elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

Properly reference rule type in import-rules-to-repo command #4012

Closed 0xdeadbeefJERKY closed 1 month ago

0xdeadbeefJERKY commented 1 month ago

Pull Request

Issue link(s): Resolves 4011

Summary - What I changed

Updated the rule type validation logic in the import-rules-to-repo command to pull the type attribute from the [rule] key.

How To Test

Import any existing, valid rule:

```
➜ python -m detection_rules import-rules-to-repo ./rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building rule for /home/user/detection-engineering/detection-rules/rules/suspicious_endpoint_security_parent_process.toml
actions (multi, comma separated): 
alert_suppression: 
building_block_type: 
data_view_id: 
enabled: 
event_category_override: 
exceptions_list (multi, comma separated): 
false_positives (multi, comma separated): 
filters (multi, comma separated): 
interval: 
investigation_fields: 
max_signals: 
meta: 
note: 
references (multi, comma separated): 
related_integrations (multi, comma separated): 
required_fields (multi, comma separated): 
risk_score_mapping (multi, comma separated): 
rule_name_override: 
severity_mapping (multi, comma separated): 
add mitre tactic? [y/N]: 
throttle: 
tiebreaker_field: 
timeline_id: 
timeline_title: 
timestamp_field: 
to: 
1 results exported
1 rules converted
0 exceptions exported
0 actions connectors exported
```


eric-forte-elastic commented 1 month ago

The original issue is primarily a typo in the help text for this CLI command, rather than a bug in its implementation.

The help text states: "Import rules from json, toml, yaml, or Kibana exported rule file(s).", which is somewhat misleading. While it does support multiple types (json, toml, or yaml), all of these types require the rule to be in the format of a Kibana exported rule (in effect, a rule that is in the Kibana API format). The toml rule you are specifying has already been imported and is no longer in the Kibana API format; rather, it is in the detection rules native rule format. Running the import-rules-to-repo command on this rule is redundant. If you would like that rule in your folder of custom rules, the recommended action is to either move the rule to a folder specified in your custom _config.yaml or add the folder where the rule already exists to this file.

For reference, when we export-rules-from-repo we then convert the given rule(s) to the Kibana API format. These rules would then need to be imported via the import-rules-to-repo command.

Example run

```
detection-rules on  main [$!?] is  v0.1.0 via  v3.12.5 (detection-rules-build) on  eric.forte
❯ python -m detection_rules export-rules-from-repo --rule-id 0a97b20f-4144-49ea-be32-b540ecc445de -o tmp-export/test_rule.ndjson
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Exported 1 rules into tmp-export/test_rule.ndjson

detection-rules on  main [$!?] is  v0.1.0 via  v3.12.5 (detection-rules-build) on  eric.forte took 3s
❯ python -m detection_rules import-rules-to-repo tmp-export/test_rule.ndjson --required-only -s tmp-export
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building rule for tmp-export/malware_detected_elastic_endgame.toml
1 results exported
1 rules converted
0 exceptions exported
0 actions connectors exported
```

Merged in a PR, https://github.com/elastic/detection-rules/pull/4013, to update the help text and error output to be more clear.
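The confusion in this thread comes down to two document shapes: a Kibana-exported rule, which `import-rules-to-repo` expects, and a rule already in the repository's native TOML layout, where the body sits under the `[rule]` table mentioned in the PR description. The following is an added example, not code from the elastic/detection-rules repository or from either commenter. It assumes (not stated on the page) that a Kibana export carries `type` at the top level of each JSON object, and it uses constructed sample rule fields throughout. It classifies a loaded document, reads the rule type from whichever location applies, and raises a clear error of the kind #4013 aimed for when someone feeds a native rule back into the importer.

```python
"""Added example (not elastic/detection-rules code): tell a Kibana-exported rule
document apart from one already in the repository's native [rule] TOML layout.
Assumed shapes: Kibana export = top-level "type"; native = "type" under [rule].
All sample field values below are constructed."""
import json

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # older interpreter: fall back to a tiny subset parser
    tomllib = None

# Constructed sample: one line of a Kibana ndjson export (the shape the importer expects).
KIBANA_NDJSON = (
    '{"rule_id": "00000000-0000-4000-8000-000000000001", "name": "Sample Kibana-exported rule", '
    '"type": "query", "language": "kuery", "query": "process.name: sample.exe", '
    '"risk_score": 21, "severity": "low"}\n'
)

# Constructed sample: the same rule after conversion to the native TOML layout.
NATIVE_TOML = """
[metadata]
creation_date = "2024/01/01"

[rule]
name = "Sample native rule"
type = "query"
language = "kuery"
query = "process.name: sample.exe"
"""


def _load_toml(text: str) -> dict:
    """Parse TOML with tomllib when available; otherwise handle only the
    [table] / key = "string" subset that NATIVE_TOML uses."""
    if tomllib is not None:
        return tomllib.loads(text)
    doc: dict = {}
    current = doc
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = doc.setdefault(line[1:-1].strip(), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return doc


def load_rule_documents(text: str, suffix: str) -> list:
    """Load rule documents from text according to the file suffix (.ndjson, .json, .toml)."""
    if suffix == ".ndjson":
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if suffix == ".json":
        data = json.loads(text)
        return data if isinstance(data, list) else [data]
    if suffix == ".toml":
        return [_load_toml(text)]
    raise ValueError(f"unsupported rule file suffix: {suffix}")


def classify_rule_document(obj: dict) -> str:
    """Return "native" (type under [rule]), "kibana" (top-level type) or "unknown"."""
    if isinstance(obj.get("rule"), dict) and "type" in obj["rule"]:
        return "native"
    if "type" in obj:
        return "kibana"
    return "unknown"


def rule_type(obj: dict) -> str:
    """Read the rule type from the location that the document's format uses."""
    fmt = classify_rule_document(obj)
    if fmt == "native":
        return obj["rule"]["type"]
    if fmt == "kibana":
        return obj["type"]
    raise ValueError("document has no rule type at the top level or under [rule]")


def check_importable(obj: dict) -> str:
    """Accept only Kibana-format documents; explain what to do with a native rule instead."""
    fmt = classify_rule_document(obj)
    if fmt == "kibana":
        return f"ok: Kibana-format '{obj['type']}' rule, convert to native TOML"
    if fmt == "native":
        raise ValueError(
            "rule is already in the native [rule] layout; import-rules-to-repo expects a "
            "Kibana-exported document. Move the file into a folder listed in _config.yaml instead."
        )
    raise ValueError("unrecognised rule document")


if __name__ == "__main__":
    for text, suffix in ((KIBANA_NDJSON, ".ndjson"), (NATIVE_TOML, ".toml")):
        for doc in load_rule_documents(text, suffix):
            print(suffix, classify_rule_document(doc), rule_type(doc))
            try:
                print("  ", check_importable(doc))
            except ValueError as exc:
                print("   rejected:", exc)
```

Run as a script, the ndjson sample is accepted and the TOML sample is rejected with the explanatory message; the rejection is the behaviour a user in the original issue's position would want instead of a validation error that mentions the wrong key.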