[DaC] Beta Release #3889

Merged
merged 102 commits into from
Aug 6, 2024

Conversation

@eric-forte-elastic (Contributor) commented Jul 12, 2024

Pull Request

Issue link(s):
https://github.com/elastic/ia-trade-team/issues/345

Summary - What I changed

Note: There is an intermittent issue when importing many rules and exception lists at the same time related to elastic/kibana#143864 that is currently being investigated. This may cause exception list references to be stripped when importing rules in some cases.

This PR is to promote the DAC-Feature branch to a beta release through merging to main.

We will want this PR to go through extensive, independent testing. One of the goals of pushing to Beta is to feature freeze the current DaC features. Testing the completeness of the features to achieve the desired workflow of using DaC to manage rules is just as important as functionality testing.

Note: Make sure to especially review logic changes in core functions like multi_collection(f):

TL;DR: Jump to the Automated Testing section and run the tests; with those tests plus a manual review, this should be good to merge.

Testing

For testing we have 2 main workflows we need to test.

  1. Moving and testing custom rules and exceptions using the kibana import/export-rules
  2. Moving and testing custom rules and exceptions using import-rules-to-repo and export-rules-to-repo

These workflows should support appropriate testing and configuration for managing unit tests and schema validation.

Examples of things that we need to test for each workflow.

  1. Skipping unit tests for some subset of rules
  2. Skipping schema validation for some subset of rules
  3. Testing error handling to make sure errors are handled gracefully, as desired

We want to know where our code breaks, to make sure it breaks gracefully in the cases where that is appropriate. We should try to load rules that are known to be broken (missing data, missing indexes, etc.) and are expected to fail, as we want to make sure we are controlling the way they fail.

With this in mind there are a few collections of rules that we can use for testing.

Major Functionality Updates

Configuration Files

We need to test what happens when we have bad settings in the config files or when they are missing

Commands with major functionality updates that should be tested

Specifically, these have been updated with support for the configuration files and for handling exceptions, and need to be tested.

  • kibana export-rules
  • kibana import-rules
  • import-rules-to-repo
  • export-rules-from-repo

Automated Testing

Base Functionality Testing (to test core features did not break)

  1. Run make test-cli
  2. Run make test-remote-cli

New Feature Functionality Testing (DAC-feature additions)

test_custom_cli.bash

#!/bin/bash

# Path to the virtual environment
VENV_PATH="./env/detection-rules-build"

# Activate the virtual environment
source "$VENV_PATH/bin/activate"

# Get the ndjson file path from the first argument (fail early with a usage message if it is missing)
ndjson_file_path="${1:?usage: $0 <path_to_ndjson_file>}"

echo "Running detection-rules CLI tests for custom rules..."

echo "Importing rules from specified ndjson..."
# Quoted so paths containing spaces are passed as a single argument
python -m detection_rules import-rules-to-repo "$ndjson_file_path" --required-only -e -ac

echo "Run tests..."
make test

echo "Performing a rule export to ndjson..."
python -m detection_rules export-rules-from-repo -e -ac

echo "Detection-rules CLI tests completed!"

test_custom_remote_cli.bash

#!/bin/bash

# Path to the virtual environment
VENV_PATH="./env/detection-rules-build"

# Activate the virtual environment
source "$VENV_PATH/bin/activate"

echo "Running detection-rules remote CLI tests for custom rules..."

echo "Performing a quick rule alerts search..."
echo "Requires .detection-rules-cfg.json credentials file set."
python -m detection_rules kibana search-alerts

echo "Performing a rule import..."
python -m detection_rules kibana import-rules --overwrite -e -ac

echo "Running Tests..."
make test

echo "Performing a rule export..."
# -p: do not fail if the directory already exists from a previous run
mkdir -p tmp-export
python -m detection_rules kibana export-rules -d tmp-export -s -sv -e -ac

echo "Detection-rules CLI tests completed!"

  1. Setup custom config: python -m detection_rules custom-rules setup-config custom_rules_testing
  2. Have Rule Export .ndjson locally accessible (bring your own or download one of the reference ones above)
  3. Run bash test_custom_cli.sh <path_to_ndjson_file>
  4. Run bash test_custom_remote_cli.sh

Automated Testing Expected Results

Please note that your testing results will be different depending on your config and the rules you used to test. To obtain the desired results you will need to match the configuration for each command. The results for make test-cli require a non-custom config, as these commands are designed to test our base functionality for detection rules. make test-remote-cli can function either with a custom config or without one; however, the results will vary based on your custom rules. It may be common for custom rules to have a version and a revision field set, which will cause them all to fail unless bypass_version_lock is set to True. The same is true for both custom bash scripts, which are designed to test the DaC features and expect a custom config to be set.

make test-cli

detection-rules on  DAC-feature [$?] is  v0.1.0 via   on  eric.forte
❯ make test-cli
Installing all dependencies...
./env/detection-rules-build/bin/pip install .[dev]
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing /home/forteea1/Code/clean_mains/detection-rules
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting detection-rules-kql@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /tmp/pip-install-molt5ueh/detection-rules-kql_386f5be35f30421c8dd959f71b661606
  Running command git clone --filter=blob:none --quiet https://github.com/elastic/detection-rules.git /tmp/pip-install-molt5ueh/detection-rules-kql_386f5be35f30421c8dd959f71b661606
  Resolved https://github.com/elastic/detection-rules.git to commit 03c99d22d3924b938574dc108dcc9f38af2ecc0e
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting detection-rules-kibana@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /tmp/pip-install-molt5ueh/detection-rules-kibana_5c68f5c125294e8588c1e9b1b7ffc441
  Running command git clone --filter=blob:none --quiet https://github.com/elastic/detection-rules.git /tmp/pip-install-molt5ueh/detection-rules-kibana_5c68f5c125294e8588c1e9b1b7ffc441
  Resolved https://github.com/elastic/detection-rules.git to commit 03c99d22d3924b938574dc108dcc9f38af2ecc0e
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: Click~=8.1.7 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.1.7)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.12.1)
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.9.19)
Requirement already satisfied: jsl==0.2.4 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.2.4)
Requirement already satisfied: jsonschema>=4.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (4.22.0)
Requirement already satisfied: marko==2.0.3 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.0.3)
Requirement already satisfied: marshmallow-dataclass~=8.6.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow-dataclass[union]~=8.6.0->detection_rules==0.1.0) (8.6.1)
Requirement already satisfied: marshmallow-jsonschema~=0.13.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.13.0)
Requirement already satisfied: marshmallow-union~=0.1.15 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.1.15.post1)
Requirement already satisfied: marshmallow~=3.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.21.2)
Requirement already satisfied: pytoml==0.1.21 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.1.21)
Requirement already satisfied: PyYAML~=6.0.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (6.0.1)
Requirement already satisfied: requests~=2.31.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.31.0)
Requirement already satisfied: toml==0.10.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.10.2)
Requirement already satisfied: typing-inspect==0.9.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.9.0)
Requirement already satisfied: typing-extensions==4.10.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (4.10.0)
Requirement already satisfied: XlsxWriter~=3.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.2.0)
Requirement already satisfied: semver==3.0.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.0.2)
Requirement already satisfied: lark-parser~=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from eql==0.9.19->detection_rules==0.1.0) (0.12.0)
Requirement already satisfied: mypy-extensions>=0.3.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from typing-inspect==0.9.0->detection_rules==0.1.0) (1.0.0)
Requirement already satisfied: pep8-naming==0.13.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.13.0)
Requirement already satisfied: PyGithub==2.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.2.0)
Requirement already satisfied: flake8==7.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (7.0.0)
Requirement already satisfied: pyflakes==3.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.2.0)
Requirement already satisfied: pytest>=8.1.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.2.1)
Requirement already satisfied: nodeenv==1.8.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (1.8.0)
Requirement already satisfied: pre-commit==3.6.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.6.2)
Requirement already satisfied: mccabe<0.8.0,>=0.7.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from flake8==7.0.0->detection_rules==0.1.0) (0.7.0)
Requirement already satisfied: pycodestyle<2.12.0,>=2.11.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from flake8==7.0.0->detection_rules==0.1.0) (2.11.1)
Requirement already satisfied: setuptools in ./env/detection-rules-build/lib/python3.12/site-packages (from nodeenv==1.8.0->detection_rules==0.1.0) (70.1.1)
Requirement already satisfied: cfgv>=2.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (3.4.0)
Requirement already satisfied: identify>=1.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (2.5.36)
Requirement already satisfied: virtualenv>=20.10.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (20.26.2)
Requirement already satisfied: pynacl>=1.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (1.5.0)
Requirement already satisfied: pyjwt>=2.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pyjwt[crypto]>=2.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (2.8.0)
Requirement already satisfied: urllib3>=1.26.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (2.2.1)
Requirement already satisfied: Deprecated in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (1.2.14)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection_rules==0.1.0) (8.13.0)
Requirement already satisfied: attrs>=22.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (23.2.0)
Requirement already satisfied: jsonschema-specifications>=2023.03.6 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (2023.12.1)
Requirement already satisfied: referencing>=0.28.4 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (0.35.1)
Requirement already satisfied: rpds-py>=0.7.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (0.18.1)
Requirement already satisfied: packaging>=17.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow~=3.21.1->detection_rules==0.1.0) (24.0)
Requirement already satisfied: typeguard<4.0.0,>=2.4.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow-dataclass[union]~=8.6.0->detection_rules==0.1.0) (3.0.2)
Requirement already satisfied: iniconfig in ./env/detection-rules-build/lib/python3.12/site-packages (from pytest>=8.1.1->detection_rules==0.1.0) (2.0.0)
Requirement already satisfied: pluggy<2.0,>=1.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from pytest>=8.1.1->detection_rules==0.1.0) (1.5.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (3.7)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (2024.2.2)
Requirement already satisfied: cryptography>=3.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pyjwt[crypto]>=2.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (42.0.7)
Requirement already satisfied: cffi>=1.4.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from pynacl>=1.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (1.16.0)
Requirement already satisfied: distlib<1,>=0.3.7 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (0.3.8)
Requirement already satisfied: filelock<4,>=3.12.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (3.14.0)
Requirement already satisfied: platformdirs<5,>=3.9.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (4.2.2)
Requirement already satisfied: wrapt<2,>=1.10 in ./env/detection-rules-build/lib/python3.12/site-packages (from Deprecated->PyGithub==2.2.0->detection_rules==0.1.0) (1.16.0)
Requirement already satisfied: pycparser in ./env/detection-rules-build/lib/python3.12/site-packages (from cffi>=1.4.1->pynacl>=1.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (2.22)
Building wheels for collected packages: detection_rules
  Building wheel for detection_rules (pyproject.toml) ... done
  Created wheel for detection_rules: filename=detection_rules-0.1.0-py3-none-any.whl size=41007017 sha256=5f7293d6abeb6f621dd74445e64e6dee575a45fabd10b76a86f3fb50c611cb78
  Stored in directory: /home/forteea1/.cache/pip/wheels/33/0b/6f/442542fc0e808e368b4dfaf768ed0b61a5d8281942974600d4
Successfully built detection_rules
Installing collected packages: detection_rules
  Attempting uninstall: detection_rules
    Found existing installation: detection_rules 0.1.0
    Uninstalling detection_rules-0.1.0:
      Successfully uninstalled detection_rules-0.1.0
Successfully installed detection_rules-0.1.0

