diff --git a/detection_rules/main.py b/detection_rules/main.py
index c98bb4a9e..84e197ba6 100644
--- a/detection_rules/main.py
+++ b/detection_rules/main.py
@@ -25,7 +25,7 @@ from .misc import add_client, client_error, nested_set, parse_config, load_curre
 from .rule import TOMLRule, TOMLRuleContents, QueryRuleData
 from .rule_formatter import toml_write
 from .rule_loader import RuleCollection
-from .schemas import all_versions, definitions, get_incompatible_fields
+from .schemas import all_versions, definitions, get_incompatible_fields, get_schema_file
 from .utils import Ndjson, get_path, get_etc_path, clear_caches, load_dump, load_rule_contents
 
 RULES_DIR = get_path('rules')
@@ -139,10 +139,13 @@ def build_limited_rules(stack_version: str, output_file: str):
     # Define ndjson instance for output
     ndjson_output = Ndjson()
 
+    # Get API schema for rule type
+    api_schema = get_schema_file(stack_version, "base")["properties"]["type"]["enum"]
+
     # Function to process each rule
     def process_rule(rule, incompatible_fields: List[str]):
-        if rule.contents.type in definitions.UNSUPPORTED_RULE_TYPES:
-            click.secho(f'{rule.contents.name} - Skipping supported rule type: {rule.contents.get("type")}',
+        if rule.contents.type not in api_schema:
+            click.secho(f'{rule.contents.name} - Skipping unsupported rule type: {rule.contents.get("type")}',
                         fg='yellow')
             return None
 
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index a1b4557e9..a177d3939 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
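Review bot: The new `api_schema` line does a four-deep chained index into the loaded schema with no guard, so a stack version whose base schema lacks `properties.type.enum` aborts `build_limited_rules` with a bare `KeyError` that names neither the version nor the missing key. Since this lookup now decides which rules are emitted, it is worth failing with an explicit message; the rewrite below yields the same value on success. Note also that the removed `UNSUPPORTED_RULE_TYPES` set excluded `threshold`, `threat_match`, `new_terms` and `machine_learning` unconditionally, whereas the new check admits any type the schema enum lists, so those types will presumably now flow into the rest of `process_rule`, which continues outside the hunk — confirm that path handles them (for example ML rules with no query). `build_limited_rules` itself starts before this hunk.
```python
    # Get API schema for rule type
    try:
        api_schema = get_schema_file(stack_version, "base")["properties"]["type"]["enum"]
    except KeyError as exc:
        raise click.ClickException(f'base schema for stack {stack_version} has no rule type enum: {exc}') from exc
    # … unchanged: process_rule …
```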
@@ -36,7 +36,6 @@ MACHINE_LEARNING = 'machine_learning'
 SAVED_QUERY = 'saved_query'
 QUERY = 'query'
 QUERY_FIELD_OP_EXCEPTIONS = ["powershell.file.script_block_text"]
-UNSUPPORTED_RULE_TYPES = {'new_terms', 'threat_match', 'threshold', 'machine_learning'}
 
 # we had a bad rule ID make it in before tightening up the pattern, and so we have to let it bypass
 KNOWN_BAD_RULE_IDS = Literal['119c8877-8613-416d-a98a-96b6664ee73a5']