[Bug] Fix BBR Folder Location Requirements for Specific Integrations (#3348)

* fixing bug in BBR rule folder location * fixed export rules missing BBR rules * adjusted directory loading * Update tests/test_all_rules.py Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2023-12-19 15:36:45 -05:00
parent b32733601a
commit eafec1d857
2 changed files with 11 additions and 6 deletions
@@ -17,7 +17,10 @@ import functools
 from . import ecs
 from .attack import matrix, tactics, build_threat_map_entry
 from .rule import TOMLRule, TOMLRuleContents
-from .rule_loader import RuleCollection, DEFAULT_RULES_DIR, dict_filter
+from .rule_loader import (RuleCollection,
+                          DEFAULT_RULES_DIR,
+                          DEFAULT_BBR_DIR,
+                          dict_filter)
 from .schemas import definitions
 from .utils import clear_caches, get_path

@@ -46,8 +49,8 @@ def single_collection(f):
        rules.load_directories(Path(d) for d in directories)

        if rule_id:
-            rules.load_directory(DEFAULT_RULES_DIR, toml_filter=dict_filter(rule__rule_id=rule_id))
-
+            rules.load_directories((DEFAULT_RULES_DIR, DEFAULT_BBR_DIR),
+                                   toml_filter=dict_filter(rule__rule_id=rule_id))
            if len(rules) != 1:
                client_error(f"Could not find rule with ID {rule_id}")

@@ -80,7 +83,8 @@ def multi_collection(f):
        rules.load_directories(Path(d) for d in directories)

        if rule_id:
-            rules.load_directory(DEFAULT_RULES_DIR, toml_filter=dict_filter(rule__rule_id=rule_id))
+            rules.load_directories((DEFAULT_RULES_DIR, DEFAULT_BBR_DIR),
+                                   toml_filter=dict_filter(rule__rule_id=rule_id))
            found_ids = {rule.id for rule in rules}
            missing = set(rule_id).difference(found_ids)

@@ -632,8 +632,9 @@ class TestRuleMetadata(BaseRuleTest):

                    # checks if the rule path matches the intended integration
                    # excludes BBR rules
-                    if rule_integration in valid_integration_folders:
-                        if rule.path.parent.name not in rule_integrations and rule.path.parent.name != "bbr":
+                    if rule_integration in valid_integration_folders and \
+                            not hasattr(rule.contents.data, 'building_block_type'):
+                        if rule.path.parent.name not in rule_integrations:
                            err_msg = f'{self.rule_str(rule)} {rule_integration} tag, path is {rule.path.parent.name}'
                            failures.append(err_msg)