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: python3.12 -m pip install --upgrade pip
./env/detection-rules-build/bin/pip install lib/kibana
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kibana
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: requests<3.0,>=2.25 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.3.0) (2.31.0)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.3.0) (8.12.1)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection-rules-kibana==0.3.0) (8.13.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (3.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (2.2.1)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (2024.2.2)
Building wheels for collected packages: detection-rules-kibana
  Building wheel for detection-rules-kibana (pyproject.toml) ... done
  Created wheel for detection-rules-kibana: filename=detection_rules_kibana-0.3.0-py3-none-any.whl size=9449 sha256=fb89d7fead7e4345d0ca3d515a1e998745a45dd6792b6da6d504ddfb7e4f4291
  Stored in directory: /tmp/pip-ephem-wheel-cache-jjbi9uzb/wheels/05/3b/89/3dab4aeb78501459dd86df8d126afb94aab37d28aea1263c1d
Successfully built detection-rules-kibana
Installing collected packages: detection-rules-kibana
  Attempting uninstall: detection-rules-kibana
    Found existing installation: detection-rules-kibana 0.3.0
    Uninstalling detection-rules-kibana-0.3.0:
      Successfully uninstalled detection-rules-kibana-0.3.0
Successfully installed detection-rules-kibana-0.3.0

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: python3.12 -m pip install --upgrade pip
./env/detection-rules-build/bin/pip install lib/kql
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kql
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.9.19)
Requirement already satisfied: lark-parser>=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.12.0)
Building wheels for collected packages: detection-rules-kql
  Building wheel for detection-rules-kql (pyproject.toml) ... done
  Created wheel for detection-rules-kql: filename=detection_rules_kql-0.1.7-py3-none-any.whl size=16336 sha256=cfe056e9d1afbba397c233aed9a21105fcc93266cf11c7e068a22ec3c7834cb7
  Stored in directory: /tmp/pip-ephem-wheel-cache-2c1dkh_6/wheels/56/d8/16/54016845ffe39458d941c5c2dbc03e4998264eeec10328eebb
Successfully built detection-rules-kql
Installing collected packages: detection-rules-kql
  Attempting uninstall: detection-rules-kql
    Found existing installation: detection-rules-kql 0.1.7
    Uninstalling detection-rules-kql-0.1.7:
      Successfully uninstalled detection-rules-kql-0.1.7
Successfully installed detection-rules-kql-0.1.7

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: python3.12 -m pip install --upgrade pip
Executing test_cli script...
Running detection-rules CLI tests...
Refreshing redirect mappings in ATT&CK
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

refreshing data in attack_technique_redirects.json


refreshed mapping file: /home/forteea1/Code/clean_mains/detection-rules/detection_rules/etc/attack-technique-redirects.json
Viewing rule: threat_intel_indicator_match_address.toml
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Error loading rule in /home/forteea1/Code/clean_mains/detection-rules/rules/cross-platform/threat_intel_indicator_match_address.toml
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 35, in <module>
    main()
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 32, in main
    root(prog_name="detection_rules")
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/main.py", line 296, in view_rule
    rule = RuleCollection().load_file(rule_file)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 437, in load_file
    obj = self._load_toml_file(path)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 363, in _load_toml_file
    with io.open(path, "r", encoding="utf-8") as f:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/home/forteea1/Code/clean_mains/detection-rules/rules/cross-platform/threat_intel_indicator_match_address.toml'
Exporting rule by ID: 0a97b20f-4144-49ea-be32-b540ecc445de
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Error loading rule in /home/forteea1/Code/clean_mains/detection-rules/rules/promotions/endgame_malware_detected.toml
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 35, in <module>
    main()
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 32, in main
    root(prog_name="detection_rules")
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/cli_utils.py", line 86, in get_collection
    rules.load_directories(DEFAULT_PREBUILT_RULES_DIRS + DEFAULT_PREBUILT_BBR_DIRS,
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 504, in load_directories
    self.load_directory(path, recursive=recursive, obj_filter=obj_filter)
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 499, in load_directory
    self.load_files(paths)
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 492, in load_files
    self.load_file(path)
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 438, in load_file
    return self.load_dict(obj, path=path)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 418, in load_dict
    self.add_rule(rule)
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 393, in add_rule
    self._assert_new(rule)
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule_loader.py", line 382, in _assert_new
    assert rule.id not in id_map, \
           ^^^^^^^^^^^^^^^^^^^^^
AssertionError: Rule ID 0a97b20f-4144-49ea-be32-b540ecc445de for Malware - Detected - Elastic Endgame collides with rule Malware - Detected - Elastic Endgame
Updating rule data schemas
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Validating rule: execution_github_new_event_action_for_pat.toml
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Rule validation successful
Checking licenses
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Building release and updating version lock
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building package 8.16
 - 24 rules excluded from package
Rule changes detected!
 - 81 changed rules
 - 13 new rules
 - 1 newly deprecated rules
run `build-release --update-version-lock` to update version.lock.json and deprecated_rules.json
Rule changes detected!
 - 81 changed rules
 - 13 new rules
 - 1 newly deprecated rules
Detailed changes:
Updated /home/forteea1/Code/clean_mains/detection-rules/detection_rules/etc/version.lock.json file
Updated /home/forteea1/Code/clean_mains/detection-rules/detection_rules/etc/deprecated_rules.json file
Package saved to: /home/forteea1/Code/clean_mains/detection-rules/releases/8.16
loaded security_detection_engine manifests from the following package versions: ['8.14.6', '8.14.5', '8.14.4', '8.14.3', '8.14.2', '8.14.1', '8.13.12', '8.13.11', '8.13.10', '8.13.9', '8.13.8', '8.13.7', '8.13.6', '8.13.5', '8.13.4', '8.13.3', '8.13.2', '8.13.1', '8.12.17', '8.12.16', '8.12.15', '8.12.14', '8.12.13', '8.12.12', '8.12.11', '8.12.10', '8.12.9', '8.12.8', '8.12.7', '8.12.6', '8.12.5', '8.12.4', '8.12.3', '8.12.2', '8.12.1', '8.11.21', '8.11.20', '8.11.19', '8.11.18', '8.11.17', '8.11.16', '8.11.15', '8.11.14', '8.11.13', '8.11.12', '8.11.11', '8.11.10', '8.11.9', '8.11.8', '8.11.7', '8.11.6', '8.11.5', '8.11.4', '8.11.3', '8.11.2', '8.11.1', '8.10.18', '8.10.17', '8.10.16', '8.10.15', '8.10.14', '8.10.13', '8.10.12', '8.10.11', '8.10.10', '8.10.9', '8.10.8', '8.10.7', '8.10.6', '8.10.5', '8.10.4', '8.10.3', '8.10.2', '8.10.1', '8.9.15', '8.9.14', '8.9.13', '8.9.12', '8.9.11', '8.9.10', '8.9.9', '8.9.8', '8.9.7', '8.9.6', '8.9.5', '8.9.4', '8.9.3', '8.9.2', '8.9.1', '8.8.15', '8.8.14', '8.8.13', '8.8.12', '8.8.11', '8.8.10', '8.8.9', '8.8.8', '8.8.7', '8.8.6', '8.8.5', '8.8.4', '8.8.3', '8.8.2', '8.8.1', '8.7.13', '8.7.12', '8.7.11', '8.7.10', '8.7.9', '8.7.8', '8.7.7', '8.7.6', '8.7.5', '8.7.4', '8.7.3', '8.7.2', '8.7.1', '8.6.10', '8.6.9', '8.6.8', '8.6.7', '8.6.6', '8.6.5', '8.6.4', '8.6.3', '8.6.2', '8.6.1', '8.5.8', '8.5.7', '8.5.6', '8.5.5', '8.5.4', '8.5.3', '8.5.2', '8.5.1', '8.4.5', '8.4.4', '8.4.3', '8.4.2', '8.4.1', '8.3.4', '8.3.3', '8.3.2', '8.3.1', '8.2.1', '8.1.1', '1.0.2', '1.0.1']
[+] Adding historical rules from 8.14.6 package
- sha256: cacc81c3cab60911b391ecc1e38f6c4bb286ac055ed5ec028be6b9ef15c9228e
- 1183 rules included
Refreshing ATT&CK data
No versions newer than the current detected: 15.1.0
Updating rules with latest ATT&CK data
No rule changes needed
Getting target branches
Showing latest compatible version for security_detection_engine with stack version 8.12.0
Compatible integration version=('8.15.0', ('There is a new integration endpoint version 8.15.0 available!', 'Update the rule min_stack version from 8.12.0 to 8.15.0 if using new features in this latest version.'))
Building limited rules for stack version 8.12
Potential Widespread Malware Infection Across Multiple Hosts - Skipping unsupported rule type: esql
AWS EC2 EBS Snapshot Shared with Another Account - Skipping unsupported rule type: esql
AWS S3 Bucket Enumeration or Brute Force - Skipping unsupported rule type: esql
Potential AWS S3 Bucket Ransomware Note Uploaded - Skipping unsupported rule type: esql
AWS S3 Object Encryption Using External KMS Key - Skipping unsupported rule type: esql
AWS IAM User Created Access Keys For Another User - Skipping unsupported rule type: esql
AWS IAM AdministratorAccess Policy Attached to Group - Skipping unsupported rule type: esql
AWS IAM AdministratorAccess Policy Attached to Role - Skipping unsupported rule type: esql
AWS IAM AdministratorAccess Policy Attached to User - Skipping unsupported rule type: esql
AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session - Skipping unsupported rule type: esql
AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request - Skipping unsupported rule type: esql
Unusual High Confidence Misconduct Blocks Detected - Skipping unsupported rule type: esql
Potential Abuse of Resources by High Token Count and Large Response Sizes - Skipping unsupported rule type: esql
AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User - Skipping unsupported rule type: esql
Attempts to Brute Force a Microsoft 365 User Account - Skipping unsupported rule type: esql
Multiple Device Token Hashes for Single Okta Session - Skipping unsupported rule type: esql
Multiple Okta User Authentication Events with Client Address - Skipping unsupported rule type: esql
Multiple Okta User Authentication Events with Same Device Token Hash - Skipping unsupported rule type: esql
High Number of Okta Device Token Cookies Generated for Authentication - Skipping unsupported rule type: esql
Okta User Sessions Started from Different Geolocations - Skipping unsupported rule type: esql
Success: Rules written to output_file.ndjson
Building limited rules for stack version 8.12 with custom rules
- sha256: b423aafafad354b6efc4dd9f579dcea4c56bad087bd68aabbdcf5e21364147cc
files saved to: /home/forteea1/Code/clean_mains/detection-rules/enriched-rule-indexes/b423aafafad354b6efc4dd9f579dcea4c56bad087bd68aabbdcf5e21364147cc
1207 rules included
Building manifests for integrations
loading rules to determine all integration tags
loaded endpoint manifests from the following package versions: ['8.15.0', '8.14.0', '8.13.0', '8.12.0', '8.11.1', '8.11.0', '8.10.2', '8.10.1', '8.10.0', '8.9.1', '8.9.0', '8.8.0', '8.7.1', '8.7.0', '8.6.1', '8.6.0', '8.5.0', '8.4.1', '8.4.0', '8.3.0', '8.2.0', '1.5.0', '1.4.1', '1.4.0', '1.3.0', '1.2.2', '1.2.1', '1.2.0', '1.1.1', '1.1.0', '1.0.0']
final integrations manifests dumped: /home/forteea1/Code/clean_mains/detection-rules/detection_rules/etc/integration-manifests.json.gz
Building schemas for integrations
Building integration schemas...
processing endpoint
final integrations manifests dumped: /home/forteea1/Code/clean_mains/detection-rules/detection_rules/etc/integration-schemas.json.gz
Detection-rules CLI tests completed!

