
[FR] Add Kibana Action Connector Error to Exception List Workaround #4583


Merged
33 changes: 25 additions & 8 deletions detection_rules/kbwrap.py
Expand Up @@ -108,27 +108,44 @@ def _parse_list_id(s: str):

# Re-try to address known Kibana issue: https://github.com/elastic/kibana/issues/143864
workaround_errors = []
workaround_error_types = set()

flattened_exceptions = [e for sublist in exception_dicts for e in sublist]
all_exception_list_ids = {exception["list_id"] for exception in flattened_exceptions}

click.echo(f'{len(response["errors"])} rule(s) failed to import!')

action_connector_validation_error = "Error validating create data"
action_connector_type_error = "expected value of type [string] but got [undefined]"
for error in response['errors']:
click.echo(f' - {error["rule_id"]}: ({error["error"]["status_code"]}) {error["error"]["message"]}')
error_message = error["error"]["message"]
click.echo(f' - {error["rule_id"]}: ({error["error"]["status_code"]}) {error_message}')

if "references a non existent exception list" in error["error"]["message"]:
list_id = _parse_list_id(error["error"]["message"])
if "references a non existent exception list" in error_message:
list_id = _parse_list_id(error_message)
if list_id in all_exception_list_ids:
workaround_errors.append(error["rule_id"])
workaround_error_types.add("non existent exception list")

if action_connector_validation_error in error_message and action_connector_type_error in error_message:
workaround_error_types.add("connector still being built")

if workaround_errors:
workaround_errors = list(set(workaround_errors))
click.echo(f'Missing exception list errors detected for {len(workaround_errors)} rules. '
'Try re-importing using the following command and rule IDs:\n')
click.echo('python -m detection_rules kibana import-rules -o ', nl=False)
click.echo(' '.join(f'-id {rule_id}' for rule_id in workaround_errors))
click.echo()
if "non existent exception list" in workaround_error_types:
click.echo(
f"Missing exception list errors detected for {len(workaround_errors)} rules. "
"Try re-importing using the following command and rule IDs:\n"
)
click.echo("python -m detection_rules kibana import-rules -o ", nl=False)
click.echo(" ".join(f"-id {rule_id}" for rule_id in workaround_errors))
click.echo()
if "connector still being built" in workaround_error_types:
click.echo(
f"Connector still being built errors detected for {len(workaround_errors)} rules. "
"Please try re-importing the rules again."
)
click.echo()

def _process_imported_items(imported_items_list, item_type_description, item_key):
"""Displays appropriately formatted success message that all items imported successfully."""
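Review bot: The new connector branch (`if action_connector_validation_error in error_message and action_connector_type_error in error_message:`) records the error type but never records the rule ID, so the summary that follows cannot report it correctly. The rendered page has lost its indentation, but if the two type checks sit inside `if workaround_errors:` as the line order suggests, an import where only connector errors occur prints no retry hint at all, and when both kinds occur `len(workaround_errors)` counts the exception-list rules rather than the connector ones. A rule that silently stays un-imported is a detection that is not running, so I would collect the IDs separately with `connector_errors.append(error["rule_id"])` in that branch and gate the message on `if connector_errors:` using `len(connector_errors)`. The enclosing function begins above this hunk, so its signature and how `response` is obtained are not visible here.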
2 changes: 1 addition & 1 deletion pyproject.toml
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.0.6"
version = "1.0.7"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
readme = "README.md"
requires-python = ">=3.12"