/4013, to update the help text and error output to be more clear.
Pull Request

Issue link(s): Resolves 4011

Summary - What I changed

Updated the rule type validation logic in the `import-rules-to-repo` command to pull the `type` attribute from the `[rule]` key.

How To Test

Import any existing, valid rule:
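The following is an added example, not code from the detection-rules project or from either participant above. It illustrates the distinction the closing comment draws (a Kibana API export carries `type` at the top level of a JSON object, a native detection-rules TOML rule carries it under the `[rule]` table) and the kind of check the PR describes, so that feeding an already-converted TOML rule to an importer produces a clear "this is redundant" message instead of a misleading type error. Function names, the `KNOWN_RULE_TYPES` set, the sample rule contents, the constructed rule ID and the minimal fallback TOML parser are all assumptions made for illustration; the real tool validates against its own schema.

```python
"""Added example (not detection-rules code): tell a Kibana-exported rule apart from a
detection-rules native TOML rule and read its `type` from the right place."""
import json

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:  # assumption: older interpreter, fall back to the subset parser below
    tomllib = None

# Assumption: the rule types accepted by this example; the real tool uses its own schema.
KNOWN_RULE_TYPES = {"query", "saved_query", "eql", "esql", "threshold",
                    "threat_match", "machine_learning", "new_terms"}


def _parse_toml_subset(text):
    """Minimal TOML fallback: `[table]` headers plus single-line `key = "value"` pairs."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = data.setdefault(line[1:-1].strip(), {})
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip matching quotes of a basic or literal string
        (current if current is not None else data)[key.strip()] = value
    return data


def load_rule(text, suffix):
    """Parse one rule document by extension. `.ndjson`/`.json` is the Kibana API
    (export) shape, one JSON object per line; `.toml` is the native repo shape."""
    if suffix in (".ndjson", ".json"):
        first = next(line for line in text.splitlines() if line.strip())
        return json.loads(first)
    if suffix == ".toml":
        return tomllib.loads(text) if tomllib else _parse_toml_subset(text)
    raise ValueError(f"unsupported rule file extension: {suffix}")


def classify(doc):
    """'native' when `type` lives under the [rule] table, 'kibana' when the object
    itself is the Kibana API rule (top-level `type` and `rule_id`), else 'unknown'."""
    if isinstance(doc.get("rule"), dict) and "type" in doc["rule"]:
        return "native"
    if "type" in doc and "rule_id" in doc:
        return "kibana"
    return "unknown"


def rule_type(doc):
    """Read `type` from wherever the detected layout keeps it."""
    layout = classify(doc)
    if layout == "native":
        return doc["rule"]["type"]
    if layout == "kibana":
        return doc["type"]
    raise ValueError("no rule type found at the top level or under [rule]")


def check_import_candidate(text, suffix):
    """Return (ok, message): whether the file makes sense as input to a Kibana-format
    importer, with a message that names the actual problem."""
    doc = load_rule(text, suffix)
    layout = classify(doc)
    if layout == "native":
        return False, (f"{suffix} file is already in detection-rules native format "
                       f"(type {doc['rule']['type']!r} under [rule]); importing it is redundant, "
                       "add its folder to the custom _config.yaml instead")
    if layout == "kibana":
        if doc["type"] not in KNOWN_RULE_TYPES:
            return False, f"unknown rule type {doc['type']!r}"
        return True, f"Kibana API format rule {doc['rule_id']} of type {doc['type']!r}, ready to import"
    return False, "could not find a rule type at the top level or under [rule]"


# Constructed sample inputs (not real rules); the rule_id is a placeholder.
SAMPLE_NDJSON = json.dumps({
    "rule_id": "11111111-2222-3333-4444-555555555555",
    "name": "Example Rule",
    "type": "query",
    "language": "kuery",
    "query": 'process.name : "example.exe"',
}) + "\n"

SAMPLE_TOML = '''[metadata]
creation_date = "2024/01/01"

[rule]
name = "Example Rule"
rule_id = "11111111-2222-3333-4444-555555555555"
type = "query"
language = "kuery"
query = 'process.name : "example.exe"'
'''

if __name__ == "__main__":
    print(check_import_candidate(SAMPLE_NDJSON, ".ndjson"))
    print(check_import_candidate(SAMPLE_TOML, ".toml"))
```

Run as a script it prints one accepted candidate (the ndjson export) and one rejected one (the TOML rule, with the "already native format" reason), which is the behaviour the comment above recommends for a rule that was already imported.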