make test-remote-cli

detection-rules on  DAC-feature [$!?] is  v0.1.0 via  v3.12.4 (detection-rules-build) on  eric.forte 
❯ make test-remote-cli
Installing all dependencies...
./env/detection-rules-build/bin/pip install .[dev]
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing /home/forteea1/Code/clean_mains/detection-rules
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting detection-rules-kql@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /tmp/pip-install-7ogmj6aw/detection-rules-kql_ce575c77fbc14d61964abed35ee06560
  Running command git clone --filter=blob:none --quiet https://github.com/elastic/detection-rules.git /tmp/pip-install-7ogmj6aw/detection-rules-kql_ce575c77fbc14d61964abed35ee06560
  Resolved https://github.com/elastic/detection-rules.git to commit 823e8fd1402421f3c066bcf748e35d4503d71b8f
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting detection-rules-kibana@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /tmp/pip-install-7ogmj6aw/detection-rules-kibana_ca8ced826479495390c6fc162c16d1c6
  Running command git clone --filter=blob:none --quiet https://github.com/elastic/detection-rules.git /tmp/pip-install-7ogmj6aw/detection-rules-kibana_ca8ced826479495390c6fc162c16d1c6
  Resolved https://github.com/elastic/detection-rules.git to commit 823e8fd1402421f3c066bcf748e35d4503d71b8f
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: detection_rules
  Building wheel for detection_rules (pyproject.toml) ... done
  Created wheel for detection_rules: filename=detection_rules-0.1.0-py3-none-any.whl size=41015150 sha256=73cdb92a98ffbbacb02fe927816c01bc40a823ee6e984d1878f7ef8e033bb306
  Stored in directory: /home/forteea1/.cache/pip/wheels/33/0b/6f/442542fc0e808e368b4dfaf768ed0b61a5d8281942974600d4
Successfully built detection_rules
Installing collected packages: detection_rules
  Attempting uninstall: detection_rules
    Found existing installation: detection_rules 0.1.0
    Uninstalling detection_rules-0.1.0:
      Successfully uninstalled detection_rules-0.1.0
Successfully installed detection_rules-0.1.0

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: pip install --upgrade pip
./env/detection-rules-build/bin/pip install lib/kibana
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kibana
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: detection-rules-kibana
  Building wheel for detection-rules-kibana (pyproject.toml) ... done
  Created wheel for detection-rules-kibana: filename=detection_rules_kibana-0.3.0-py3-none-any.whl size=9449 sha256=328b5d9adc8b41ac240dc0aa3b01d6c079df751a8c198bd035d99ae6249fc96b
  Stored in directory: /tmp/pip-ephem-wheel-cache-u0wpx5we/wheels/05/3b/89/3dab4aeb78501459dd86df8d126afb94aab37d28aea1263c1d
Successfully built detection-rules-kibana
Installing collected packages: detection-rules-kibana
  Attempting uninstall: detection-rules-kibana
    Found existing installation: detection-rules-kibana 0.3.0
    Uninstalling detection-rules-kibana-0.3.0:
      Successfully uninstalled detection-rules-kibana-0.3.0
Successfully installed detection-rules-kibana-0.3.0
./env/detection-rules-build/bin/pip install lib/kql
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kql
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: detection-rules-kql
  Building wheel for detection-rules-kql (pyproject.toml) ... done
  Created wheel for detection-rules-kql: filename=detection_rules_kql-0.1.7-py3-none-any.whl size=16336 sha256=cdbe24566ca919f420d711b9040d39beb6420ae4808222a1f4ff7d8bf9c067fd
  Stored in directory: /tmp/pip-ephem-wheel-cache-9hzphg5l/wheels/56/d8/16/54016845ffe39458d941c5c2dbc03e4998264eeec10328eebb
Successfully built detection-rules-kql
Installing collected packages: detection-rules-kql
  Attempting uninstall: detection-rules-kql
    Found existing installation: detection-rules-kql 0.1.7
    Uninstalling detection-rules-kql-0.1.7:
      Successfully uninstalled detection-rules-kql-0.1.7
Successfully installed detection-rules-kql-0.1.7
Executing test_remote_cli script...
Running detection-rules remote CLI tests...
Performing a quick rule alerts search...
Requires .detection-rules-cfg.json credentials file set.
No alerts detected
Performing a rule export...
- skipping H-DEFENSEEVASION-266 - Windows Defender Exclusions Added - KqlParseError
10 results exported
9 rules converted
0 exceptions exported
9 saved to tmp-export
1 errors saved to tmp-export/_errors.txt
command_and_control_dac_demo_dev_rule_13.toml                                 dac_demo_dev_rule_1_also_updated.toml  defense_evasion_adding_hidden_file_attribute_via_attrib_duplicate.toml  test_exception_list.toml
command_and_control_dac_demo_dev_rule_1.toml                                  dac_demo_dev_rule_1_updated.toml       _errors.txt
command_and_control_test_potential_protocol_tunneling_via_chisel_client.toml  dac_demo_dev_rule_2_feedback.toml      infosec_css_test_rule.toml
Removing generated files...
Detection-rules CLI tests completed!

test_custom_cli.bash

detection-rules on  DAC-feature [$!?] is  v0.1.0 via  v3.12.4 (detection-rules-build) on  eric.forte took 40s 
❯ bash detection_rules/etc/test_custom_cli.bash ~/Downloads/data_view_rules_export.ndjson
Running detection-rules CLI tests for custom rules...
Importing rules from specified njson...
[+] Building rule for /home/forteea1/Code/clean_mains/detection-rules/custom_rules/rules/adding_hidden_file_attribute_via_attrib_data_view.toml
Run tests...
Installing all dependencies...
./env/detection-rules-build/bin/pip install .[dev]
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing /home/forteea1/Code/clean_mains/detection-rules
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting detection-rules-kql@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /tmp/pip-install-gdyomalj/detection-rules-kql_a330b7f1219340f8a25df43e8950f952
  Running command git clone --filter=blob:none --quiet https://github.com/elastic/detection-rules.git /tmp/pip-install-gdyomalj/detection-rules-kql_a330b7f1219340f8a25df43e8950f952
  Resolved https://github.com/elastic/detection-rules.git to commit 823e8fd1402421f3c066bcf748e35d4503d71b8f
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting detection-rules-kibana@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /tmp/pip-install-gdyomalj/detection-rules-kibana_38f6d664d6844d49a7f3c27dd53918e2
  Running command git clone --filter=blob:none --quiet https://github.com/elastic/detection-rules.git /tmp/pip-install-gdyomalj/detection-rules-kibana_38f6d664d6844d49a7f3c27dd53918e2
  Resolved https://github.com/elastic/detection-rules.git to commit 823e8fd1402421f3c066bcf748e35d4503d71b8f
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: detection_rules
  Building wheel for detection_rules (pyproject.toml) ... done
  Created wheel for detection_rules: filename=detection_rules-0.1.0-py3-none-any.whl size=41015675 sha256=ef62b1d3927db743bde59476608dd521b38aa9aca5587333e1705cd325d34e75
  Stored in directory: /home/forteea1/.cache/pip/wheels/33/0b/6f/442542fc0e808e368b4dfaf768ed0b61a5d8281942974600d4
Successfully built detection_rules
Installing collected packages: detection_rules
  Attempting uninstall: detection_rules
    Found existing installation: detection_rules 0.1.0
    Uninstalling detection_rules-0.1.0:
      Successfully uninstalled detection_rules-0.1.0
Successfully installed detection_rules-0.1.0

