From f306404fe548b59d419fd18110e4916d06a1f577 Mon Sep 17 00:00:00 2001
From: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Date: Wed, 11 Feb 2026 15:18:20 -0500
Subject: [PATCH] [Bug] CLI adds frequency field to system actions (.cases), causing import failure (#5690)

* No frequency field to cases
---
 detection_rules/rule.py                | 4 +++-
 detection_rules/schemas/definitions.py | 2 ++
 pyproject.toml                         | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 02713b5f8..c7624478e 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -1377,7 +1377,9 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
                 items_to_update: list[dict[str, Any]] = [
                     item
                     for item in value  # type: ignore[reportUnknownVariableType]
-                    if isinstance(item, dict) and get_nested_value(item, sub_key) is None
+                    if isinstance(item, dict)
+                    and get_nested_value(item, sub_key) is None
+                    and get_nested_value(item, "action_type_id") not in definitions.SYSTEM_ACTION_TYPE_IDS
                 ]
                 for item in items_to_update:
                     set_nested_value(item, sub_key, None)
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 7c0989f19..7d0132793 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -121,6 +121,8 @@ KNOWN_BAD_RULE_IDS = Literal["119c8877-8613-416d-a98a-96b6664ee73a5", "7eb54028-
 KNOWN_BAD_DEPRECATED_DATES = Literal["2021-03-03"]
 # Known Null values that cannot be handled in TOML due to lack of Null value support via compound dicts
 KNOWN_NULL_ENTRIES = [{"rule.actions": "frequency.throttle"}]
+# Action type IDs (e.g. .cases) that do not support frequency/throttle; do not add frequency to these
+SYSTEM_ACTION_TYPE_IDS = (".cases",)
 
 OPERATORS = ["equals"]
 TIMELINE_TEMPLATES: Final[dict[str, str]] = {
diff --git a/pyproject.toml b/pyproject.toml
index b23c79650..52fced6b3 100644
--- a/pyproject.toml
+++ b/pyproject.toml
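Review bot: The new `action_type_id` exclusion in the comprehension filter applies to every `sub_key` taken from `KNOWN_NULL_ENTRIES`, not only to `frequency.throttle`, so any null entry added to that list later would silently skip `.cases` actions as well, while the constant's own comment scopes the exclusion to frequency. I would bind the exclusion to the key it is meant for, e.g. `and not (sub_key.startswith("frequency") and get_nested_value(item, "action_type_id") in definitions.SYSTEM_ACTION_TYPE_IDS)`, or widen the constant's comment to say system actions are skipped for all known-null fills. If `get_nested_value` returns None for a missing `action_type_id` (as the `is None` test on the preceding line suggests), actions without a type id keep the previous behaviour, which looks intended but is worth a one-line comment. The diffstat shows no test change; a round-trip test with a `.cases` action asserting that no `frequency` key is injected would pin the fix. The enclosing method starts and ends outside the hunk.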
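Review bot: `SYSTEM_ACTION_TYPE_IDS` is a module-level constant used only for membership tests, but unlike `TIMELINE_TEMPLATES` in the same hunk it carries no `Final` annotation; `SYSTEM_ACTION_TYPE_IDS: Final[tuple[str, ...]] = (".cases",)` marks it immutable for type checkers using a name the file already imports, and keeping the tuple (rather than a set) avoids a TypeError should the looked-up value ever be unhashable. The comment should record why the entry exists, since that is what the maintainer adding the next system action needs: `# Kibana system actions (currently .cases) reject a frequency/throttle block on import, so the known-null filler must not add one to them`. Whether other system action types share this restriction is not established by the diff, so I would extend the tuple only on evidence of a concrete import failure.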
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.43"
+version = "1.5.44"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"