From a9cc323d095c1b076a1d9f4575d9d46572430c22 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Wed, 3 Apr 2024 14:15:09 -0400
Subject: [PATCH] [Bug] Threshold Rule Importing Failures (#3560)
* remove threshold specific req
* fix test event override
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---
 detection_rules/cli_utils.py | 5 -----
 tests/test_all_rules.py | 4 ++--
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/detection_rules/cli_utils.py b/detection_rules/cli_utils.py
index e7b0b4853..4eb865615 100644
--- a/detection_rules/cli_utils.py
+++ b/detection_rules/cli_utils.py
@@ -161,11 +161,6 @@ def rule_prompt(path=None, rule_type=None, required_only=True, save=True, verbos
 contents[name] = threat_map
 continue
- if name == 'threshold':
- contents[name] = {n: schema_prompt(f'threshold {n}', is_required=n in options['required'], **opts.copy())
- for n, opts in options['properties'].items()}
- continue
-
 if kwargs.get(name):
 contents[name] = schema_prompt(name, value=kwargs.pop(name))
 continue
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 33084fee7..c66563c34 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -963,7 +963,7 @@ class TestRuleTiming(BaseRuleTest):
 for rule in self.all_rules:
 # skip rules that do not leverage queries (i.e. machine learning)
 # filters to acceptable query languages in definitions.FilterLanguages
- # QueryRuleData should inheritenly ignore machine learning rules
+ # QueryRuleData should inherently ignore machine learning rules
 if isinstance(rule.contents.data, QueryRuleData):
 rule_language = rule.contents.data.language
 has_event_ingested = rule.contents.data.get('timestamp_override') == 'event.ingested'
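Review bot: Nothing in the cli_utils.py hunk records how the `threshold` field is prompted now that its dedicated branch is gone; it falls through to the `kwargs.get(name)` check and whatever generic prompt follows, which lies outside this hunk. The removed branch walked `options['properties']` and passed `is_required=n in options['required']` per nested key, so the generic path presumably handles nested object schemas the same way — that should be confirmed against the rest of rule_prompt, whose body starts and ends outside the hunk. A one-line comment at this point would keep the next reader from re-adding the special case, e.g. `# nested object fields such as 'threshold' are prompted by the generic schema_prompt path below`.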
@@ -973,7 +973,7 @@ class TestRuleTiming(BaseRuleTest):
 # TODO: determine if we expand this to ES|QL
 # ignores any rule that does not use EQL or KQL queries specifically
 # this does not avoid rule types where variants of KQL are used (e.g. new terms)
- if rule_language not in ('eql', 'kuery') or rule.contents.data.is_sequence:
+ if rule_language not in ('eql', 'kuery') or getattr(rule.contents.data, 'is_sequence', False):
 continue
 else:
 errors.append(f'{rule_str} - rule must have `timestamp_override: event.ingested`')
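Review bot: `getattr(rule.contents.data, 'is_sequence', False)` on the changed line hides why the attribute can be missing and would also mask a future rename of `is_sequence`, silently treating every rule as non-sequence and weakening this timestamp-override check. If, as the surrounding language filter suggests, only the EQL rule data class defines `is_sequence` (that class is outside this hunk), tying the lookup to the language states the intent directly: `is_sequence = rule_language == 'eql' and rule.contents.data.is_sequence` followed by `if rule_language not in ('eql', 'kuery') or is_sequence:`. Failing that, a comment such as `# non-EQL rule data has no is_sequence attribute, so default to False` above the `if` would explain the default. The enclosing loop and test method start outside this hunk.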