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: pip install --upgrade pip
./env/detection-rules-build/bin/pip install lib/kibana
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kibana
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: requests<3.0,>=2.25 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.3.0) (2.31.0)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.3.0) (8.12.1)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection-rules-kibana==0.3.0) (8.13.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (3.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (2.2.1)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (2024.2.2)
Building wheels for collected packages: detection-rules-kibana
  Building wheel for detection-rules-kibana (pyproject.toml) ... done
  Created wheel for detection-rules-kibana: filename=detection_rules_kibana-0.3.0-py3-none-any.whl size=9450 sha256=286d880b62fa3f0c685dc2522170045090f12cb9022e38342954ebcc449a70ac
  Stored in directory: /tmp/pip-ephem-wheel-cache-n_bq6ty6/wheels/05/3b/89/3dab4aeb78501459dd86df8d126afb94aab37d28aea1263c1d
Successfully built detection-rules-kibana
Installing collected packages: detection-rules-kibana
  Attempting uninstall: detection-rules-kibana
    Found existing installation: detection-rules-kibana 0.3.0
    Uninstalling detection-rules-kibana-0.3.0:
      Successfully uninstalled detection-rules-kibana-0.3.0
Successfully installed detection-rules-kibana-0.3.0

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: pip install --upgrade pip
./env/detection-rules-build/bin/pip install lib/kql
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kql
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.9.19)
Requirement already satisfied: lark-parser>=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.12.0)
Building wheels for collected packages: detection-rules-kql
  Building wheel for detection-rules-kql (pyproject.toml) ... done
  Created wheel for detection-rules-kql: filename=detection_rules_kql-0.1.7-py3-none-any.whl size=16336 sha256=c0d9f692459eb289d92162c2325ad28b5ebd8c105505a077b4a22dc279e4dc0f
  Stored in directory: /tmp/pip-ephem-wheel-cache-0o0ww103/wheels/56/d8/16/54016845ffe39458d941c5c2dbc03e4998264eeec10328eebb
Successfully built detection-rules-kql
Installing collected packages: detection-rules-kql
  Attempting uninstall: detection-rules-kql
    Found existing installation: detection-rules-kql 0.1.7
    Uninstalling detection-rules-kql-0.1.7:
      Successfully uninstalled detection-rules-kql-0.1.7
Successfully installed detection-rules-kql-0.1.7

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: pip install --upgrade pip
LINTING
./env/detection-rules-build/bin/python -m flake8 tests detection_rules --ignore D203,N815 --max-line-length 120
./env/detection-rules-build/bin/python -m detection_rules test
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

Tests skipped per config (4):
tests/test_all_rules.py::TestValidRules::test_schema_and_dupes
tests/test_gh_workflows.py::TestWorkflows::test_matrix_to_lock_version_defaults
tests/test_packages.py::TestRegistryPackage::test_registry_package_config
tests/test_schemas.py::TestVersionLockSchema::test_version_lock_has_nested_previous
============================== test session starts ==============================
platform linux -- Python 3.12.4, pytest-8.2.1, pluggy-1.5.0 -- /home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/bin/python
cachedir: .pytest_cache
rootdir: /home/forteea1/Code/clean_mains/detection-rules
configfile: pyproject.toml
plugins: typeguard-3.0.2
collected 144 items

