From ea7de8230ccbd146ce8d611b00bddf93daa1d493 Mon Sep 17 00:00:00 2001 From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> Date: Tue, 15 Apr 2025 09:18:50 -0400 Subject: [PATCH] [FR] Add Kibana Action Connector Error to Exception List Workaround (#4583) * Add error catch for workaround * Switch to set for efficiency * Patch version bump --------- Co-authored-by: Mika Ayenson, PhD --- detection_rules/kbwrap.py | 33 +++++++++++++++++++++++++-------- pyproject.toml | 2 +- 2 files changed, 26 insertions(+), 9 deletions(-) diff --git a/detection_rules/kbwrap.py b/detection_rules/kbwrap.py index bd3b14b75..27bcd2e79 100644 --- a/detection_rules/kbwrap.py +++ b/detection_rules/kbwrap.py @@ -108,27 +108,44 @@ def kibana_import_rules(ctx: click.Context, rules: RuleCollection, overwrite: Op # Re-try to address known Kibana issue: https://github.com/elastic/kibana/issues/143864 workaround_errors = [] + workaround_error_types = set() flattened_exceptions = [e for sublist in exception_dicts for e in sublist] all_exception_list_ids = {exception["list_id"] for exception in flattened_exceptions} click.echo(f'{len(response["errors"])} rule(s) failed to import!') + action_connector_validation_error = "Error validating create data" + action_connector_type_error = "expected value of type [string] but got [undefined]" for error in response['errors']: - click.echo(f' - {error["rule_id"]}: ({error["error"]["status_code"]}) {error["error"]["message"]}') + error_message = error["error"]["message"] + click.echo(f' - {error["rule_id"]}: ({error["error"]["status_code"]}) {error_message}') - if "references a non existent exception list" in error["error"]["message"]: - list_id = _parse_list_id(error["error"]["message"]) + if "references a non existent exception list" in error_message: + list_id = _parse_list_id(error_message) if list_id in all_exception_list_ids: workaround_errors.append(error["rule_id"]) + workaround_error_types.add("non existent exception list") + + if action_connector_validation_error in error_message and action_connector_type_error in error_message: + workaround_error_types.add("connector still being built") if workaround_errors: workaround_errors = list(set(workaround_errors)) - click.echo(f'Missing exception list errors detected for {len(workaround_errors)} rules. ' - 'Try re-importing using the following command and rule IDs:\n') - click.echo('python -m detection_rules kibana import-rules -o ', nl=False) - click.echo(' '.join(f'-id {rule_id}' for rule_id in workaround_errors)) - click.echo() + if "non existent exception list" in workaround_error_types: + click.echo( + f"Missing exception list errors detected for {len(workaround_errors)} rules. " + "Try re-importing using the following command and rule IDs:\n" + ) + click.echo("python -m detection_rules kibana import-rules -o ", nl=False) + click.echo(" ".join(f"-id {rule_id}" for rule_id in workaround_errors)) + click.echo() + if "connector still being built" in workaround_error_types: + click.echo( + f"Connector still being built errors detected for {len(workaround_errors)} rules. " + "Please try re-importing the rules again." + ) + click.echo() def _process_imported_items(imported_items_list, item_type_description, item_key): """Displays appropriately formatted success message that all items imported successfully.""" diff --git a/pyproject.toml b/pyproject.toml index 49958ed78..d7d73d5df 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.0.6" +version = "1.0.7" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12"