When using export-rules-from-repo with --include-exceptions (-e) or --include-action-connectors (-ac), the command includes all exception lists and all action connectors from the repo in the exported NDJSON file, instead of only those whose metadata.rule_ids are associated with the rules being exported.
By contrast, kibana import-rules correctly scopes exceptions and action connectors to the rule IDs being imported (via _matches_rule_ids). Export should mirror that behavior so that a subset export (e.g. --rule-id X -e) only includes exceptions/connectors linked to the exported rules.
To Reproduce
Have a repo with multiple rules and multiple exception lists (and/or action connectors), where different rules reference different exceptions.
Export a subset of rules with exceptions: python -m detection_rules export-rules-from-repo --rule-id <one-rule-id> -e -o subset.ndjson
Inspect the NDJSON: it contains every exception list in the repo, not only the one(s) linked to <one-rule-id>.
Expected Behavior
When --include-exceptions is used, only exception lists whose metadata.rule_ids intersect with the set of exported rule IDs should be included in the NDJSON.
When --include-action-connectors is used, only action connectors whose metadata.rule_ids intersect with the set of exported rule IDs should be included.
Full-repo export (no --rule-id filter) should still include all exceptions/connectors that are linked to any of the exported rules (unchanged in practice when exporting all rules).
Additional Context
The same rule-ID association is used in exception/connector TOML: metadata.rule_ids (and in kbwrap, _matches_rule_ids). Centralizing this in generic_loader.matches_rule_ids keeps import and export behavior aligned and avoids duplication.
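The scoping described under Expected Behavior and Additional Context, as an added example that is not the detection_rules project's own code: a `matches_rule_ids` stand-in (hypothetical, mirroring the shared helper the issue proposes) that keeps only the exception lists and action connectors whose `metadata.rule_ids` intersect the exported rule IDs, with constructed sample items.

```python
import json
from typing import Iterable

# Constructed sample items in the shape the issue describes: each exception list
# and action connector carries metadata.rule_ids naming the rules it is linked to.
EXCEPTION_LISTS = [
    {"metadata": {"rule_ids": ["rule-A"]}, "name": "allow-list-a"},
    {"metadata": {"rule_ids": ["rule-B", "rule-C"]}, "name": "allow-list-bc"},
    {"metadata": {"rule_ids": []}, "name": "orphan-list"},
]
ACTION_CONNECTORS = [
    {"metadata": {"rule_ids": ["rule-A", "rule-B"]}, "name": "slack"},
    {"metadata": {"rule_ids": ["rule-C"]}, "name": "pagerduty"},
]


def matches_rule_ids(item: dict, rule_ids: Iterable[str]) -> bool:
    """True when the item's metadata.rule_ids intersects the exported rule IDs.

    Hypothetical stand-in for the generic_loader.matches_rule_ids helper the
    issue proposes; items with missing metadata or rule_ids never match.
    """
    linked = set(item.get("metadata", {}).get("rule_ids") or [])
    return not linked.isdisjoint(rule_ids)


def scope_to_rules(items: list[dict], rule_ids: Iterable[str]) -> list[dict]:
    """Keep only the items linked to at least one exported rule."""
    wanted = set(rule_ids)
    return [item for item in items if matches_rule_ids(item, wanted)]


def export_ndjson(rule_ids: list[str], include_exceptions: bool = False,
                  include_action_connectors: bool = False) -> str:
    """NDJSON for the selected rules plus only their linked exceptions/connectors."""
    docs = [{"rule_id": rid} for rid in rule_ids]  # rule documents (constructed)
    if include_exceptions:
        docs += scope_to_rules(EXCEPTION_LISTS, rule_ids)
    if include_action_connectors:
        docs += scope_to_rules(ACTION_CONNECTORS, rule_ids)
    return "\n".join(json.dumps(doc, sort_keys=True) for doc in docs) + "\n"
```

Exporting all three rules still yields every linked exception and connector, while the orphan list (empty `rule_ids`) is dropped in both cases.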