tests/kuery/test_dsl.py::TestKQLtoDSL::test_and_query PASSED [  0%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_exists PASSED [  1%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_inequality PASSED [  2%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_match PASSED [  2%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_not_query PASSED [  3%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_optimizations PASSED [  4%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_or_query PASSED [  4%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_and_query PASSED [  5%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_boolean_precedence PASSED [  6%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_field_equals PASSED [  6%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_field_inequality PASSED [  7%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_ip_checks PASSED [  8%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_list_of_values PASSED [  9%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_not_query PASSED [  9%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_or_query PASSED [ 10%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_wildcard_field PASSED [ 11%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_and_expr PASSED [ 11%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_and_values PASSED [ 12%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_cidr_match PASSED [ 13%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_field_exists PASSED [ 13%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_flattening PASSED [ 14%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_list_value PASSED [ 15%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_not_value PASSED [ 15%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_or_expr PASSED [ 16%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_or_values PASSED [ 17%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_quoted_wildcard PASSED [ 18%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_range PASSED [ 18%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_single_value PASSED [ 19%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_wildcard PASSED [ 20%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_and_query PASSED [ 20%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_boolean_precedence PASSED [ 21%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_field_equals PASSED [ 22%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_field_inequality PASSED [ 22%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_list_of_values PASSED [ 23%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_lone_value PASSED [ 24%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_nested_query PASSED [ 25%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_not_query PASSED [ 25%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_or_query PASSED [ 26%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_schema PASSED [ 27%]
tests/kuery/test_lint.py::LintTests::test_and_not PASSED [ 27%]
tests/kuery/test_lint.py::LintTests::test_compound PASSED [ 28%]
tests/kuery/test_lint.py::LintTests::test_double_negate PASSED [ 29%]
tests/kuery/test_lint.py::LintTests::test_extract_not PASSED [ 29%]
tests/kuery/test_lint.py::LintTests::test_ip PASSED [ 30%]
tests/kuery/test_lint.py::LintTests::test_lint_field PASSED [ 31%]
tests/kuery/test_lint.py::LintTests::test_lint_precedence PASSED [ 31%]
tests/kuery/test_lint.py::LintTests::test_merge_fields PASSED [ 32%]
tests/kuery/test_lint.py::LintTests::test_mixed_demorgans PASSED [ 33%]
tests/kuery/test_lint.py::LintTests::test_not_demorgans PASSED [ 34%]
tests/kuery/test_lint.py::LintTests::test_not_or PASSED [ 34%]
tests/kuery/test_lint.py::LintTests::test_upper_tokens PASSED [ 35%]
tests/kuery/test_parser.py::ParserTests::test_conversion PASSED [ 36%]
tests/kuery/test_parser.py::ParserTests::test_date PASSED [ 36%]
tests/kuery/test_parser.py::ParserTests::test_keyword PASSED [ 37%]
tests/kuery/test_parser.py::ParserTests::test_list_equals PASSED [ 38%]
tests/kuery/test_parser.py::ParserTests::test_multiple_types_fail PASSED [ 38%]
tests/kuery/test_parser.py::ParserTests::test_multiple_types_success PASSED [ 39%]
tests/kuery/test_parser.py::ParserTests::test_number_exists PASSED [ 40%]
tests/kuery/test_parser.py::ParserTests::test_number_wildcard_fail PASSED [ 40%]
tests/kuery/test_parser.py::ParserTests::test_type_family_fail PASSED [ 41%]
tests/kuery/test_parser.py::ParserTests::test_type_family_success PASSED [ 42%]
tests/test_all_rules.py::TestAlertSuppression::test_group_field_in_schemas PASSED [ 43%]
tests/test_all_rules.py::TestBuildTimeFields::test_build_fields_min_stack PASSED [ 43%]
tests/test_all_rules.py::TestIncompatibleFields::test_rule_backports_for_restricted_fields PASSED [ 44%]
tests/test_all_rules.py::TestIntegrationRules::test_all_min_stack_rules_have_comment PASSED [ 45%]
tests/test_all_rules.py::TestIntegrationRules::test_integration_guide SKIPPED (8.3+ Stacks Have Related Integrations Feature) [ 45%]
tests/test_all_rules.py::TestIntegrationRules::test_ml_integration_jobs_exist PASSED [ 46%]
tests/test_all_rules.py::TestIntegrationRules::test_rule_demotions PASSED [ 47%]
tests/test_all_rules.py::TestLicense::test_elastic_license_only_v2 PASSED                                                                                                                                                                            [ 47%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_if_plugins_explicitly_defined PASSED                                                                                                                                                          [ 48%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_note_has_osquery_warning PASSED                                                                                                                                                               [ 49%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_plugin_placeholders_match_entries PASSED                                                                                                                                                      [ 50%]
tests/test_all_rules.py::TestRiskScoreMismatch::test_rule_risk_score_severity_mismatch PASSED                                                                                                                                                        [ 50%]
tests/test_all_rules.py::TestRuleFiles::test_bbr_in_correct_dir PASSED                                                                                                                                                                               [ 51%]
tests/test_all_rules.py::TestRuleFiles::test_non_bbr_in_correct_dir PASSED                                                                                                                                                                           [ 52%]
tests/test_all_rules.py::TestRuleFiles::test_rule_file_name_tactic PASSED                                                                                                                                                                            [ 52%]
tests/test_all_rules.py::TestRuleMetadata::test_deprecated_rules PASSED                                                                                                                                                                              [ 53%]
tests/test_all_rules.py::TestRuleMetadata::test_deprecated_rules_modified PASSED                                                                                                                                                                     [ 54%]
tests/test_all_rules.py::TestRuleMetadata::test_event_dataset PASSED                                                                                                                                                                                 [ 54%]
tests/test_all_rules.py::TestRuleMetadata::test_integration_tag PASSED                                                                                                                                                                               [ 55%]
tests/test_all_rules.py::TestRuleMetadata::test_invalid_queries PASSED                                                                                                                                                                               [ 56%]
tests/test_all_rules.py::TestRuleMetadata::test_rule_change_has_updated_date PASSED                                                                                                                                                                  [ 56%]
tests/test_all_rules.py::TestRuleMetadata::test_updated_date_newer_than_creation PASSED                                                                                                                                                              [ 57%]
tests/test_all_rules.py::TestRuleTags::test_casing_and_spacing PASSED                                                                                                                                                                                [ 58%]
tests/test_all_rules.py::TestRuleTags::test_investigation_guide_tag SKIPPED (Skipping until all Investigation Guides follow the proper format.)                                                                                                      [ 59%]
tests/test_all_rules.py::TestRuleTags::test_ml_rule_type_tags PASSED                                                                                                                                                                                 [ 59%]
tests/test_all_rules.py::TestRuleTags::test_no_duplicate_tags PASSED                                                                                                                                                                                 [ 60%]
tests/test_all_rules.py::TestRuleTags::test_os_tags PASSED                                                                                                                                                                                           [ 61%]
tests/test_all_rules.py::TestRuleTags::test_primary_tactic_as_tag PASSED                                                                                                                                                                             [ 61%]
tests/test_all_rules.py::TestRuleTags::test_required_tags PASSED                                                                                                                                                                                     [ 62%]
tests/test_all_rules.py::TestRuleTags::test_tag_prefix PASSED                                                                                                                                                                                        [ 63%]
tests/test_all_rules.py::TestRuleTimelines::test_timeline_has_title PASSED                                                                                                                                                                           [ 63%]
tests/test_all_rules.py::TestRuleTiming::test_eql_interval_to_maxspan PASSED                                                                                                                                                                         [ 64%]
tests/test_all_rules.py::TestRuleTiming::test_eql_lookback PASSED                                                                                                                                                                                    [ 65%]
tests/test_all_rules.py::TestRuleTiming::test_event_override PASSED                                                                                                                                                                                  [ 65%]
tests/test_all_rules.py::TestRuleTiming::test_required_lookback PASSED                                                                                                                                                                               [ 66%]
tests/test_all_rules.py::TestThreatMappings::test_duplicated_tactics PASSED                                                                                                                                                                          [ 67%]
tests/test_all_rules.py::TestThreatMappings::test_tactic_to_technique_correlations PASSED                                                                                                                                                            [ 68%]
tests/test_all_rules.py::TestThreatMappings::test_technique_deprecations PASSED                                                                                                                                                                      [ 68%]
tests/test_all_rules.py::TestValidRules::test_all_rule_queries_optimized PASSED                                                                                                                                                                      [ 69%]
tests/test_all_rules.py::TestValidRules::test_bbr_validation PASSED                                                                                                                                                                                  [ 70%]
tests/test_all_rules.py::TestValidRules::test_duplicate_file_names PASSED                                                                                                                                                                            [ 70%]
tests/test_all_rules.py::TestValidRules::test_file_names PASSED                                                                                                                                                                                      [ 71%]
tests/test_all_rules.py::TestValidRules::test_from_filed_value PASSED                                                                                                                                                                                [ 72%]
tests/test_all_rules.py::TestValidRules::test_max_signals_note PASSED                                                                                                                                                                                [ 72%]
tests/test_all_rules.py::TestValidRules::test_production_rules_have_rta PASSED                                                                                                                                                                       [ 73%]
tests/test_all_rules.py::TestValidRules::test_rule_type_changes PASSED                                                                                                                                                                               [ 74%]
tests/test_hunt_data.py::TestHunt::test_load_toml_files PASSED                                                                                                                                                                                       [ 75%]
tests/test_hunt_data.py::TestHunt::test_markdown_existence PASSED                                                                                                                                                                                    [ 75%]
tests/test_hunt_data.py::TestHunt::test_toml_loading PASSED                                                                                                                                                                                          [ 76%]
tests/test_mappings.py::TestMappings::test_false_positives PASSED                                                                                                                                                                                    [ 77%]
tests/test_mappings.py::TestMappings::test_true_positives PASSED                                                                                                                                                                                     [ 77%]
tests/test_mappings.py::TestRTAs::test_rtas_with_triggered_rules_have_uuid PASSED                                                                                                                                                                    [ 78%]
tests/test_packages.py::TestPackages::test_package_loader_default_configs PASSED                                                                                                                                                                     [ 79%]
tests/test_packages.py::TestPackages::test_package_loader_production_config PASSED                                                                                                                                                                   [ 79%]
tests/test_packages.py::TestPackages::test_package_summary PASSED                                                                                                                                                                                    [ 80%]
tests/test_packages.py::TestPackages::test_rule_versioning PASSED                                                                                                                                                                                    [ 81%]
tests/test_python_library.py::TestEQLInSet::test_eql_in_set PASSED                                                                                                                                                                                   [ 81%]
tests/test_schemas.py::TestSchemas::test_eql_validation PASSED                                                                                                                                                                                       [ 82%]
tests/test_schemas.py::TestSchemas::test_query_downgrade_7_x PASSED                                                                                                                                                                                  [ 83%]
tests/test_schemas.py::TestSchemas::test_query_downgrade_8_x PASSED                                                                                                                                                                                  [ 84%]
tests/test_schemas.py::TestSchemas::test_threshold_downgrade_7_x PASSED                                                                                                                                                                              [ 84%]
tests/test_schemas.py::TestSchemas::test_threshold_downgrade_8_x PASSED                                                                                                                                                                              [ 85%]
tests/test_schemas.py::TestSchemas::test_versioned_downgrade_7_x PASSED                                                                                                                                                                              [ 86%]
tests/test_schemas.py::TestSchemas::test_versioned_downgrade_8_x PASSED                                                                                                                                                                              [ 86%]
tests/test_schemas.py::TestVersionLockSchema::test_version_lock_no_previous PASSED                                                                                                                                                                   [ 87%]
tests/test_schemas.py::TestVersions::test_stack_schema_map PASSED                                                                                                                                                                                    [ 88%]
tests/test_specific_rules.py::TestESQLRules::test_esql_queries PASSED                                                                                                                                                                                [ 88%]
tests/test_specific_rules.py::TestEndpointQuery::test_os_and_platform_in_query PASSED                                                                                                                                                                [ 89%]
tests/test_specific_rules.py::TestNewTerms::test_history_window_start PASSED                                                                                                                                                                         [ 90%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_field_exists PASSED                                                                                                                                                                       [ 90%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_fields PASSED                                                                                                                                                                             [ 91%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_fields_unique PASSED                                                                                                                                                                      [ 92%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_max_limit PASSED                                                                                                                                                                          [ 93%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_formatter_deep PASSED                                                                                                                                                                      [ 93%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_formatter_rule PASSED                                                                                                                                                                      [ 94%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_normalization PASSED                                                                                                                                                                       [ 95%]
tests/test_transform_fields.py::TestGuideMarkdownPlugins::test_plugin_conversion PASSED                                                                                                                                                              [ 95%]
tests/test_transform_fields.py::TestGuideMarkdownPlugins::test_transform_guide_markdown_plugins PASSED                                                                                                                                               [ 96%]
tests/test_utils.py::TestTimeUtils::test_caching PASSED                                                                                                                                                                                              [ 97%]
tests/test_utils.py::TestTimeUtils::test_event_class_normalization PASSED                                                                                                                                                                            [ 97%]
tests/test_utils.py::TestTimeUtils::test_schema_multifields PASSED                                                                                                                                                                                   [ 98%]
tests/test_utils.py::TestTimeUtils::test_time_normalize PASSED                                                                                                                                                                                       [ 99%]
tests/test_version_locking.py::TestVersionLock::test_previous_entries_gte_current_min_stack PASSED                                                                                                                                                   [100%]

===================================================================================================================== warnings summary =====================================================================================================================
env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1285
  /home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1285: PytestAssertRewriteWarning: Module already imported so cannot be rewritten: typeguard
    self._mark_plugins_for_rewrite(hook)

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
======================================================================================================== 142 passed, 2 skipped, 1 warning in 6.08s =========================================================================================================
Performing a rule export to nsjdon...
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Exported 5 rules into /home/forteea1/Code/clean_mains/detection-rules/exports/20240729T114821L.ndjson
Detection-rules CLI tests completed!

test_custom_remote_cli.bash

detection-rules on  DAC-feature [$!?] is  v0.1.0 via  v3.12.4 (detection-rules-build) on  eric.forte took 53s 
❯ bash detection_rules/etc/test_custom_remote_cli.bash
Running detection-rules remote CLI tests for custom rules...
Performing a quick rule alerts search...
Requires .detection-rules-cfg.json credentials file set.
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

No alerts detected
Performing a rule import...
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

