From eafec1d85792f00f460dcca8cc29a0d336254883 Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 19 Dec 2023 15:36:45 -0500
Subject: [PATCH] [Bug] Fix BBR Folder Location Requirements for Specific Integrations (#3348)
* fixing bug in BBR rule folder location
* fixed export rules missing BBR rules
* adjusted directory loading
* Update tests/test_all_rules.py
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
---
 detection_rules/cli_utils.py | 12 ++++++++----
 tests/test_all_rules.py | 5 +++--
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/detection_rules/cli_utils.py b/detection_rules/cli_utils.py
index 8ec2ce928..e7b0b4853 100644
--- a/detection_rules/cli_utils.py
+++ b/detection_rules/cli_utils.py
@@ -17,7 +17,10 @@ import functools
 from . import ecs
 from .attack import matrix, tactics, build_threat_map_entry
 from .rule import TOMLRule, TOMLRuleContents
-from .rule_loader import RuleCollection, DEFAULT_RULES_DIR, dict_filter
+from .rule_loader import (RuleCollection,
+                          DEFAULT_RULES_DIR,
+                          DEFAULT_BBR_DIR,
+                          dict_filter)
 from .schemas import definitions
 from .utils import clear_caches, get_path
@@ -46,8 +49,8 @@ def single_collection(f):
         rules.load_directories(Path(d) for d in directories)
     if rule_id:
-        rules.load_directory(DEFAULT_RULES_DIR, toml_filter=dict_filter(rule__rule_id=rule_id))
-
+        rules.load_directories((DEFAULT_RULES_DIR, DEFAULT_BBR_DIR),
+                               toml_filter=dict_filter(rule__rule_id=rule_id))
     if len(rules) != 1:
         client_error(f"Could not find rule with ID {rule_id}")
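Review bot: With both DEFAULT_RULES_DIR and DEFAULT_BBR_DIR now searched for the requested rule_id in single_collection, the `if len(rules) != 1` check at the end of the hunk still reports only "Could not find rule", which is misleading whenever the ID matches more than one file (for instance if a rule were ever present under both roots, which I cannot rule out from here); I would make the message carry the count: `client_error(f"Expected exactly one rule with ID {rule_id}, found {len(rules)}")`. The removed blank line between the `if rule_id:` block and the `if len(rules)` check also makes two unrelated statements read as one block, so I would keep a blank line there. The same two-directory load is repeated in the multi_collection hunk, where the found_ids/missing check already distinguishes the cases, so only this hunk needs the message change. single_collection's body continues outside the hunk.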
@@ -80,7 +83,8 @@ def multi_collection(f):
         rules.load_directories(Path(d) for d in directories)
     if rule_id:
-        rules.load_directory(DEFAULT_RULES_DIR, toml_filter=dict_filter(rule__rule_id=rule_id))
+        rules.load_directories((DEFAULT_RULES_DIR, DEFAULT_BBR_DIR),
+                               toml_filter=dict_filter(rule__rule_id=rule_id))
     found_ids = {rule.id for rule in rules}
     missing = set(rule_id).difference(found_ids)
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 58fae3f00..b63d393f1 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -632,8 +632,9 @@ class TestRuleMetadata(BaseRuleTest):
             # checks if the rule path matches the intended integration
             # excludes BBR rules
-            if rule_integration in valid_integration_folders:
-                if rule.path.parent.name not in rule_integrations and rule.path.parent.name != "bbr":
+            if rule_integration in valid_integration_folders and \
+                not hasattr(rule.contents.data, 'building_block_type'):
+                if rule.path.parent.name not in rule_integrations:
                     err_msg = f'{self.rule_str(rule)} {rule_integration} tag, path is {rule.path.parent.name}'
                     failures.append(err_msg)
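Review bot: The new `not hasattr(rule.contents.data, 'building_block_type')` condition on the second added line of the tests/test_all_rules.py hunk only excludes BBR rules if non-BBR rule data objects genuinely lack the attribute; if the data class declares `building_block_type` as an optional field defaulting to None (which I cannot confirm from the hunk), `hasattr` is true for every rule and the path check below becomes vacuous, silently disabling the folder-location test this commit is fixing. Testing the value rather than attribute presence works in both cases: `not getattr(rule.contents.data, 'building_block_type', None)`. The backslash continuation could also be replaced by a parenthesised condition, which is the PEP 8 preference. The enclosing test method starts and ends outside the hunk.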