[Bug] Threshold Rule Importing Failures #3560

eric-forte-elastic · 2024-04-02T13:36:03Z

Issues

Summary

This PR addresses an issue where threshold rules would not import correctly as the rule prompt would ask for information that was present in the rule file instead of using what was supplied. See the original issue for the steps to reproduce the error. The fix is to remove a hardcoding loading for specifically threshold rules to load them in this way. I expect that this was done due to a historic Kibana issue that is not longer necessary.

Note: If you import a rule and then run unit tests they will fail as we have some additional tags and fields that we enforce on our rules that should not be enforced on customers. In testing this, we also found a minor flaw in one of our unit tests (test_event_override) that is also fixed here. Previously the unit test would fail on the first instance of a test violation and not produce a list of all of the rules violating the test. This fix addresses that.

Testing

Export a threshold rule from Kibana
Example: rules_export_threashold.ndjson.txt
Use the importer `python -m detection_rules import-rules <file.ndjson>
See that the importer no longer tries to prompt for threshold fields even though they exist in the ndjson

Mikaayenson

With the issue to do larger refactors later, I think this makes sense.

Mikaayenson · 2024-04-02T19:09:29Z

tests/test_all_rules.py

@@ -973,7 +973,7 @@ def test_event_override(self):
                    # TODO: determine if we expand this to ES|QL
                    # ignores any rule that does not use EQL or KQL queries specifically
                    # this does not avoid rule types where variants of KQL are used (e.g. new terms)
-                    if rule_language not in ('eql', 'kuery') or rule.contents.data.is_sequence:
+                    if rule_language not in ('eql', 'kuery') or getattr(rule.contents.data, 'is_sequence', False):


Good catch.

shashank-elastic · 2024-04-03T17:40:30Z

🟢 Testing Looks Good.

Ran Import Rule of the test file.
threshold fields were not prompted by the importer

python -m detection_rules import-rules ~/Downloads/rules_export_threashold.ndjson 

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building rule for /Users/shashankks/elastic_workspace/detection-rules/rules/test_threshold.toml
actions (multi, comma separated): 
alert_suppression: 
author (required)  (multi, comma separated): Elastic
building_block_type: 
data_view_id: 
exceptions_list (multi, comma separated): 
false_positives (multi, comma separated): 
filters (multi, comma separated): 
license: 
note: 
references (multi, comma separated): 
related_integrations (multi, comma separated): 
required_fields (multi, comma separated): 
risk_score_mapping (multi, comma separated): 
rule_name_override: 
setup: 
severity_mapping (multi, comma separated): 
tags (multi, comma separated): 
add mitre tactic? [y/N]: 
throttle: 
timeline_id: 
timeline_title: 
timestamp_override: 
(.venv)

File creation

* remove threshold specific req * fix test event override --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> (cherry picked from commit a9cc323)

eric-forte-elastic added 2 commits April 2, 2024 08:07

remove threshold specific req

f07c463

fix test event override

c88aacd

eric-forte-elastic added bug Something isn't working Area: DED labels Apr 2, 2024

eric-forte-elastic self-assigned this Apr 2, 2024

eric-forte-elastic requested review from brokensound77 and Mikaayenson as code owners April 2, 2024 13:36

eric-forte-elastic linked an issue Apr 2, 2024 that may be closed by this pull request

[Bug] Threshold Rule Importing Failures #3547

Closed

botelastic bot added the python Internal python for the repository label Apr 2, 2024

eric-forte-elastic changed the title ~~[Bug] Threshold rule importing failures~~ [Bug] Threshold Rule Importing Failures Apr 2, 2024

github-actions bot added the backport: auto label Apr 2, 2024

eric-forte-elastic requested a review from shashank-elastic April 2, 2024 13:36

Mikaayenson approved these changes Apr 2, 2024

View reviewed changes

eric-forte-elastic and others added 2 commits April 2, 2024 18:21

Merge branch 'main' into 3547-bug-threshold-rule-importing-failures

837bd09

Merge branch 'main' into 3547-bug-threshold-rule-importing-failures

a1c9a1b

shashank-elastic approved these changes Apr 3, 2024

View reviewed changes

eric-forte-elastic merged commit a9cc323 into main Apr 3, 2024

eric-forte-elastic deleted the 3547-bug-threshold-rule-importing-failures branch April 3, 2024 18:15

eric-forte-elastic linked an issue Apr 4, 2024 that may be closed by this pull request

[Bug] CLI Command import-rules Prompts Threshold Related Values to be Submitted #3266

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Bug] Threshold Rule Importing Failures #3560

[Bug] Threshold Rule Importing Failures #3560

Uh oh!

eric-forte-elastic commented Apr 2, 2024

Uh oh!

Mikaayenson left a comment

Uh oh!

Mikaayenson Apr 2, 2024

Uh oh!

shashank-elastic commented Apr 3, 2024

Uh oh!

Uh oh!

[Bug] Threshold Rule Importing Failures #3560

[Bug] Threshold Rule Importing Failures #3560

Uh oh!

Conversation

eric-forte-elastic commented Apr 2, 2024

Issues

Summary

Testing

Uh oh!

Mikaayenson left a comment

Choose a reason for hiding this comment

Uh oh!

Mikaayenson Apr 2, 2024

Choose a reason for hiding this comment

Uh oh!

shashank-elastic commented Apr 3, 2024

Uh oh!

Uh oh!