[Bug] Threshold Rule Importing Failures (#3560)

eric-forte-elastic · github-actions[bot] · commit e10ec0aaf15d · 2024-04-03T18:19:19.000Z
* remove threshold specific req * fix test event override --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit a9cc323)
diff --git a/detection_rules/cli_utils.py b/detection_rules/cli_utils.py
@@ -161,11 +161,6 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos
                 contents[name] = threat_map
             continue
 
-        if name == 'threshold':
-            contents[name] = {n: schema_prompt(f'threshold {n}', is_required=n in options['required'], **opts.copy())
-                              for n, opts in options['properties'].items()}
-            continue
-
         if kwargs.get(name):
             contents[name] = schema_prompt(name, value=kwargs.pop(name))
             continue
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
@@ -963,7 +963,7 @@ def test_event_override(self):
         for rule in self.all_rules:
             # skip rules that do not leverage queries (i.e. machine learning)
             # filters to acceptable query languages in definitions.FilterLanguages
-            # QueryRuleData should inheritenly ignore machine learning rules
+            # QueryRuleData should inherently ignore machine learning rules
             if isinstance(rule.contents.data, QueryRuleData):
                 rule_language = rule.contents.data.language
                 has_event_ingested = rule.contents.data.get('timestamp_override') == 'event.ingested'
@@ -973,7 +973,7 @@ def test_event_override(self):
                     # TODO: determine if we expand this to ES|QL
                     # ignores any rule that does not use EQL or KQL queries specifically
                     # this does not avoid rule types where variants of KQL are used (e.g. new terms)
-                    if rule_language not in ('eql', 'kuery') or rule.contents.data.is_sequence:
+                    if rule_language not in ('eql', 'kuery') or getattr(rule.contents.data, 'is_sequence', False):
                         continue
                     else:
                         errors.append(f'{rule_str} - rule must have `timestamp_override: event.ingested`')
