[Enhancement] Add flag to export rules via KQL search on name

[frederikb96]

Pull Request

Summary - What I changed

For the CLI:
Add the possibility to use a new flag --rule-name which allows searching for rules via their name and then exporting those from Kibana to local custom rules directory.

How To Test

Use

python -m detection_rules kibana export-rules -d custom-rules --rule-name some-rule-name

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[github-actions]

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

• Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
• Include additional context or screenshots.
• Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

• Code follows established design patterns within the repo and avoids duplication.
• Code changes do not introduce new warnings or errors.
• Variables and functions are well-named and descriptive.
• Any unnecessary / commented-out code is removed.
• Ensure that the code is modular and reusable where applicable.
• Check for proper exception handling and messaging.

Testing

• New unit tests have been added to cover the enhancement.
• Existing unit tests have been updated to reflect the changes.
• Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
• Validate that any rules affected by the enhancement are correctly updated.
• Ensure that performance is not negatively impacted by the changes.
• Verify that any release artifacts are properly generated and tested.

Additional Checks

• Ensure that the enhancement does not break existing functionality.
• Review the enhancement with a peer or team member for additional insights.
• Verify that the enhancement works across all relevant environments (e.g., different OS versions).
• Confirm that all dependencies are up-to-date and compatible with the changes.
• Confirm that the proper version label is applied to the PR patch, minor, major.

[Mikaayenson]

👋 Great find on the incorrect filter. Aligns with the docs. Also, if you lint, this should be g2g.

You will need to do a pyproject.toml patch bump to 0.1.8 and the the repo pyproject.toml to 1.0.next (given you have a couple PRs open).

[eric-forte-elastic]

Also tested the code changes locally and performs as expected 🚀 In this case, I expect the KQL to return DAC Test Rules 1-4 which occurs.

❯ python -m detection_rules kibana --ignore-ssl-errors true --space new_test export-rules -d new_dac_demo/rules/ -rn "DAC Test Rule 4" -sv
Loaded config file: /home/forteea1/Code/dac_demo/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

4 results exported
4 rules converted
0 exceptions exported
0 action connectors exported
4 rules saved to new_dac_demo/rules
0 exception lists saved to /home/forteea1/Code/dac_demo/detection-rules/new_dac_demo/exceptions
0 action connectors saved to /home/forteea1/Code/dac_demo/detection-rules/new_dac_demo/action_connectors

[frederikb96]

@eric-forte-elastic @Mikaayenson
Thanks for the input and the help on the procedures 🙂 👍

I added those changes:

1. Added the KQL info to both CLI.md and the help text
2. Increased the version number of the kibana package and the repo (don't know why 0.1.8, guess it is rather 0.4.3)
3. Checked with flake8 the code guidelines and fixed line lengths

[frederikb96]

@eric-forte-elastic Anything else or would it be ready to merge? :)

[eric-forte-elastic]

@eric-forte-elastic Anything else or would it be ready to merge? :)

@frederikb96 since there are code changes in both the Kibana lib and kbwrap in Detection rules, the detection rules pyproject.toml should have a patch version bump too. Otherwise looks good to me 👍

[frederikb96]

Same here, bumped it up once more 🙂 👍

[Mikaayenson]

lgtm!

[eric-forte-elastic]

Will be merging this one in too following #4593

[frederikb96]

@eric-forte-elastic Oh just merged main into this again, since conflict was there. But yes, definitely feel free to merge further as fits :)

[eric-forte-elastic]

No worries :) Just having the battling pytoml versions lol, will approve momentarily, (depending on when you read this message we may need to bump it one more time)