From ec6038b9d9176ea2d14481fba5bc777b9e954fb4 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Tue, 9 Jul 2024 15:05:12 -0400
Subject: [PATCH] Added Schema Check for Data View ID and Index (#3830)

---
 detection_rules/rule.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index ba14a2f6a..ddb371d58 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -708,6 +708,12 @@ class QueryRuleData(BaseRuleData):
         if validator is not None:
             return validator.get_required_fields(index or [])
 
+    @validates_schema
+    def validates_index_and_data_view_id(self, data, **kwargs):
+        """Validate that either index or data_view_id is set, but not both."""
+        if data.get('index') and data.get('data_view_id'):
+            raise ValidationError("Only one of index or data_view_id should be set.")
+
     @validates_schema
     def validates_query_data(self, data, **kwargs):
         """Custom validation for query rule type and subclasses."""