elastic · Mikaayenson · Jul 1, 2025 · May 27, 2025 · May 27, 2025 · Jun 11, 2025
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,14 +1,16 @@
 # detection-rules code owners
 # POC: Elastic Security Intelligence and Analytics Team
 
-tests/**/*.py     @mikaayenson @eric-forte-elastic @terrancedejesus
-detection_rules/  @mikaayenson @eric-forte-elastic @terrancedejesus
-tests/            @mikaayenson @eric-forte-elastic @terrancedejesus
-lib/              @mikaayenson @eric-forte-elastic @terrancedejesus
-hunting/          @mikaayenson @eric-forte-elastic @terrancedejesus
+tests/**/*.py     @mikaayenson @eric-forte-elastic @traut
+detection_rules/  @mikaayenson @eric-forte-elastic @traut
+tests/            @mikaayenson @eric-forte-elastic @traut
+lib/              @mikaayenson @eric-forte-elastic @traut
+hunting/**/*.py          @mikaayenson @eric-forte-elastic @traut
 
 # skip rta-mapping to avoid the spam
-detection_rules/etc/packages.yaml @mikaayenson @eric-forte-elastic @terrancedejesus
-detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @terrancedejesus
-detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @terrancedejesus
-detection_rules/etc/*/*           @mikaayenson @eric-forte-elastic @terrancedejesus
+detection_rules/etc/packages.yaml @mikaayenson @eric-forte-elastic @traut
+detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @traut
+detection_rules/etc/*/*           @mikaayenson @eric-forte-elastic @traut
+
+# exclude files from code owners
+detection_rules/etc/non-ecs-schema.json
diff --git a/.github/PULL_REQUEST_GUIDELINES/bug_guidelines.md b/.github/PULL_REQUEST_GUIDELINES/bug_guidelines.md
@@ -11,11 +11,7 @@ These guidelines serve as a reminder set of considerations when addressing a bug
 ### Code Standards and Practices
 
 - [ ] Code follows established design patterns within the repo and avoids duplication.
-- [ ] Code changes do not introduce new warnings or errors.
-- [ ] Variables and functions are well-named and descriptive.
-- [ ] Any unnecessary / commented-out code is removed.
 - [ ] Ensure that the code is modular and reusable where applicable.
-- [ ] Check for proper exception handling and messaging.
 
 ### Testing
 
@@ -25,11 +21,9 @@ These guidelines serve as a reminder set of considerations when addressing a bug
 - [ ] Validate that any rules affected by the bug are correctly updated.
 - [ ] Ensure that performance is not negatively impacted by the changes.
 - [ ] Verify that any release artifacts are properly generated and tested.
+- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-cli`, `make test-remote-cli`, `make test-hunting-cli`)
 
 ### Additional Checks
 
-- [ ] Ensure that the bug fix does not break existing functionality.
-- [ ] Review the bug fix with a peer or team member for additional insights.
 - [ ] Verify that the bug fix works across all relevant environments (e.g., different OS versions).
-- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
 - [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.
diff --git a/.github/PULL_REQUEST_GUIDELINES/enhancement_guidelines.md b/.github/PULL_REQUEST_GUIDELINES/enhancement_guidelines.md
@@ -11,11 +11,7 @@ These guidelines serve as a reminder set of considerations when addressing addin
 ### Code Standards and Practices
 
 - [ ] Code follows established design patterns within the repo and avoids duplication.
-- [ ] Code changes do not introduce new warnings or errors.
-- [ ] Variables and functions are well-named and descriptive.
-- [ ] Any unnecessary / commented-out code is removed.
 - [ ] Ensure that the code is modular and reusable where applicable.
-- [ ] Check for proper exception handling and messaging.
 
 ### Testing
 
@@ -25,11 +21,9 @@ These guidelines serve as a reminder set of considerations when addressing addin
 - [ ] Validate that any rules affected by the enhancement are correctly updated.
 - [ ] Ensure that performance is not negatively impacted by the changes.
 - [ ] Verify that any release artifacts are properly generated and tested.
+- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-cli`, `make test-remote-cli`, `make test-hunting-cli`)
 
 ### Additional Checks
 
-- [ ] Ensure that the enhancement does not break existing functionality.
-- [ ] Review the enhancement with a peer or team member for additional insights.
 - [ ] Verify that the enhancement works across all relevant environments (e.g., different OS versions).
-- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
 - [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.
diff --git a/.github/PULL_REQUEST_GUIDELINES/schema_enhancement_guidelines.md b/.github/PULL_REQUEST_GUIDELINES/schema_enhancement_guidelines.md
@@ -11,11 +11,7 @@ These guidelines serve as a reminder set of considerations when addressing addin
 ### Code Standards and Practices
 
 - [ ] Code follows established design patterns within the repo and avoids duplication.
-- [ ] Code changes do not introduce new warnings or errors.
-- [ ] Variables and functions are well-named and descriptive.
-- [ ] Any unnecessary / commented-out code is removed.
 - [ ] Ensure that the code is modular and reusable where applicable.
-- [ ] Check for proper exception handling and messaging.
 
