Skip to content

Allow filter-only KQL custom rule exports#6253

Open
srkyn wants to merge 1 commit into
elastic:mainfrom
srkyn:allow-empty-kql-filter-rules-clean
Open

Allow filter-only KQL custom rule exports#6253
srkyn wants to merge 1 commit into
elastic:mainfrom
srkyn:allow-empty-kql-filter-rules-clean

Conversation

@srkyn
Copy link
Copy Markdown

@srkyn srkyn commented Jun 4, 2026

Summary

  • allow filter-only KQL rules to load when custom rule export mode is active
  • keep empty-query KQL invalid for prebuilt rules and custom rules without filters
  • bump the package patch version

Fixes #6167.

Tests

  • python -m pytest tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_valid_for_custom_rules tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_invalid_for_prebuilt_rules -q
  • python -m compileall -q detection_rules tests

@botelastic botelastic Bot added the python Internal python for the repository label Jun 4, 2026
@srkyn
Copy link
Copy Markdown
Author

srkyn commented Jun 4, 2026

Reopened this as a clean replacement for #6180 after the old PR ref stopped updating cleanly. Local validation passed:

  • python -m pytest tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_valid_for_custom_rules tests/test_schemas.py::TestSchemas::test_empty_kuery_with_filters_is_invalid_for_prebuilt_rules -q
  • python -m compileall -q detection_rules tests

The remaining failing add-comment workflow is label-gated. I tried to add bug, detections-as-code, and patch, but GitHub reports I do not have permission to add labels here.

@eric-forte-elastic eric-forte-elastic added patch enhancement New feature or request labels Jun 4, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 4, 2026

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR patch, minor, major.

@eric-forte-elastic
Copy link
Copy Markdown
Contributor

eric-forte-elastic commented Jun 4, 2026

Testing importing, functions as expected.

image

Remote testing paths for pre-built and custom rules pass
make_test_remote_cli.txt

eric-forte-elastic
eric-forte-elastic reviewed Jun 4, 2026
View reviewed changes
Comment thread detection_rules/rule.py
@cached_property
def validator(self) -> QueryValidator | None:
if self.language == "kuery":
if not self.query.strip() and self.filters and CUSTOM_RULES_DIR:
Copy link
Copy Markdown
Contributor

@eric-forte-elastic eric-forte-elastic Jun 4, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will work for validation, but if you try to run view-rule it will still fail because the dataclass type check happens first. It looks like for this to work we will also need to update the schema similar to this patch,

filter_only_schema_optional_query.patch

Image

Example test rule (.txt extension needed for github upload, remove before use):

rule_filter_only_export.ndjson.txt
test_filer_only_rule.toml.txt

@srkyn
Copy link
Copy Markdown
Author

srkyn commented Jun 5, 2026

Thanks for testing this and adding the labels. I appreciate the validation on both the import path and the remote prebuilt/custom rule paths.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eric-forte-elastic eric-forte-elastic eric-forte-elastic left review comments

@Mikaayenson Mikaayenson Awaiting requested review from Mikaayenson Mikaayenson is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

backport: auto community enhancement New feature or request patch python Internal python for the repository

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[DaC] export-rules fails on KQL rules with empty query (filters only)

2 participants

@srkyn @eric-forte-elastic