From ee70674e2cb7ab9ab713d3dffd96940fd8f94e0f Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Wed, 20 Aug 2025 19:04:57 +0530
Subject: [PATCH] Add all rule types DaC testing (#4969)

---
.../etc/custom-consolidated-rules.ndjson | 15 +++++++++++
detection_rules/etc/test_remote_cli.bash | 27 ++++++++++---------
pyproject.toml | 2 +-
3 files changed, 31 insertions(+), 13 deletions(-)
create mode 100644 detection_rules/etc/custom-consolidated-rules.ndjson

diff --git a/detection_rules/etc/custom-consolidated-rules.ndjson b/detection_rules/etc/custom-consolidated-rules.ndjson
new file mode 100644
index 000000000..7a295c9cf
--- /dev/null
+++ b/detection_rules/etc/custom-consolidated-rules.ndjson
@@ -0,0 +1,15 @@ +{"id":"49954888-3d9a-44fd-b224-8f8e9653d294","updated_at":"2025-08-18T03:39:54.977Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.318Z","created_by":"841510929","name":"test_kql_rule","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":50,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"process_started_by_ms_office_program","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"meta":{"type":"phrase","key":"event.action","params":{"query":"Process Create (rule: ProcessCreate)"},"disabled":false,"negate":false},"$state":{"store":"appState"},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"actions":[]} +{"id":"c7c868c0-cfe1-4139-a873-4c8ce7b181c1","updated_at":"2025-08-18T03:41:10.096Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.310Z","created_by":"841510929","name":"test_kql_with_alert_supprestion_and_investigation_fileds","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":50,"severity":"low","note":"This a a test sample investigation Guide\nThis a a test sample 
investigation Guide\nThis a a test sample investigation Guide\n\n!{osquery{\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/lib/systemd/system/%' )\",\"label\":\"test-osquery\"}}\n\n!{investigate{\"label\":\"test-investigation-query\",\"description\":\"test-investigation-query\",\"providers\":[[{\"field\":\"host.name\",\"excluded\":false,\"queryType\":\"phrase\",\"value\":\"test-host\",\"valueType\":\"string\"}]]}}","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"742feb36-ac4c-45e0-b8a5-3b3cfa66b6d2","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"$state":{"store":"appState"},"meta":{"disabled":false,"key":"event.action","negate":false,"type":"phrase","params":{"query":"Process Create (rule: ProcessCreate)"}},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"alert_suppression":{"group_by":["process.parent.name"],"duration":{"value":5,"unit":"h"},"missing_fields_strategy":"suppress"},"actions":[]} 
+{"id":"e9430a4c-5fce-41b7-9d55-7645360e11d9","updated_at":"2025-08-18T03:40:30.081Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.326Z","created_by":"841510929","name":"test_kql_with_alert_suppression","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":50,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"process_started_by_ms_office_program_supression","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"meta":{"type":"phrase","key":"event.action","params":{"query":"Process Create (rule: ProcessCreate)"},"disabled":false,"negate":false},"$state":{"store":"appState"},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"alert_suppression":{"group_by":["process.parent.name"],"duration":{"value":5,"unit":"h"},"missing_fields_strategy":"suppress"},"actions":[]} +{"id":"45241dcf-1bb2-41eb-8e91-89741af275c0","updated_at":"2025-08-18T03:43:41.240Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.317Z","created_by":"841510929","name":"test_eql_rule","tags":["EQL","Windows","rundll32.exe"],"interval":"5m","enabled":true,"revision":1,"description":"Unusual rundll32.exe network 
connection","risk_score":21,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"eql-outbound-rundll32-connections","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.args_count","type":"long","ecs":true},{"name":"process.entity_id","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.pe.original_file_name","type":"keyword","ecs":true}],"setup":"None","type":"eql","language":"eql","index":["logs-*"],"query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]\n","filters":[],"actions":[]} +{"id":"11d7b970-0076-4ae1-b328-16d6778489f2","updated_at":"2025-08-18T03:45:34.509Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.308Z","created_by":"841510929","name":"test_esql_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Find Excel 
events","risk_score":21,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"7e0f6dae-5847-465f-89e9-a6de0e9ef918","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"esql","language":"esql","query":"from auditbeat-8.10.2 METADATA _id, _version, _index | KEEP process.parent.name | where process.parent.name == \"EXCEL.EXE\"\n","actions":[]} +{"id":"72abd101-fe39-43f0-a6d1-e9a373684cab","updated_at":"2025-08-18T03:46:00.515Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.334Z","created_by":"841510929","name":"test_new_terms_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Detects a user associated with a new IP address","risk_score":21,"severity":"medium","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"2390c9dd-ad90-4af6-97a4-1d607ba0f092","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"user.id","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"new_terms","query":"host.name:prml-19 and event.category:authentication and 
event.outcome:failure\n","new_terms_fields":["user.id","source.ip"],"history_window_start":"now-30d","index":["auditbeat*"],"filters":[],"language":"kuery","actions":[]} +{"id":"e0e31a34-2e18-40c0-af09-539021e8439d","updated_at":"2025-08-18T03:47:21.590Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.344Z","created_by":"841510929","name":"test_indicator_match_rule_with_email_actions","tags":[],"interval":"5m","enabled":true,"revision":5,"description":"Checks for bad IP addresses listed in the ip-threat-list index","risk_score":50,"severity":"medium","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"4c589d81-2622-4036-8cc7-372ea8f0e038","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"destination.ip","type":"ip","ecs":true},{"name":"destination.port","type":"long","ecs":true},{"name":"host.ip","type":"ip","ecs":true}],"setup":"None","type":"threat_match","language":"kuery","index":["packetbeat-*"],"query":"destination.ip:* or host.ip:*\n","filters":[],"threat_filters":[],"threat_query":"*:*","threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_language":"kuery","threat_index":["ip-threat-list"],"threat_indicator_path":"threat.indicator","actions":[{"id":"elastic-cloud-email","params":{"message":"Rule {{context.rule.name}} generated {{state.signals_count}} alerts","subject":"Test 
Actions","to":["tradebot-elastic@elastic.com"]},"action_type_id":".email","uuid":"74c388a4-c94f-4541-bacc-2a1b4c47e768","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}]} +{"id":"a0d623ea-e8a4-4eff-9c6c-643ceff9f3e5","updated_at":"2025-08-18T03:44:54.407Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.331Z","created_by":"841510929","name":"test_threshold_with_rule_exception","tags":["Brute force"],"interval":"2m","enabled":true,"revision":1,"description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","risk_score":30,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-3m","rule_id":"liv-win-ser-logins","max_signals":100,"risk_score_mapping":[],"severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"82395156-8ad2-46c3-be79-1f1a23c0d802","list_id":"0a4124f8-2074-450b-8689-d7dee319c666","type":"rule_default","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"threshold","language":"kuery","index":["winlogbeat-*"],"query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","filters":[],"threshold":{"field":["source.ip"],"value":20,"cardinality":[]},"actions":[]} 
+{"id":"9bcffa42-d8b5-4706-afec-3cf33b19d9b1","updated_at":"2025-08-18T03:48:19.634Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.415Z","created_by":"841510929","name":"test_machine_learning_rule_with_index_action_connector ","tags":["machine learning","Linux"],"interval":"5m","enabled":true,"revision":5,"description":"Generates alerts when the job discovers anomalies over 70","risk_score":70,"severity":"high","note":"Shut down the internet.","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"ml_linux_network_high_threshold","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"This rule requires data coming in from Elastic Defend.","type":"machine_learning","anomaly_threshold":70,"machine_learning_job_id":["linux_anomalous_network_activity_ecs"],"actions":[{"id":"e1b418e7-78df-4042-bfb0-1cc5fb6f7a4e","params":{"documents":[{"rule.id":"{{rule.id}}"}]},"action_type_id":".index","uuid":"175f50f8-3bc1-4017-805f-e532d7eb2f91","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}]} +{"_version":"WzE3NjU1LDhd","created_at":"2025-08-14T12:42:04.522Z","created_by":"841510929","description":"","id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","immutable":false,"list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","name":"Test Excpetion List","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"14b3565d-0c8a-48db-b76a-e46c01574a57","type":"detection","updated_at":"2025-08-14T12:42:04.522Z","updated_by":"841510929","version":1} +{"_version":"WzE3NjU2LDhd","comments":[],"created_at":"2025-08-14T12:42:34.361Z","created_by":"841510929","description":"Exception list 
item","entries":[{"type":"match","field":"host.name","value":"test-host","operator":"included"}],"id":"dc084b23-4b9c-40c9-a172-77468ee2a4d9","item_id":"734852b6-b3bf-4942-8b3b-c058bd16088f","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","name":"host_excpetion","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"50c46edf-691b-4397-ad9e-e06a544a81d0","type":"simple","updated_at":"2025-08-14T12:42:34.361Z","updated_by":"841510929"} +{"_version":"WzE3NjUwLDhd","created_at":"2025-08-14T12:19:29.454Z","created_by":"841510929","description":"Exception list containing exceptions for rule with id: 51a51212-5975-45ac-b909-c7840a903141","id":"82395156-8ad2-46c3-be79-1f1a23c0d802","immutable":false,"list_id":"0a4124f8-2074-450b-8689-d7dee319c666","name":"Exceptions for rule - Test Windows server prml-19","namespace_type":"single","os_types":[],"tags":["default_rule_exception_list"],"tie_breaker_id":"46a0d0b5-8793-4f60-a20b-6f76274b1722","type":"rule_default","updated_at":"2025-08-14T12:19:29.454Z","updated_by":"841510929","version":1} +{"_version":"WzE3NjUxLDhd","comments":[],"created_at":"2025-08-14T12:19:31.919Z","created_by":"841510929","description":"Exception list item","entries":[{"type":"match","field":" host.name","value":"liv-win-ser","operator":"included"}],"id":"1a4a30ce-bbf2-483a-86a7-7af9ea4b562e","item_id":"9ed8fb85-d920-4759-ba47-8d273cbb55b6","list_id":"0a4124f8-2074-450b-8689-d7dee319c666","name":"int-ips","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"430065d9-8c30-40bf-a589-706ae5cc490d","type":"simple","updated_at":"2025-08-14T12:19:31.919Z","updated_by":"841510929"} 
+{"id":"e1b418e7-78df-4042-bfb0-1cc5fb6f7a4e","type":"action","updated_at":"2025-08-14T12:30:20.229Z","created_at":"2025-08-14T12:30:20.229Z","version":"WzI3MDY1OSwxMF0=","attributes":{"actionTypeId":".index","name":"test-connector","isMissingSecrets":false,"config":{"index":"logs-connector","refresh":false,"executionTimeField":null},"secrets":{}},"references":[],"managed":false,"coreMigrationVersion":"8.8.0","typeMigrationVersion":"10.1.0"}
+{"exported_count":14,"exported_rules_count":9,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":2,"exported_exception_list_item_count":2,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0,"exported_action_connector_count":1,"missing_action_connection_count":0,"missing_action_connections":[],"excluded_action_connection_count":0,"excluded_action_connections":[]}
diff --git a/detection_rules/etc/test_remote_cli.bash b/detection_rules/etc/test_remote_cli.bash
index 6ab387512..386ed327f 100755
--- a/detection_rules/etc/test_remote_cli.bash
+++ b/detection_rules/etc/test_remote_cli.bash
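Review bot: The `int-ips` exception item (the `rule_default` list item for the threshold rule) has `"field":" host.name"` with a leading space, so after import that exception references a field that does not exist and its `liv-win-ser` entry would never suppress anything; unless this is a deliberately broken case for the round-trip test, it should read `"field":"host.name"` exactly like the `host_excpetion` item in the same file. The machine-learning rule's `"name"` also ends in a trailing space (`"test_machine_learning_rule_with_index_action_connector "`), which is likely to be carried into the converted TOML and any filename derived from it. Worth knowing for anyone reusing this fixture: every rule record is `"enabled":true`, the `threat_match` rule carries a live `.email` action with a hard-coded recipient, and the last record is an `.index` action connector, so importing the file with action connectors enabled activates all of these on the target stack.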
@@ -12,20 +12,23 @@ echo "Performing a quick rule alerts search..." echo "Requires .detection-rules-cfg.json credentials file set." python -m detection_rules kibana search-alerts -echo "Performing a rule export..." -mkdir tmp-export 2>/dev/null -python -m detection_rules kibana export-rules -d tmp-export -sv --skip-errors -r 565d6ca5-75ba-4c82-9b13-add25353471c -ls tmp-export -echo "Removing generated files..." -rm -rf tmp-export - -echo "Performing a rule import..." - +echo "Setting Up Custom Directory..." +mkdir tmp-custom 2>/dev/null python -m detection_rules custom-rules setup-config tmp-custom -export CUSTOM_RULES_DIR=./tmp-custom -cp rules/threat_intel/threat_intel_indicator_match_address.toml tmp-custom/rules/ +export CUSTOM_RULES_DIR=./tmp-custom/ + +echo "Performing a rule conversion from ndjson to toml files..." +python -m detection_rules import-rules-to-repo detection_rules/etc/custom-consolidated-rules.ndjson -ac -e -s $CUSTOM_RULES_DIR/rules --required-only + +echo "Performing a rule import to kibana..." + python -m detection_rules kibana import-rules -o -e -ac -rm -rf tmp-custom + +echo "Performing a rule export..." +python -m detection_rules kibana export-rules -d $CUSTOM_RULES_DIR -ac -e -sv --custom-rules-only + +echo "Removing generated files..." +rm -rf $CUSTOM_RULES_DIR set -e CUSTOM_RULES_DIR echo "Detection-rules Remote CLI tests completed!" diff --git a/pyproject.toml b/pyproject.toml index 8303f0fcb..a9f9f718a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.3.25" +version = "1.3.26" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12"
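Review bot: `rm -rf $CUSTOM_RULES_DIR` at the end of the hunk expands an unquoted variable that is set a few lines earlier by `export CUSTOM_RULES_DIR=./tmp-custom/`; quoting it (`rm -rf "$CUSTOM_RULES_DIR"`) costs nothing and keeps the deletion tied to that value if the script is later edited or the variable is changed by the environment, and the trailing slash in the export also produces `./tmp-custom//rules` in the `-s` argument, which is harmless but untidy. The new `import-rules-to-repo` step converts a fixture whose rules are all `enabled:true` and carry email/index actions, and the following `kibana import-rules -o -e -ac` (which, judging by the matching `-ac -e` on the export side, pushes exceptions and action connectors too) then writes them to whatever Kibana the credentials file points to. Nothing in the hunk checks an exit status, so unless errexit is enabled above line 12 a failed conversion still proceeds to that import; the context line `set -e CUSTOM_RULES_DIR` at the bottom reads like an attempted cleanup, but `set -e` followed by an argument enables errexit and assigns `$1` rather than unsetting anything, so `unset CUSTOM_RULES_DIR` is probably what was meant. A comment before the import would make the intent explicit: `# NOTE: imports the consolidated fixture with overwrite, exceptions and action connectors enabled; run only against a disposable test stack`. The script's head, where a `set -euo pipefail` would belong, is outside the hunk.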