From ffed3fc1801f08ed1334b3acd02b26e95093780e Mon Sep 17 00:00:00 2001
From: eric-forte-elastic
Date: Sat, 29 Mar 2025 22:06:31 -0400
Subject: [PATCH 1/3] Add error catch for workaround
---
 detection_rules/kbwrap.py | 27 +++++++++++++++++++++------
 pyproject.toml | 2 +-
 2 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/detection_rules/kbwrap.py b/detection_rules/kbwrap.py
index bd3b14b756b..9007a2850b9 100644
--- a/detection_rules/kbwrap.py
+++ b/detection_rules/kbwrap.py
@@ -108,6 +108,7 @@ def _parse_list_id(s: str):
 # Re-try to address known Kibana issue: https://github.com/elastic/kibana/issues/143864
 workaround_errors = []
+ workaround_error_types = []
 flattened_exceptions = [e for sublist in exception_dicts for e in sublist]
 all_exception_list_ids = {exception["list_id"] for exception in flattened_exceptions}
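Review bot: The new `workaround_error_types` accumulator on the added line is undocumented, and the `# Re-try to address known Kibana issue` comment just above it describes only the exception-list case, so a reader of this hunk cannot tell what second category of error the list is meant to hold. A trailing comment would close that gap, e.g. `workaround_error_types = []  # retryable import-error categories seen so far; selects the hints printed after the loop`. The enclosing function starts before this hunk.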
@@ -121,13 +122,27 @@ def _parse_list_id(s: str):
 list_id = _parse_list_id(error["error"]["message"])
 if list_id in all_exception_list_ids:
 workaround_errors.append(error["rule_id"])
-
- if workaround_errors:
+ workaround_error_types.append("non existent exception list")
+
+ if (
+ "Error validating create data" in error["error"]["message"]
+ and "expected value of type [string] but got [undefined]" in error["error"]["message"]
+ ):
+ workaround_error_types.append("connector still being built")
+ if workaround_errors and "non existent exception list" in workaround_error_types:
 workaround_errors = list(set(workaround_errors))
- click.echo(f'Missing exception list errors detected for {len(workaround_errors)} rules. ' 'Try re-importing using the following command and rule IDs:\n')
- click.echo('python -m detection_rules kibana import-rules -o ', nl=False)
- click.echo(' '.join(f'-id {rule_id}' for rule_id in workaround_errors))
+ click.echo(
+ f"Missing exception list errors detected for {len(workaround_errors)} rules. "
+ "Try re-importing using the following command and rule IDs:\n"
+ )
+ click.echo("python -m detection_rules kibana import-rules -o ", nl=False)
+ click.echo(" ".join(f"-id {rule_id}" for rule_id in workaround_errors))
+ click.echo()
+ if workaround_errors and "connector still being built" in workaround_error_types:
+ click.echo(
+ f"Connector still being built errors detected for {len(workaround_errors)} rules. "
+ "Please try re-importing the rules again."
+ )
 click.echo()
 def _process_imported_items(imported_items_list, item_type_description, item_key):
diff --git a/pyproject.toml b/pyproject.toml
index a80fd2c0470..86441ff8818 100644
--- a/pyproject.toml
+++ b/pyproject.toml
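Review bot: The connector hint added at the end of this hunk is only reachable when `workaround_errors` is non-empty, but the new connector branch inside the loop appends only to `workaround_error_types`, never to `workaround_errors`, so an import whose only failures are the `Error validating create data` ones prints no hint at all, and when both kinds occur the message reports `len(workaround_errors)`, which counts exception-list rules rather than connector rules. The same guard and count survive in the PATCH 2/3 hunk of this file, where the condition becomes `if workaround_errors:` around both hints. Collecting the affected rule IDs in their own list fixes both the reachability and the count; that list needs initialising next to `workaround_error_types = []` in the previous hunk. The enclosing function starts before this hunk.

```python
# … unchanged: exception-list detection and workaround_errors.append(...) …
if (
    "Error validating create data" in error["error"]["message"]
    and "expected value of type [string] but got [undefined]" in error["error"]["message"]
):
    connector_errors.append(error["rule_id"])
# … unchanged: missing-exception-list re-import hint …
if connector_errors:
    click.echo(
        f"Connector still being built errors detected for {len(connector_errors)} rules. "
        "Please try re-importing the rules again."
    )
    click.echo()
```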
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.0.4"
+version = "1.0.5"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
From e537e83fe2293e0d29d9f5fff49994edc89540b0 Mon Sep 17 00:00:00 2001
From: eric-forte-elastic
Date: Sat, 29 Mar 2025 22:30:06 -0400
Subject: [PATCH 2/3] Switch to set for efficiency
---
 detection_rules/kbwrap.py | 52 ++++++++++++++++++++-------------------
 1 file changed, 27 insertions(+), 25 deletions(-)
diff --git a/detection_rules/kbwrap.py b/detection_rules/kbwrap.py
index 9007a2850b9..27bcd2e7930 100644
--- a/detection_rules/kbwrap.py
+++ b/detection_rules/kbwrap.py
@@ -108,42 +108,44 @@ def _parse_list_id(s: str):
 # Re-try to address known Kibana issue: https://github.com/elastic/kibana/issues/143864
 workaround_errors = []
- workaround_error_types = []
+ workaround_error_types = set()
 flattened_exceptions = [e for sublist in exception_dicts for e in sublist]
 all_exception_list_ids = {exception["list_id"] for exception in flattened_exceptions}
 click.echo(f'{len(response["errors"])} rule(s) failed to import!')
+ action_connector_validation_error = "Error validating create data"
+ action_connector_type_error = "expected value of type [string] but got [undefined]"
 for error in response['errors']:
- click.echo(f' - {error["rule_id"]}: ({error["error"]["status_code"]}) {error["error"]["message"]}')
+ error_message = error["error"]["message"]
+ click.echo(f' - {error["rule_id"]}: ({error["error"]["status_code"]}) {error_message}')
- if "references a non existent exception list" in error["error"]["message"]:
- list_id = _parse_list_id(error["error"]["message"])
+ if "references a non existent exception list" in error_message:
+ list_id = _parse_list_id(error_message)
 if list_id in all_exception_list_ids:
 workaround_errors.append(error["rule_id"])
- workaround_error_types.append("non existent exception list")
-
- if (
- "Error validating create data" in error["error"]["message"]
- and "expected value of type [string] but got [undefined]" in error["error"]["message"]
- ):
- workaround_error_types.append("connector still being built")
- if workaround_errors and "non existent exception list" in workaround_error_types:
+ workaround_error_types.add("non existent exception list")
+
+ if action_connector_validation_error in error_message and action_connector_type_error in error_message:
+ workaround_error_types.add("connector still being built")
+
+ if workaround_errors:
 workaround_errors = list(set(workaround_errors))
- click.echo(
- f"Missing exception list errors detected for {len(workaround_errors)} rules. "
- "Try re-importing using the following command and rule IDs:\n"
- )
- click.echo("python -m detection_rules kibana import-rules -o ", nl=False)
- click.echo(" ".join(f"-id {rule_id}" for rule_id in workaround_errors))
- click.echo()
- if workaround_errors and "connector still being built" in workaround_error_types:
- click.echo(
- f"Connector still being built errors detected for {len(workaround_errors)} rules. "
- "Please try re-importing the rules again."
- )
- click.echo()
+ if "non existent exception list" in workaround_error_types:
+ click.echo(
+ f"Missing exception list errors detected for {len(workaround_errors)} rules. "
+ "Try re-importing using the following command and rule IDs:\n"
+ )
+ click.echo("python -m detection_rules kibana import-rules -o ", nl=False)
+ click.echo(" ".join(f"-id {rule_id}" for rule_id in workaround_errors))
+ click.echo()
+ if "connector still being built" in workaround_error_types:
+ click.echo(
+ f"Connector still being built errors detected for {len(workaround_errors)} rules. "
+ "Please try re-importing the rules again."
+ )
+ click.echo()
 def _process_imported_items(imported_items_list, item_type_description, item_key):
 """Displays appropriately formatted success message that all items imported successfully."""
From 0ddd203be89c5092db465eaf2c5ba4ec99dd78c9 Mon Sep 17 00:00:00 2001
From: eric-forte-elastic
Date: Tue, 15 Apr 2025 08:52:13 -0400
Subject: [PATCH 3/3] Patch version bump
---
 pyproject.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pyproject.toml b/pyproject.toml
index 86441ff8818..d7d73d5df21 100644
--- a/pyproject.toml
+++ b/pyproject.toml
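Review bot: The connector detection at `if action_connector_validation_error in error_message and action_connector_type_error in error_message:` keys on two generic Kibana schema-validation fragments, so as far as I can tell from this hunk any rule whose payload is missing a required string field would also be reported as "connector still being built" and the user told to simply re-import, which can mask a genuine payload error. If the real connector-race message carries a more specific fragment (a field path, for instance), match on that as well; otherwise a comment such as `# Heuristic: a not-yet-created action connector surfaces as a generic schema error in Kibana — verify against the exact message before widening` would at least record the assumption next to the two constants. Separately, the context line `workaround_errors = list(set(workaround_errors))` makes the order of the printed `-id` arguments vary between runs because str hashing is salted per process; `workaround_errors = list(dict.fromkeys(workaround_errors))` dedupes while keeping first-seen order. The enclosing function starts before this hunk.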
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.0.5"
+version = "1.0.7"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"