5 rule(s) successfully imported
 - d0cf5aad-cc24-4670-a190-f3067f9ec600
 - 794d2fc0-ecd0-4963-99da-fd587666b80d
 - b5f3eb03-2368-4b1a-8b3b-fb11397ac516
 - 7c22a9d2-5910-4da2-92af-7ff7481bd0f7
 - 230e7043-b0fc-44eb-86b8-e9eb1e5e38d4
Running Tests...
Installing all dependencies...
./env/detection-rules-build/bin/pip install .[dev]
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing /home/forteea1/Code/clean_mains/detection-rules
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting detection-rules-kql@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /tmp/pip-install-nfixlnkn/detection-rules-kql_bee02685d87243648adb5e745303c333
  Running command git clone --filter=blob:none --quiet https://github.com/elastic/detection-rules.git /tmp/pip-install-nfixlnkn/detection-rules-kql_bee02685d87243648adb5e745303c333
  Resolved https://github.com/elastic/detection-rules.git to commit 823e8fd1402421f3c066bcf748e35d4503d71b8f
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting detection-rules-kibana@ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana (from detection_rules==0.1.0)
  Cloning https://github.com/elastic/detection-rules.git to /tmp/pip-install-nfixlnkn/detection-rules-kibana_5ff69d417fb14794b2ac11f7ab94cc90
  Running command git clone --filter=blob:none --quiet https://github.com/elastic/detection-rules.git /tmp/pip-install-nfixlnkn/detection-rules-kibana_5ff69d417fb14794b2ac11f7ab94cc90
  Resolved https://github.com/elastic/detection-rules.git to commit 823e8fd1402421f3c066bcf748e35d4503d71b8f
  Running command git submodule update --init --recursive -q
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: Click~=8.1.7 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.1.7)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.12.1)
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.9.19)
Requirement already satisfied: jsl==0.2.4 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.2.4)
Requirement already satisfied: jsonschema>=4.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (4.22.0)
Requirement already satisfied: marko==2.0.3 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.0.3)
Requirement already satisfied: marshmallow-dataclass~=8.6.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow-dataclass[union]~=8.6.0->detection_rules==0.1.0) (8.6.1)
Requirement already satisfied: marshmallow-jsonschema~=0.13.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.13.0)
Requirement already satisfied: marshmallow-union~=0.1.15 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.1.15.post1)
Requirement already satisfied: marshmallow~=3.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.21.2)
Requirement already satisfied: pytoml==0.1.21 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.1.21)
Requirement already satisfied: PyYAML~=6.0.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (6.0.1)
Requirement already satisfied: requests~=2.31.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.31.0)
Requirement already satisfied: toml==0.10.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.10.2)
Requirement already satisfied: typing-inspect==0.9.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.9.0)
Requirement already satisfied: typing-extensions==4.10.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (4.10.0)
Requirement already satisfied: XlsxWriter~=3.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.2.0)
Requirement already satisfied: semver==3.0.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.0.2)
Requirement already satisfied: lark-parser~=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from eql==0.9.19->detection_rules==0.1.0) (0.12.0)
Requirement already satisfied: mypy-extensions>=0.3.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from typing-inspect==0.9.0->detection_rules==0.1.0) (1.0.0)
Requirement already satisfied: pep8-naming==0.13.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (0.13.0)
Requirement already satisfied: PyGithub==2.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (2.2.0)
Requirement already satisfied: flake8==7.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (7.0.0)
Requirement already satisfied: pyflakes==3.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.2.0)
Requirement already satisfied: pytest>=8.1.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (8.2.1)
Requirement already satisfied: nodeenv==1.8.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (1.8.0)
Requirement already satisfied: pre-commit==3.6.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection_rules==0.1.0) (3.6.2)
Requirement already satisfied: mccabe<0.8.0,>=0.7.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from flake8==7.0.0->detection_rules==0.1.0) (0.7.0)
Requirement already satisfied: pycodestyle<2.12.0,>=2.11.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from flake8==7.0.0->detection_rules==0.1.0) (2.11.1)
Requirement already satisfied: setuptools in ./env/detection-rules-build/lib/python3.12/site-packages (from nodeenv==1.8.0->detection_rules==0.1.0) (70.1.1)
Requirement already satisfied: cfgv>=2.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (3.4.0)
Requirement already satisfied: identify>=1.0.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (2.5.36)
Requirement already satisfied: virtualenv>=20.10.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pre-commit==3.6.2->detection_rules==0.1.0) (20.26.2)
Requirement already satisfied: pynacl>=1.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (1.5.0)
Requirement already satisfied: pyjwt>=2.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pyjwt[crypto]>=2.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (2.8.0)
Requirement already satisfied: urllib3>=1.26.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (2.2.1)
Requirement already satisfied: Deprecated in ./env/detection-rules-build/lib/python3.12/site-packages (from PyGithub==2.2.0->detection_rules==0.1.0) (1.2.14)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection_rules==0.1.0) (8.13.0)
Requirement already satisfied: attrs>=22.2.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (23.2.0)
Requirement already satisfied: jsonschema-specifications>=2023.03.6 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (2023.12.1)
Requirement already satisfied: referencing>=0.28.4 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (0.35.1)
Requirement already satisfied: rpds-py>=0.7.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from jsonschema>=4.21.1->detection_rules==0.1.0) (0.18.1)
Requirement already satisfied: packaging>=17.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow~=3.21.1->detection_rules==0.1.0) (24.0)
Requirement already satisfied: typeguard<4.0.0,>=2.4.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from marshmallow-dataclass[union]~=8.6.0->detection_rules==0.1.0) (3.0.2)
Requirement already satisfied: iniconfig in ./env/detection-rules-build/lib/python3.12/site-packages (from pytest>=8.1.1->detection_rules==0.1.0) (2.0.0)
Requirement already satisfied: pluggy<2.0,>=1.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from pytest>=8.1.1->detection_rules==0.1.0) (1.5.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (3.7)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests~=2.31.0->detection_rules==0.1.0) (2024.2.2)
Requirement already satisfied: cryptography>=3.4.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from pyjwt[crypto]>=2.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (42.0.7)
Requirement already satisfied: cffi>=1.4.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from pynacl>=1.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (1.16.0)
Requirement already satisfied: distlib<1,>=0.3.7 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (0.3.8)
Requirement already satisfied: filelock<4,>=3.12.2 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (3.14.0)
Requirement already satisfied: platformdirs<5,>=3.9.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from virtualenv>=20.10.0->pre-commit==3.6.2->detection_rules==0.1.0) (4.2.2)
Requirement already satisfied: wrapt<2,>=1.10 in ./env/detection-rules-build/lib/python3.12/site-packages (from Deprecated->PyGithub==2.2.0->detection_rules==0.1.0) (1.16.0)
Requirement already satisfied: pycparser in ./env/detection-rules-build/lib/python3.12/site-packages (from cffi>=1.4.1->pynacl>=1.4.0->PyGithub==2.2.0->detection_rules==0.1.0) (2.22)
Building wheels for collected packages: detection_rules
  Building wheel for detection_rules (pyproject.toml) ... done
  Created wheel for detection_rules: filename=detection_rules-0.1.0-py3-none-any.whl size=41015675 sha256=e37c76e39568d4fbf9766c3c9ab6797b1a5a42c0274a97fd5019738d01a8197f
  Stored in directory: /home/forteea1/.cache/pip/wheels/33/0b/6f/442542fc0e808e368b4dfaf768ed0b61a5d8281942974600d4
Successfully built detection_rules
Installing collected packages: detection_rules
  Attempting uninstall: detection_rules
    Found existing installation: detection_rules 0.1.0
    Uninstalling detection_rules-0.1.0:
      Successfully uninstalled detection_rules-0.1.0
Successfully installed detection_rules-0.1.0

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: pip install --upgrade pip
./env/detection-rules-build/bin/pip install lib/kibana
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kibana
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: requests<3.0,>=2.25 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.3.0) (2.31.0)
Requirement already satisfied: elasticsearch~=8.12.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kibana==0.3.0) (8.12.1)
Requirement already satisfied: elastic-transport<9,>=8 in ./env/detection-rules-build/lib/python3.12/site-packages (from elasticsearch~=8.12.1->detection-rules-kibana==0.3.0) (8.13.0)
Requirement already satisfied: charset-normalizer<4,>=2 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (3.3.2)
Requirement already satisfied: idna<4,>=2.5 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (3.7)
Requirement already satisfied: urllib3<3,>=1.21.1 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (2.2.1)
Requirement already satisfied: certifi>=2017.4.17 in ./env/detection-rules-build/lib/python3.12/site-packages (from requests<3.0,>=2.25->detection-rules-kibana==0.3.0) (2024.2.2)
Building wheels for collected packages: detection-rules-kibana
  Building wheel for detection-rules-kibana (pyproject.toml) ... done
  Created wheel for detection-rules-kibana: filename=detection_rules_kibana-0.3.0-py3-none-any.whl size=9450 sha256=653a7ac42da73ef9ce7a4be34191bc9ce5303b22a76a38a4e338c4aeb6fe84b8
  Stored in directory: /tmp/pip-ephem-wheel-cache-fqtleamh/wheels/05/3b/89/3dab4aeb78501459dd86df8d126afb94aab37d28aea1263c1d
Successfully built detection-rules-kibana
Installing collected packages: detection-rules-kibana
  Attempting uninstall: detection-rules-kibana
    Found existing installation: detection-rules-kibana 0.3.0
    Uninstalling detection-rules-kibana-0.3.0:
      Successfully uninstalled detection-rules-kibana-0.3.0
Successfully installed detection-rules-kibana-0.3.0

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: pip install --upgrade pip
./env/detection-rules-build/bin/pip install lib/kql
Looking in indexes: https://pypi.org/simple, https://eric.forte%40elastic.co:****@artifactory.elastic.dev/artifactory/api/pypi/pypi-endgame/simple
Processing ./lib/kql
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Requirement already satisfied: eql==0.9.19 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.9.19)
Requirement already satisfied: lark-parser>=0.12.0 in ./env/detection-rules-build/lib/python3.12/site-packages (from detection-rules-kql==0.1.7) (0.12.0)
Building wheels for collected packages: detection-rules-kql
  Building wheel for detection-rules-kql (pyproject.toml) ... done
  Created wheel for detection-rules-kql: filename=detection_rules_kql-0.1.7-py3-none-any.whl size=16336 sha256=09c7a91df96798a9ac5b2ceba802e04e5593d27754aae9ad0e0a2ec5e695d28b
  Stored in directory: /tmp/pip-ephem-wheel-cache-cp65we3a/wheels/56/d8/16/54016845ffe39458d941c5c2dbc03e4998264eeec10328eebb
Successfully built detection-rules-kql
Installing collected packages: detection-rules-kql
  Attempting uninstall: detection-rules-kql
    Found existing installation: detection-rules-kql 0.1.7
    Uninstalling detection-rules-kql-0.1.7:
      Successfully uninstalled detection-rules-kql-0.1.7
Successfully installed detection-rules-kql-0.1.7

