Closed
Description
Describe the bug
Related to #3266
Related to #3442
When attempting to use the rule importer for Threshold rules, there appear to be issues with automatically importing the threshold values when they are provided in the ndjson.
Based on this code https://github.com/elastic/detection-rules/blob/main/detection_rules/cli_utils.py#L164-L167, this issue has existed since the importer was first introduced several years ago, most likely because the schemas did not exist at the time.
What we need to do is update the cli_utils importer to use existing fields if they exist instead of prompting for them. This should be a relatively small fix.
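The intended behaviour described above, as an added Python example that is not the project's own code: take threshold values from the imported ndjson when they are present and prompt only for required sub-fields that are missing. The schema and the sample export line are constructed, simplified stand-ins.

```python
import json

# Constructed, simplified schema for a rule's "threshold" object (assumption:
# modelled on the threshold fields Kibana exports; not the project's own schema).
THRESHOLD_SCHEMA = {
    "type": "object",
    "required": ["field", "value"],
    "properties": {
        "field": {"type": "array"},
        "value": {"type": "integer"},
        "cardinality": {"type": "array"},
    },
}


def fill_object(schema, provided, prompt):
    """Resolve an object-typed field without re-asking for known values.

    Sub-fields already present in `provided` (parsed from the imported ndjson)
    are kept; only *missing required* sub-fields go through `prompt(name, opts)`.
    Missing optional sub-fields are left out, so a complete export needs no input.
    """
    provided = provided or {}
    required = set(schema.get("required", []))
    contents = {}
    for name, opts in schema["properties"].items():
        if name in provided:
            contents[name] = provided[name]
        elif name in required:
            contents[name] = prompt(name, opts)
    return contents


def import_threshold(ndjson_line, prompt):
    """Parse one exported rule line and resolve its threshold object.

    Returns (threshold, prompted_names); an empty list means no prompting.
    """
    rule = json.loads(ndjson_line)
    asked = []

    def tracking_prompt(name, opts):
        asked.append(name)
        return prompt(name, opts)

    return fill_object(THRESHOLD_SCHEMA, rule.get("threshold"), tracking_prompt), asked


# Constructed sample export line, cut down to the fields this example uses.
SAMPLE_LINE = '{"name": "Example", "type": "threshold", "threshold": {"field": ["user.name"], "value": 5}}'
```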
To Reproduce
Steps to reproduce the behavior:
- Export a threshold rule from Kibana
- Use the importer: `python -m detection_rules import-rules <file.ndjson>`
- See that the importer tries to prompt for threshold fields even though they exist in the ndjson
Patch rule_prompt
I think we just need to remove the custom prompting logic.
diff --git a/detection_rules/cli_utils.py b/detection_rules/cli_utils.py
index e7b0b4853..4eb865615 100644
--- a/detection_rules/cli_utils.py
+++ b/detection_rules/cli_utils.py
@@ -161,11 +161,6 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos
contents[name] = threat_map
continue
- if name == 'threshold':
- contents[name] = {n: schema_prompt(f'threshold {n}', is_required=n in options['required'], **opts.copy())
- for n, opts in options['properties'].items()}
- continue
-
if kwargs.get(name):
contents[name] = schema_prompt(name, value=kwargs.pop(name))
continue
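Review bot: removing the `if name == 'threshold':` branch also removes the only visible path that prompts for threshold sub-fields one at a time (iterating `options['properties']` with `is_required=n in options['required']`) when no value is supplied, such as when a threshold rule is created interactively rather than imported. After this hunk a missing threshold falls past `if kwargs.get(name):` into the generic handling below, which must cope with an object-typed field that has nested `properties` and `required`; please confirm it does, or keep the branch and enter it only when the value is absent, e.g. `if name == 'threshold' and name not in kwargs:`, so imported values still reach `schema_prompt(name, value=kwargs.pop(name))`.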