[Bug] CLI detection_rules kibana import-rules imports all exceptions and connectors if --rule-file or --rule-id is set #4574
frederikb96 opened this issue Mar 27, 2025 · 1 comment
Labels
bug Something isn't working community Team: TRADE

frederikb96 commented Mar 27, 2025

Describe the Bug

According to the CLI documentation for kibana import-rules command, when setting --rule-file or --rule-id argument, only a single rule should be imported and not everything recursively from the directory.

However, this imports all exceptions and connectors and not only the exception lists and connectors linked to the rule of interest.

So all exception lists and connectors are imported if the env CUSTOM_RULES_DIR is set (which is necessary to find items the rule depends on).

To Reproduce

In the Screenshare you can see the problem:

Screencast.From.2025-03-27.12-42-41.webm
  1. The env is set
  2. The command imports all the exceptions from the custom dir to Kibana though the rule doesn't contain any exceptions or connectors at all.
  3. Unset the env
  4. Only the rule is imported

Expected Behavior

Only the exceptions and connectors that the rule depends on should be imported.

Screenshots

No response

Desktop - OS

None

Desktop - Version

No response

Additional Context

@frederikb96 frederikb96 added bug Something isn't working Team: TRADE labels Mar 27, 2025
@frederikb96
Contributor Author

This is especially problematic for the use of the flag -id, --rule-id TEXT since we need to have the environment variable CUSTOM_RULES_DIR set to use the flag. But this will also lead to all exceptions and action connectors being imported even though undesired:

export CUSTOM_RULES_DIR=custom-soc
❯ python -m detection_rules kibana --space $SPACE --ignore-ssl-errors true import-rules -id $RULE_ID --overwrite
Loaded config file: /var/home/frederik/Programming/elastic-detection-rules-soc/.detection-rules-cfg.yaml

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

1 rule(s) successfully imported
 - 87596efc-e89a-4f3b-9a58-3632b4871d8d
34 exception list(s) successfully imported
1 action connector(s) successfully imported
 - 4a6ec133-d852-45ce-8573-52b9dada3327

and without the var set, no dir is found to look for the id:

❯ unset CUSTOM_RULES_DIR
❯ python -m detection_rules kibana --space $SPACE --ignore-ssl-errors true import-rules -id $RULE_ID --overwrite
Loaded config file: /var/home/frederik/Programming/elastic-detection-rules-soc/.detection-rules-cfg.yaml
CLI Error (): Could not find rules with IDs: 87596efc-e89a-4f3b-9a58-3632b4871d8d

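The behaviour the report asks for, as an added example (not code from the detection-rules project): given a rule and the exception-list and connector documents found under CUSTOM_RULES_DIR, keep only the ones the rule actually references. It assumes a simplified, already-parsed shape of the TOML documents (rule `exceptions_list` entries with `list_id`, `actions` entries with `id`, exception files with `container.list_id`, connector files with `id`); the sample documents are constructed.

```python
# Added example, not code from the detection-rules project. It assumes a
# simplified, already-parsed shape of the rule, exception-list and
# connector TOML documents and does not use the project's own loaders.

# Constructed sample rule that references one exception list and one connector.
RULE_WITH_DEPS = {
    "rule": {
        "rule_id": "00000000-0000-4000-8000-000000000001",  # placeholder
        "exceptions_list": [
            {"id": "exc-a", "list_id": "list-a", "type": "detection",
             "namespace_type": "single"},
        ],
        "actions": [
            {"action_type_id": ".slack", "group": "default", "id": "conn-1",
             "params": {"message": "alert"}},
        ],
    }
}
# The case from the report: a rule with no exceptions and no actions at all.
RULE_WITHOUT_DEPS = {"rule": {"rule_id": "00000000-0000-4000-8000-000000000002"}}

# Constructed documents standing in for files under CUSTOM_RULES_DIR.
EXCEPTION_DOCS = [
    {"exceptions": [{"container": {"id": "exc-a", "list_id": "list-a"}, "items": []}]},
    {"exceptions": [{"container": {"id": "exc-b", "list_id": "list-b"}, "items": []}]},
]
CONNECTOR_DOCS = [
    {"action_connectors": [{"id": "conn-1", "attributes": {"name": "slack"}}]},
    {"action_connectors": [{"id": "conn-2", "attributes": {"name": "email"}}]},
]


def select_dependencies(rule_doc, exception_docs, connector_docs):
    """Return (exceptions, connectors) limited to what the rule references.

    A rule that references nothing gets nothing, not the whole directory.
    """
    rule = rule_doc["rule"]
    # Match on the fields the rule itself carries: list_id and connector id.
    wanted_lists = {e["list_id"] for e in rule.get("exceptions_list", [])}
    wanted_conns = {a["id"] for a in rule.get("actions", [])}
    exceptions = [
        doc for doc in exception_docs
        if any(e["container"]["list_id"] in wanted_lists for e in doc["exceptions"])
    ]
    connectors = [
        doc for doc in connector_docs
        if any(c["id"] in wanted_conns for c in doc["action_connectors"])
    ]
    return exceptions, connectors
```

With this filter in front of the import, the run shown above would import one rule, zero exception lists and zero connectors.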
@frederikb96 frederikb96 changed the title [Bug] CLI detection_rules kibana import-rules doesnt regard the --rule-file parameter for exceptions and actions if dir env is set [Bug] CLI detection_rules kibana import-rules imports all exceptions and connectors if --rule-file or --rule-id is set Mar 27, 2025