diff --git a/docs/core_component_syncing_rules_and_data_from_vcs_to_elastic_security.md b/docs/core_component_syncing_rules_and_data_from_vcs_to_elastic_security.md index cbe7720..fc2bf02 100644 --- a/docs/core_component_syncing_rules_and_data_from_vcs_to_elastic_security.md +++ b/docs/core_component_syncing_rules_and_data_from_vcs_to_elastic_security.md @@ -113,7 +113,7 @@ Commands: ... ``` -💡 Note: For stacks with a version prior to 9.0, one can use the `kibana upload-rule` command. However, this is not recommended and one should use the `kibana import-rules` in its place. +💡 Note: For stacks with a version prior to 9.0, one can use the `kibana upload-rule` command. However, this is not recommended and one should use the `kibana import-rules` in its place. See the [CLI.md](https://github.com/elastic/detection-rules/blob/main/CLI.md) for more details. ```bash █▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄ @@ -126,17 +126,7 @@ Usage: detection_rules kibana [OPTIONS] COMMAND [ARGS]... Options: --ignore-ssl-errors TEXT - --space TEXT Kibana space - --kibana-url TEXT - --api-key TEXT [required] - --cloud-id TEXT ID of the cloud instance. - -h, --help Show this message and exit. - -Commands: - export-rules Export custom rules from Kibana. - import-rules Import custom rules into Kibana. - search-alerts Search detection engine alerts with KQL. - upload-rule [Deprecated] Upload a list of rule .toml files to Kibana. +... ``` ### Testing diff --git a/docs/internals_of_the_detection_rules_repo.md b/docs/internals_of_the_detection_rules_repo.md index 1b1ca86..f092348 100644 --- a/docs/internals_of_the_detection_rules_repo.md +++ b/docs/internals_of_the_detection_rules_repo.md 
@@ -170,27 +170,28 @@ The repository extensively utilizes schemas sourced from upstream (e.g., Beats, 1. Explore the [rule dataclasses](https://github.com/elastic/detection-rules/blob/main/detection_rules/rule.py) detailed in the repository to understand the expected format for rule definitions. These are periodically updated to reflect new capabilities within the Kibana features set. ```python -@dataclass(frozen=True) +@dataclass(frozen=True, kw_only=True) class RuleMeta(MarshmallowDataclassMixin): """Data stored in a rule's [metadata] section of TOML.""" + creation_date: definitions.Date updated_date: definitions.Date - deprecation_date: Optional[definitions.Date] + deprecation_date: definitions.Date | None = None # Optional fields - bypass_bbr_timing: Optional[bool] - comments: Optional[str] - integration: Optional[Union[str, List[str]]] - maturity: Optional[definitions.Maturity] - min_stack_version: Optional[definitions.SemVer] - min_stack_comments: Optional[str] - os_type_list: Optional[List[definitions.OSType]] - query_schema_validation: Optional[bool] - related_endpoint_rules: Optional[List[str]] - promotion: Optional[bool] + bypass_bbr_timing: bool | None = None + comments: str | None = None + integration: str | list[str] | None = None + maturity: definitions.Maturity | None = None + min_stack_version: definitions.SemVer | None = None + min_stack_comments: str | None = None + os_type_list: list[definitions.OSType] | None = None + query_schema_validation: bool | None = None + related_endpoint_rules: list[str] | None = None + promotion: bool | None = None # Extended information as an arbitrary dictionary - extended: Optional[Dict[str, Any]] + extended: dict[str, Any] | None = None ``` 2. Visit the etc/ directory within the repository to review additional resources, including validation schemas and configuration files required for rule management and development. diff --git a/docs/known_limitations.md b/docs/known_limitations.md index bf9f863..71ed1c3 100644 
--- a/docs/known_limitations.md +++ b/docs/known_limitations.md @@ -15,11 +15,10 @@ ## No Direct Support -- Managing prebuilt rules via DaC workflows is not supported at the moment (this is being addressed). - Rule loading - Core repo (loading Rule object) - - Officially supports from TOML to Rule object - - Support for json yaml will exist but will remain in a dict format + - Officially supports loading from TOML to Rule object + - Support for json and yaml exists but will remain in a dict format (as opposed to the nested TOML format) - This is only a convenience utility and will only be supported across minimal components, since all functionality depends on the validated object (and related pieces) - Kibana module does support raw dict's - We added a RawDictLoader as a util, but this will only serve to load rules to dicts, bypassing most of the value of the core repo @@ -32,6 +31,7 @@ ## Potential Upcoming Enhancements - Support for customizable folder structure: - - There currently is no support for customizing the folder structure which decides how rules are stored on disk when downloaded from kibana (however, this can also be reconciled post download in whatever manner desired). + - There currently is not full support for customizing the folder structure which decides how rules are stored on disk. - This means that users have to manually move rules to specific organized folders. - - This is tracked in: [#3625](https://github.com/elastic/detection-rules/issues/3625) \ No newline at end of file + - This is tracked in: [#3625](https://github.com/elastic/detection-rules/issues/3625) + - However, there is support for using an existing folder structure when importing rules from a Kibana export. This is done by using the `--load-rule-loading / -lr` option in the `kibana export-rules` and `import-rules-to-repo` commands. See [#4891](https://github.com/elastic/detection-rules/issues/4891) and its associated PR for more details. \ No newline at end of file
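Review bot: In the docs/core_component_syncing_rules_and_data_from_vcs_to_elastic_security.md hunk at @@ -113,7, the new sentence still introduces `kibana upload-rule` as something "one can use" before saying it is not recommended, while the `[Deprecated]` marker that made the status obvious lives in the help listing the next hunk removes; say it plainly, e.g. "`kibana upload-rule` is deprecated; use `kibana import-rules` instead. See [CLI.md](https://github.com/elastic/detection-rules/blob/main/CLI.md) for details." Also drop the article in "See the [CLI.md]".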
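Review bot: In the docs/core_component_syncing_rules_and_data_from_vcs_to_elastic_security.md hunk at @@ -126,17, collapsing the help output to `...` leaves `--ignore-ssl-errors TEXT` as the only option shown and drops the only place this doc described `export-rules`, `import-rules` and `search-alerts`, plus the `[Deprecated]` marker on `upload-rule`. If the goal is to avoid a stale copy of `--help`, keep at least the `Commands:` block (it is what the surrounding text refers to) or replace the block with a one-liner such as "run `detection_rules kibana -h` for the current option and command list" so readers know the listing is intentionally abbreviated.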
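Review bot: In the docs/internals_of_the_detection_rules_repo.md hunk at @@ -170,27, the updated `RuleMeta` snippet uses `X | None` unions and `@dataclass(frozen=True, kw_only=True)`, both of which require Python 3.10 or newer; since this snippet is presented as the reference shape for rule metadata, state the Python floor next to it or in the repo prerequisites so contributors on older interpreters are not surprised. Worth a sentence too: `kw_only=True` means `RuleMeta` can no longer be constructed positionally, and `deprecation_date` changes from a required field to one defaulting to `None`, so any other doc or example that builds `RuleMeta(...)` should be updated in the same change.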
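Review bot: In the docs/known_limitations.md hunk at @@ -15,11, the bullet "Managing prebuilt rules via DaC workflows is not supported at the moment (this is being addressed)" is deleted without a replacement, so a reader of the new file cannot tell whether that limitation was lifted or merely dropped from the list. If prebuilt-rule management is now supported, say so (and where it is documented); if it is still partial, move the bullet under "Potential Upcoming Enhancements" with the tracking issue. While here, the context line "Kibana module does support raw dict's" should read "raw dicts".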
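Review bot: In the docs/known_limitations.md hunk at @@ -32,6, the option is written as `--load-rule-loading / -lr`, which reads oddly for a flag that reuses an existing folder structure; please double-check the spelling against the actual `kibana export-rules` and `import-rules-to-repo` option names in CLI.md before merging, and link the PR directly rather than "its associated PR". Two smaller points: "There currently is not full support for customizing the folder structure" reads better as "There is currently only partial support for customizing the folder structure", and the `\ No newline at end of file` marker is still present on the `+` side, so add a trailing newline.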