 ### Testing
 
@@ -25,23 +21,21 @@ These guidelines serve as a reminder set of considerations when addressing addin
 - [ ] Validate that any rules affected by the enhancement are correctly updated.
 - [ ] Ensure that performance is not negatively impacted by the changes.
 - [ ] Verify that any release artifacts are properly generated and tested.
+- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-cli`, `make test-remote-cli`, `make test-hunting-cli`)
 
 ### Additional Schema Related Checks
 
-- [ ] Ensure that the enhancement does not break existing functionality. (e.g., run `make test-cli`)
-- [ ] Review the enhancement with a peer or team member for additional insights.
 - [ ] Verify that the enhancement works across all relevant environments (e.g., different OS versions).
-- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
 - [ ] Link to the relevant Kibana PR or issue provided
-- [ ] Exported detection rule(s) from Kibana to showcase the feature(s)
-- [ ] Converted the exported ndjson file(s) to toml in the detection-rules repo
-- [ ] Re-exported the toml rule(s) to ndjson and re-imported into Kibana
+- [ ] Test export/import flow:
+  - [ ] Exported detection rule(s) from Kibana to showcase the feature(s)
+  - [ ] Converted the exported ndjson file(s) to toml in the detection-rules repo
+  - [ ] Re-exported the toml rule(s) to ndjson and re-imported into Kibana
 - [ ] Updated necessary unit tests to accommodate the feature
+- [ ] Incorporated a comprehensive test rule in unit tests for full schema coverage
 - [ ] Applied min_compat restrictions to limit the feature to a specified minimum stack version
 - [ ] Executed all unit tests locally with a test toml rule to confirm passing
 - [ ] Included Kibana PR implementer as an optional reviewer for insights on the feature
 - [ ] Implemented requisite downgrade functionality
 - [ ] Cross-referenced the feature with product documentation for consistency
-- [ ] Incorporated a comprehensive test rule in unit tests for full schema coverage
-- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-remote-cli`)
 - [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.
diff --git a/.github/workflows/code-checks.yaml b/.github/workflows/code-checks.yaml
@@ -0,0 +1,47 @@
+name: Code checks
+
+on:
+  push:
+    branches: [ "main", "7.*", "8.*", "9.*" ]
+  pull_request:
+    branches: [ "*" ]
+    paths:
+      - 'detection_rules/**/*.py'
+      - 'hunting/**/*.py'
+
+jobs:
+  code-checks:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 1
+
+    - name: Set up Python 3.13
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.13'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip cache purge
+        pip install .[dev]
+
+    - name: Linting check
+      run: |
+        ruff check --exit-non-zero-on-fix
+
+    - name: Formatting check
+      run: |
+        ruff format --check
+
+    - name: Pyright check
+      run: |
+        pyright
+
+    - name: Python License Check
+      run: |
+        python -m detection_rules dev license-check
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
@@ -20,25 +20,17 @@ jobs:
       run: |
         git fetch origin main:refs/remotes/origin/main
 
-    - name: Set up Python 3.12
+    - name: Set up Python 3.13
       uses: actions/setup-python@v5
       with:
-        python-version: '3.12'
+        python-version: '3.13'
 
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip cache purge
         pip install .[dev]
 
-    - name: Python Lint
-      run: |
-        python -m flake8 tests detection_rules --ignore D203,N815 --max-line-length 120
-
-    - name: Python License Check
-      run: |
-        python -m detection_rules dev license-check
-
     - name: Unit tests
       env:
         # only run the test test_rule_change_has_updated_date on pull request events to main

diff --git a/Makefile b/Makefile
@@ -43,7 +43,9 @@ license-check: $(VENV) deps
 .PHONY: lint
 lint: $(VENV) deps
 	@echo "LINTING"
-	$(PYTHON) -m flake8 tests detection_rules --ignore D203,N815 --max-line-length 120
+	$(PYTHON) -m ruff check --exit-non-zero-on-fix
+	$(PYTHON) -m ruff format --check
+	$(PYTHON) -m pyright
 
 .PHONY: test
 test: $(VENV) lint pytest

@@ -5,43 +5,38 @@
 
 """Detection rules."""
 
