diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 02713b5f8..c7624478e 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -1377,7 +1377,9 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
 
 items_to_update: list[dict[str, Any]] = [
 item for item in value # type: ignore[reportUnknownVariableType]
- if isinstance(item, dict) and get_nested_value(item, sub_key) is None
+ if isinstance(item, dict)
+ and get_nested_value(item, sub_key) is None
+ and get_nested_value(item, "action_type_id") not in definitions.SYSTEM_ACTION_TYPE_IDS
 ]
 for item in items_to_update:
 set_nested_value(item, sub_key, None)
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 7c0989f19..7d0132793 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -121,6 +121,8 @@ KNOWN_BAD_RULE_IDS = Literal["119c8877-8613-416d-a98a-96b6664ee73a5", "7eb54028-
 KNOWN_BAD_DEPRECATED_DATES = Literal["2021-03-03"]
 # Known Null values that cannot be handled in TOML due to lack of Null value support via compound dicts
 KNOWN_NULL_ENTRIES = [{"rule.actions": "frequency.throttle"}]
+# Action type IDs (e.g. .cases) that do not support frequency/throttle; do not add frequency to these
+SYSTEM_ACTION_TYPE_IDS = (".cases",)
 OPERATORS = ["equals"]
 
 TIMELINE_TEMPLATES: Final[dict[str, str]] = {
diff --git a/pyproject.toml b/pyproject.toml
index b23c79650..52fced6b3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.43"
+version = "1.5.44"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
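Review bot: The exemption on the third added line is applied for every `sub_key` this loop handles, while the reason given in definitions.py is specific to frequency/throttle; if KNOWN_NULL_ENTRIES ever gains a second entry, `.cases` actions would silently be skipped for that key as well, so either scope the check to the frequency entry or record the assumption next to it, e.g. `# system actions (e.g. .cases) carry no frequency field, so writing frequency.throttle = None to them is not valid`. Note that an item with no `action_type_id` still passes the filter, since `None not in definitions.SYSTEM_ACTION_TYPE_IDS` is true, which keeps the previous behaviour for such items; presumably intended, but worth stating in the same comment. The enclosing method starts and ends outside the hunk, and whether `definitions` is already imported in rule.py is not visible here.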
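Review bot: The new constant on the second added line is untyped, whereas the neighbouring module-level `TIMELINE_TEMPLATES` in this same hunk is declared with `Final[...]`; for consistency and so the tuple-vs-list choice is deliberate rather than incidental, declare it as `SYSTEM_ACTION_TYPE_IDS: Final[tuple[str, ...]] = (".cases",)`. The comment on the first added line could also name the consumer so the coupling is discoverable, e.g. `# consumed by TOMLRuleContents when filling KNOWN_NULL_ENTRIES; see rule.py`.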