[notice] A new release of pip is available: 24.1 -> 24.1.2
[notice] To update, run: pip install --upgrade pip
LINTING
./env/detection-rules-build/bin/python -m flake8 tests detection_rules --ignore D203,N815 --max-line-length 120
./env/detection-rules-build/bin/python -m detection_rules test
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Tests skipped per config (4):
tests/test_all_rules.py::TestValidRules::test_schema_and_dupes
tests/test_gh_workflows.py::TestWorkflows::test_matrix_to_lock_version_defaults
tests/test_packages.py::TestRegistryPackage::test_registry_package_config
tests/test_schemas.py::TestVersionLockSchema::test_version_lock_has_nested_previous
=================================================================================================================== test session starts ====================================================================================================================
platform linux -- Python 3.12.4, pytest-8.2.1, pluggy-1.5.0 -- /home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/bin/python
cachedir: .pytest_cache
rootdir: /home/forteea1/Code/clean_mains/detection-rules
configfile: pyproject.toml
plugins: typeguard-3.0.2
collected 144 items                                                                                                                                                                                                                                        

tests/kuery/test_dsl.py::TestKQLtoDSL::test_and_query PASSED                                                                                                                                                                                         [  0%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_exists PASSED                                                                                                                                                                                      [  1%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_inequality PASSED                                                                                                                                                                                  [  2%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_match PASSED                                                                                                                                                                                       [  2%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_not_query PASSED                                                                                                                                                                                         [  3%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_optimizations PASSED                                                                                                                                                                                     [  4%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_or_query PASSED                                                                                                                                                                                          [  4%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_and_query PASSED                                                                                                                                                                                      [  5%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_boolean_precedence PASSED                                                                                                                                                                             [  6%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_field_equals PASSED                                                                                                                                                                                   [  6%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_field_inequality PASSED                                                                                                                                                                               [  7%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_ip_checks PASSED                                                                                                                                                                                      [  8%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_list_of_values PASSED                                                                                                                                                                                 [  9%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_not_query PASSED                                                                                                                                                                                      [  9%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_or_query PASSED                                                                                                                                                                                       [ 10%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_wildcard_field PASSED                                                                                                                                                                                 [ 11%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_and_expr PASSED                                                                                                                                                                                  [ 11%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_and_values PASSED                                                                                                                                                                                [ 12%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_cidr_match PASSED                                                                                                                                                                                [ 13%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_field_exists PASSED                                                                                                                                                                              [ 13%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_flattening PASSED                                                                                                                                                                                [ 14%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_list_value PASSED                                                                                                                                                                                [ 15%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_not_value PASSED                                                                                                                                                                                 [ 15%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_or_expr PASSED                                                                                                                                                                                   [ 16%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_or_values PASSED                                                                                                                                                                                 [ 17%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_quoted_wildcard PASSED                                                                                                                                                                           [ 18%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_range PASSED                                                                                                                                                                                     [ 18%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_single_value PASSED                                                                                                                                                                              [ 19%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_wildcard PASSED                                                                                                                                                                                  [ 20%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_and_query PASSED                                                                                                                                                                                      [ 20%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_boolean_precedence PASSED                                                                                                                                                                             [ 21%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_field_equals PASSED                                                                                                                                                                                   [ 22%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_field_inequality PASSED                                                                                                                                                                               [ 22%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_list_of_values PASSED                                                                                                                                                                                 [ 23%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_lone_value PASSED                                                                                                                                                                                     [ 24%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_nested_query PASSED                                                                                                                                                                                   [ 25%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_not_query PASSED                                                                                                                                                                                      [ 25%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_or_query PASSED                                                                                                                                                                                       [ 26%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_schema PASSED                                                                                                                                                                                         [ 27%]
tests/kuery/test_lint.py::LintTests::test_and_not PASSED                                                                                                                                                                                             [ 27%]
tests/kuery/test_lint.py::LintTests::test_compound PASSED                                                                                                                                                                                            [ 28%]
tests/kuery/test_lint.py::LintTests::test_double_negate PASSED                                                                                                                                                                                       [ 29%]
tests/kuery/test_lint.py::LintTests::test_extract_not PASSED                                                                                                                                                                                         [ 29%]
tests/kuery/test_lint.py::LintTests::test_ip PASSED                                                                                                                                                                                                  [ 30%]
tests/kuery/test_lint.py::LintTests::test_lint_field PASSED                                                                                                                                                                                          [ 31%]
tests/kuery/test_lint.py::LintTests::test_lint_precedence PASSED                                                                                                                                                                                     [ 31%]
tests/kuery/test_lint.py::LintTests::test_merge_fields PASSED                                                                                                                                                                                        [ 32%]
tests/kuery/test_lint.py::LintTests::test_mixed_demorgans PASSED                                                                                                                                                                                     [ 33%]
tests/kuery/test_lint.py::LintTests::test_not_demorgans PASSED                                                                                                                                                                                       [ 34%]
tests/kuery/test_lint.py::LintTests::test_not_or PASSED                                                                                                                                                                                              [ 34%]
tests/kuery/test_lint.py::LintTests::test_upper_tokens PASSED                                                                                                                                                                                        [ 35%]
tests/kuery/test_parser.py::ParserTests::test_conversion PASSED                                                                                                                                                                                      [ 36%]
tests/kuery/test_parser.py::ParserTests::test_date PASSED                                                                                                                                                                                            [ 36%]
tests/kuery/test_parser.py::ParserTests::test_keyword PASSED                                                                                                                                                                                         [ 37%]
tests/kuery/test_parser.py::ParserTests::test_list_equals PASSED                                                                                                                                                                                     [ 38%]
tests/kuery/test_parser.py::ParserTests::test_multiple_types_fail PASSED                                                                                                                                                                             [ 38%]
tests/kuery/test_parser.py::ParserTests::test_multiple_types_success PASSED                                                                                                                                                                          [ 39%]
tests/kuery/test_parser.py::ParserTests::test_number_exists PASSED                                                                                                                                                                                   [ 40%]
tests/kuery/test_parser.py::ParserTests::test_number_wildcard_fail PASSED                                                                                                                                                                            [ 40%]
tests/kuery/test_parser.py::ParserTests::test_type_family_fail PASSED                                                                                                                                                                                [ 41%]
tests/kuery/test_parser.py::ParserTests::test_type_family_success PASSED                                                                                                                                                                             [ 42%]
tests/test_all_rules.py::TestAlertSuppression::test_group_field_in_schemas PASSED                                                                                                                                                                    [ 43%]
tests/test_all_rules.py::TestBuildTimeFields::test_build_fields_min_stack PASSED                                                                                                                                                                     [ 43%]
tests/test_all_rules.py::TestIncompatibleFields::test_rule_backports_for_restricted_fields PASSED                                                                                                                                                    [ 44%]
tests/test_all_rules.py::TestIntegrationRules::test_all_min_stack_rules_have_comment PASSED                                                                                                                                                          [ 45%]
tests/test_all_rules.py::TestIntegrationRules::test_integration_guide SKIPPED (8.3+ Stacks Have Related Integrations Feature)                                                                                                                        [ 45%]
tests/test_all_rules.py::TestIntegrationRules::test_ml_integration_jobs_exist PASSED                                                                                                                                                                 [ 46%]
tests/test_all_rules.py::TestIntegrationRules::test_rule_demotions PASSED                                                                                                                                                                            [ 47%]
tests/test_all_rules.py::TestLicense::test_elastic_license_only_v2 PASSED                                                                                                                                                                            [ 47%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_if_plugins_explicitly_defined PASSED                                                                                                                                                          [ 48%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_note_has_osquery_warning PASSED                                                                                                                                                               [ 49%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_plugin_placeholders_match_entries PASSED                                                                                                                                                      [ 50%]
tests/test_all_rules.py::TestRiskScoreMismatch::test_rule_risk_score_severity_mismatch PASSED                                                                                                                                                        [ 50%]
tests/test_all_rules.py::TestRuleFiles::test_bbr_in_correct_dir PASSED                                                                                                                                                                               [ 51%]
tests/test_all_rules.py::TestRuleFiles::test_non_bbr_in_correct_dir PASSED                                                                                                                                                                           [ 52%]
tests/test_all_rules.py::TestRuleFiles::test_rule_file_name_tactic PASSED                                                                                                                                                                            [ 52%]
tests/test_all_rules.py::TestRuleMetadata::test_deprecated_rules PASSED                                                                                                                                                                              [ 53%]
tests/test_all_rules.py::TestRuleMetadata::test_deprecated_rules_modified PASSED                                                                                                                                                                     [ 54%]
tests/test_all_rules.py::TestRuleMetadata::test_event_dataset PASSED                                                                                                                                                                                 [ 54%]
tests/test_all_rules.py::TestRuleMetadata::test_integration_tag PASSED                                                                                                                                                                               [ 55%]
tests/test_all_rules.py::TestRuleMetadata::test_invalid_queries PASSED                                                                                                                                                                               [ 56%]
tests/test_all_rules.py::TestRuleMetadata::test_rule_change_has_updated_date PASSED                                                                                                                                                                  [ 56%]
tests/test_all_rules.py::TestRuleMetadata::test_updated_date_newer_than_creation PASSED                                                                                                                                                              [ 57%]
tests/test_all_rules.py::TestRuleTags::test_casing_and_spacing PASSED                                                                                                                                                                                [ 58%]
tests/test_all_rules.py::TestRuleTags::test_investigation_guide_tag SKIPPED (Skipping until all Investigation Guides follow the proper format.)                                                                                                      [ 59%]
tests/test_all_rules.py::TestRuleTags::test_ml_rule_type_tags PASSED                                                                                                                                                                                 [ 59%]
tests/test_all_rules.py::TestRuleTags::test_no_duplicate_tags PASSED                                                                                                                                                                                 [ 60%]
tests/test_all_rules.py::TestRuleTags::test_os_tags PASSED                                                                                                                                                                                           [ 61%]
tests/test_all_rules.py::TestRuleTags::test_primary_tactic_as_tag PASSED                                                                                                                                                                             [ 61%]
tests/test_all_rules.py::TestRuleTags::test_required_tags PASSED                                                                                                                                                                                     [ 62%]
tests/test_all_rules.py::TestRuleTags::test_tag_prefix PASSED                                                                                                                                                                                        [ 63%]
tests/test_all_rules.py::TestRuleTimelines::test_timeline_has_title PASSED                                                                                                                                                                           [ 63%]
tests/test_all_rules.py::TestRuleTiming::test_eql_interval_to_maxspan PASSED                                                                                                                                                                         [ 64%]
tests/test_all_rules.py::TestRuleTiming::test_eql_lookback PASSED                                                                                                                                                                                    [ 65%]
tests/test_all_rules.py::TestRuleTiming::test_event_override PASSED                                                                                                                                                                                  [ 65%]
tests/test_all_rules.py::TestRuleTiming::test_required_lookback PASSED                                                                                                                                                                               [ 66%]
tests/test_all_rules.py::TestThreatMappings::test_duplicated_tactics PASSED                                                                                                                                                                          [ 67%]
tests/test_all_rules.py::TestThreatMappings::test_tactic_to_technique_correlations PASSED                                                                                                                                                            [ 68%]
tests/test_all_rules.py::TestThreatMappings::test_technique_deprecations PASSED                                                                                                                                                                      [ 68%]
tests/test_all_rules.py::TestValidRules::test_all_rule_queries_optimized PASSED                                                                                                                                                                      [ 69%]
tests/test_all_rules.py::TestValidRules::test_bbr_validation PASSED                                                                                                                                                                                  [ 70%]
tests/test_all_rules.py::TestValidRules::test_duplicate_file_names PASSED                                                                                                                                                                            [ 70%]
tests/test_all_rules.py::TestValidRules::test_file_names PASSED                                                                                                                                                                                      [ 71%]
tests/test_all_rules.py::TestValidRules::test_from_filed_value PASSED                                                                                                                                                                                [ 72%]
tests/test_all_rules.py::TestValidRules::test_max_signals_note PASSED                                                                                                                                                                                [ 72%]
tests/test_all_rules.py::TestValidRules::test_production_rules_have_rta PASSED                                                                                                                                                                       [ 73%]
tests/test_all_rules.py::TestValidRules::test_rule_type_changes PASSED                                                                                                                                                                               [ 74%]
tests/test_hunt_data.py::TestHunt::test_load_toml_files PASSED                                                                                                                                                                                       [ 75%]
tests/test_hunt_data.py::TestHunt::test_markdown_existence PASSED                                                                                                                                                                                    [ 75%]
tests/test_hunt_data.py::TestHunt::test_toml_loading PASSED                                                                                                                                                                                          [ 76%]
tests/test_mappings.py::TestMappings::test_false_positives PASSED                                                                                                                                                                                    [ 77%]
tests/test_mappings.py::TestMappings::test_true_positives PASSED                                                                                                                                                                                     [ 77%]
tests/test_mappings.py::TestRTAs::test_rtas_with_triggered_rules_have_uuid PASSED                                                                                                                                                                    [ 78%]
tests/test_packages.py::TestPackages::test_package_loader_default_configs PASSED                                                                                                                                                                     [ 79%]
tests/test_packages.py::TestPackages::test_package_loader_production_config PASSED                                                                                                                                                                   [ 79%]
tests/test_packages.py::TestPackages::test_package_summary PASSED                                                                                                                                                                                    [ 80%]
tests/test_packages.py::TestPackages::test_rule_versioning PASSED                                                                                                                                                                                    [ 81%]
tests/test_python_library.py::TestEQLInSet::test_eql_in_set PASSED                                                                                                                                                                                   [ 81%]
tests/test_schemas.py::TestSchemas::test_eql_validation PASSED                                                                                                                                                                                       [ 82%]
tests/test_schemas.py::TestSchemas::test_query_downgrade_7_x PASSED                                                                                                                                                                                  [ 83%]
tests/test_schemas.py::TestSchemas::test_query_downgrade_8_x PASSED                                                                                                                                                                                  [ 84%]
tests/test_schemas.py::TestSchemas::test_threshold_downgrade_7_x PASSED                                                                                                                                                                              [ 84%]
tests/test_schemas.py::TestSchemas::test_threshold_downgrade_8_x PASSED                                                                                                                                                                              [ 85%]
tests/test_schemas.py::TestSchemas::test_versioned_downgrade_7_x PASSED                                                                                                                                                                              [ 86%]
tests/test_schemas.py::TestSchemas::test_versioned_downgrade_8_x PASSED                                                                                                                                                                              [ 86%]
tests/test_schemas.py::TestVersionLockSchema::test_version_lock_no_previous PASSED                                                                                                                                                                   [ 87%]
tests/test_schemas.py::TestVersions::test_stack_schema_map PASSED                                                                                                                                                                                    [ 88%]
tests/test_specific_rules.py::TestESQLRules::test_esql_queries PASSED                                                                                                                                                                                [ 88%]
tests/test_specific_rules.py::TestEndpointQuery::test_os_and_platform_in_query PASSED                                                                                                                                                                [ 89%]
tests/test_specific_rules.py::TestNewTerms::test_history_window_start PASSED                                                                                                                                                                         [ 90%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_field_exists PASSED                                                                                                                                                                       [ 90%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_fields PASSED                                                                                                                                                                             [ 91%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_fields_unique PASSED                                                                                                                                                                      [ 92%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_max_limit PASSED                                                                                                                                                                          [ 93%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_formatter_deep PASSED                                                                                                                                                                      [ 93%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_formatter_rule PASSED                                                                                                                                                                      [ 94%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_normalization PASSED                                                                                                                                                                       [ 95%]
tests/test_transform_fields.py::TestGuideMarkdownPlugins::test_plugin_conversion PASSED                                                                                                                                                              [ 95%]
tests/test_transform_fields.py::TestGuideMarkdownPlugins::test_transform_guide_markdown_plugins PASSED                                                                                                                                               [ 96%]
tests/test_utils.py::TestTimeUtils::test_caching PASSED                                                                                                                                                                                              [ 97%]
tests/test_utils.py::TestTimeUtils::test_event_class_normalization PASSED                                                                                                                                                                            [ 97%]
tests/test_utils.py::TestTimeUtils::test_schema_multifields PASSED                                                                                                                                                                                   [ 98%]
tests/test_utils.py::TestTimeUtils::test_time_normalize PASSED                                                                                                                                                                                       [ 99%]
tests/test_version_locking.py::TestVersionLock::test_previous_entries_gte_current_min_stack PASSED                                                                                                                                                   [100%]