-import sys
-
-
-assert (3, 12) <= sys.version_info < (4, 0), "Only Python 3.12+ supported"
-
-from . import (  # noqa: E402
-    custom_schemas,
+from . import (
     custom_rules,
+    custom_schemas,
     devtools,
     docs,
     eswrap,
     ghwrap,
     kbwrap,
     main,
-    ml,
     misc,
+    ml,
     navigator,
     rule_formatter,
     rule_loader,
     schemas,
-    utils
+    utils,
 )
 
 __all__ = (
-    'custom_rules',
-    'custom_schemas',
-    'devtools',
-    'docs',
-    'eswrap',
-    'ghwrap',
-    'kbwrap',
+    "custom_rules",
+    "custom_schemas",
+    "devtools",
+    "docs",
+    "eswrap",
+    "ghwrap",
+    "kbwrap",
     "main",
-    'misc',
-    'ml',
-    'navigator',
-    'rule_formatter',
-    'rule_loader',
-    'schemas',
-    'utils'
+    "misc",
+    "ml",
+    "navigator",
+    "rule_formatter",
+    "rule_loader",
+    "schemas",
+    "utils",
 )
@@ -3,17 +3,13 @@
 # 2.0; you may not use this file except in compliance with the Elastic License
 # 2.0.
 
-# coding=utf-8
 """Shell for detection-rules."""
-import sys
+
 from pathlib import Path
 
 import click
 
-assert (3, 12) <= sys.version_info < (4, 0), "Only Python 3.12+ supported"
-
-
-from .main import root  # noqa: E402
+from .main import root
 
 CURR_DIR = Path(__file__).resolve().parent
 CLI_DIR = CURR_DIR.parent
@@ -26,7 +22,7 @@
 """
 
 
-def main():
+def main() -> None:
     """CLI entry point."""
     click.echo(BANNER)
     root(prog_name="detection_rules")

@@ -4,9 +4,10 @@
 # 2.0.
 
 """Dataclasses for Action."""
+
 from dataclasses import dataclass
 from pathlib import Path
-from typing import List, Optional
+from typing import Any
 
 from .mixins import MarshmallowDataclassMixin
 from .schemas import definitions
@@ -15,50 +16,56 @@
 @dataclass(frozen=True)
 class ActionMeta(MarshmallowDataclassMixin):
     """Data stored in an exception's [metadata] section of TOML."""
+
     creation_date: definitions.Date
-    rule_id: List[definitions.UUIDString]
+    rule_id: list[definitions.UUIDString]
     rule_name: str
     updated_date: definitions.Date
 
     # Optional fields
-    deprecation_date: Optional[definitions.Date]
-    comments: Optional[str]
-    maturity: Optional[definitions.Maturity]
+    deprecation_date: definitions.Date | None = None
+    comments: str | None = None
+    maturity: definitions.Maturity | None = None
 
 
-@dataclass
+@dataclass(frozen=True)
 class Action(MarshmallowDataclassMixin):
     """Data object for rule Action."""
+
     @dataclass
     class ActionParams:
         """Data object for rule Action params."""
+
         body: str
 
     action_type_id: definitions.ActionTypeId
     group: str
     params: ActionParams
-    id: Optional[str]
-    frequency: Optional[dict]
-    alerts_filter: Optional[dict]
+
+    id: str | None = None
+    frequency: dict[str, Any] | None = None
+    alerts_filter: dict[str, Any] | None = None
 
 
 @dataclass(frozen=True)
 class TOMLActionContents(MarshmallowDataclassMixin):
     """Object for action from TOML file."""
+
     metadata: ActionMeta
-    actions: List[Action]
+    actions: list[Action]
 
 
 @dataclass(frozen=True)
 class TOMLAction:
     """Object for action from TOML file."""
+
     contents: TOMLActionContents
     path: Path
 
     @property
-    def name(self):
+    def name(self) -> str:
         return self.contents.metadata.rule_name
 
     @property
-    def id(self):
+    def id(self) -> list[definitions.UUIDString]:
         return self.contents.metadata.rule_id