===================================================================================================================== warnings summary =====================================================================================================================
env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1285
  /home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1285: PytestAssertRewriteWarning: Module already imported so cannot be rewritten: typeguard
    self._mark_plugins_for_rewrite(hook)

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
======================================================================================================== 142 passed, 2 skipped, 1 warning in 5.91s =========================================================================================================
Performing a rule export...
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

- skipping H-DEFENSEEVASION-266 - Windows Defender Exclusions Added - KqlParseError
17 results exported
11 rules converted
2 exceptions exported
11 saved to tmp-export
1 errors saved to tmp-export/_errors.txt
Detection-rules CLI tests completed!

Checklist

  • Added a label for the type of pr: bug, enhancement, Rule: New, Rule: Deprecation, Rule: Promote, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

brokensound77 and others added 30 commits April 26, 2024 15:36
* [FR] Add custom rule directory support
* [FR] Add support for configurable tests and validation
* [FR] Add support to decouple actions and exceptions
* update actions schema
* add custom-rules init-config command
* update docs
---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
…3654)

* Improve dac custom init

* Fix path naming

* patch for ci runs

* add doc strings and rename test config name

* expand how unit tests are selected

* Updated to support list of dirs

* raise unlink to CLI

* Fix unit test config post assertion

* Add a custom method to generate the test config

* add explicit checks for package.yml fields

* newline

* raise SystemExit instead of sys.exit

* Collapsing missing config message and exit

* flake8

* update base config

* typo

* Updated config parsing

* Update detection_rules/config.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* simplify package requirements

* remove import

* add dataclass to validate rules config file and create default setup-config cli

* add kibana_version cli param

* update doc string

* rename delete cli option to overwrite, and small edits to exceptions

* Typo in config

* Add resolve

* Added TODO

* Cleanup

* Update path to config path

* Added get_rules_dir_path function

* revert config change

* Updated config

* Minor Cleanup

* Cleanup get_base_rule_dir

* Updated to remove try except

* update test cli command

* Updated config generation

* Add default in config

* Update test CLI

* update readme

* readme updates

* Add support for multiple rules dirs

* Updated import-rules-to-repo readme

* Update unit test

* Remove redundant check

* Remove additional parse_rules_config from mappings

---------

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Add flag to enable all prebuilt tests

* Add additional bypasses

* Added format_test_string function
@eric-forte-elastic

There is an intermittent issue when importing many rules and exception lists at the same time related to elastic/kibana#143864 that is currently being investigated. This may cause exception list references to be stripped when importing rules in some cases.


@Mikaayenson Mikaayenson left a comment


🚢

A lot of effort in this PR to support many edge cases. Based on the walkthroughs, test runs, re: import/export via ndjson / kibana on multiple rules (sigma, internal team rules, and past exercise rulesets), this lgtm.

Most of the nuances have been documented in dac-reference so I think this will help most of the users get up and running.

We know that there are a couple gaps like schema support for new kibana features (alert suppression on specific rule types, etc.). We will tackle that in a different/later PR.

Final tests on the version lock didn't have any changes, so I think we're good with our release branches, but we'll see when we merge.

Merging this formally moves us to beta where we'll continue edge case testing with reduced hurdles for users to onboard and start natively integrating into their workflows.

We'll also reduce feature development for a bit to ensure this existing capability works as expected given our diverse user base and environments.

🚀

@eric-forte-elastic eric-forte-elastic merged commit 47d7a3a into main Aug 6, 2024
9 checks passed
protectionsmachine pushed a commit that referenced this pull request Aug 6, 2024
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>

(cherry picked from commit 47d7a3a)
zsohamwag pushed a commit to zsohamwag/zsoham-detection-rules that referenced this pull request Sep 13, 2024
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
Labels
backport: auto detections-as-code enhancement New feature or request python Internal python for the repository schema