
fix: type hinting fixes and additional code checks #4790


Open. Wants to merge 30 commits into base: main

Conversation

@traut traut commented Jun 11, 2025

Pull Request

Issue link(s):

Summary - What I changed

  • adding ruff and pyright checks in CI workflow
  • making sure pyright has no complains

How To Test

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@traut traut changed the title from "[WIP] Type hint fixes and adding code checks" to "[WIP] fix: type hint fixes and adding code checks" Jun 11, 2025
@traut traut added the labels python (Internal python for the repository), ci/cd, maintenance (Internal changes) and minor Jun 17, 2025
@traut traut marked this pull request as ready for review June 17, 2025 16:32
@botelastic botelastic bot added the schema label Jun 17, 2025

Enhancement - Guidelines

These guidelines serve as a reminder of the considerations to address when adding a new schema feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Code changes do not introduce new warnings or errors.
  • Variables and functions are well-named and descriptive.
  • Any unnecessary / commented-out code is removed.
  • Ensure that the code is modular and reusable where applicable.
  • Check for proper exception handling and messaging.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.

Additional Schema Related Checks

  • Ensure that the enhancement does not break existing functionality. (e.g., run make test-cli)
  • Review the enhancement with a peer or team member for additional insights.
  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that all dependencies are up-to-date and compatible with the changes.
  • Link to the relevant Kibana PR or issue provided
  • Exported detection rule(s) from Kibana to showcase the feature(s)
  • Converted the exported ndjson file(s) to toml in the detection-rules repo
  • Re-exported the toml rule(s) to ndjson and re-imported into Kibana
  • Updated necessary unit tests to accommodate the feature
  • Applied min_compat restrictions to limit the feature to a specified minimum stack version
  • Executed all unit tests locally with a test toml rule to confirm passing
  • Included Kibana PR implementer as an optional reviewer for insights on the feature
  • Implemented requisite downgrade functionality
  • Cross-referenced the feature with product documentation for consistency
  • Incorporated a comprehensive test rule in unit tests for full schema coverage
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-remote-cli)
  • Confirm that the proper version label is applied to the PR: patch, minor, major.

@traut traut changed the title from "[WIP] fix: type hint fixes and adding code checks" to "fix: type hinting fixes and additional code checks" Jun 17, 2025
Comment on lines +1418 to +1429
osquery_note_pattern = (
"> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin]"
"(https://www.elastic.co/guide/en/security/current/invest-guide-run-osquery.html) "
"introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display "
"unrendered Markdown in this guide."
)
invest_note_pattern = (
'> This investigation guide uses the [Investigate Markdown Plugin]'
'(https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html)'
' introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display '
'unrendered Markdown in this guide.')
"> This investigation guide uses the [Investigate Markdown Plugin]"
"(https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html)"
" introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display "
"unrendered Markdown in this guide."
)
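Review bot: the only difference between the two invest_note_pattern definitions visible in this region is the quote style (single quotes replaced by double quotes) around otherwise identical fragments, so the joined string and the transform that uses it are unchanged. Since the pattern is assembled by implicit concatenation of four literals, a small unit test asserting that the joined value starts with "> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/current/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0." would settle the formatting concern raised in this thread without re-running a release build, and would catch a dropped leading or trailing space in any future reflow.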
Contributor

We should double check that when the transform occurs, it's still formatted correctly.

Comment on lines +250 to +251
suggested_path: Path = Path(DEFAULT_PREBUILT_RULES_DIRS[0]) / contents["name"]
path = Path(path or input(f"File path for rule [{suggested_path}]: ") or suggested_path).resolve()
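Review bot: on line +251 the parameter path is rebound from its incoming value (which the path or input(...) fallback shows may be None or empty) to a resolved Path, so the variable's declared type and its final type differ. Pyright accepts this narrowing, but it is the same ambiguity the author cites for suggested_path, and it makes every later use of path depend on the reader knowing the reassignment happened. Binding the resolved value to a new name, e.g. rule_path: Path = Path(path or input(f"File path for rule [{suggested_path}]: ") or suggested_path).resolve(), keeps each variable single-typed and lets the annotation on suggested_path be dropped or kept consistently.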
Contributor

Seems a bit odd to type hint as Path when we explicitly set it as a Path object. We also don't type hint the next field, path.

Contributor Author

contents is dict[str, Any], so there is ambiguity in the calculation of the result type

"""Get schema for KQL."""
indexes = indexes or ()
converted = flatten_multi_fields(get_schema(version, name='ecs_flat'))
indexes = indexes or []
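Review bot: the empty default for indexes changes from () to [] on this line, so after it indexes is either whatever container the caller passed or a fresh list; that is only type-consistent if the parameter is annotated as a list (or a Sequence) rather than a tuple. The signature is outside the visible lines, so worth confirming that the annotation and the call sites agree with the new literal, otherwise pyright will report the same mismatch in the other direction. Nothing in the visible lines mutates indexes, so the change is purely about the declared type.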
Contributor

Curious as to why this was a tuple

Contributor Author

No idea. I don't think there is a risk of mutation, so we might as well simplify and have a list here.


Mikaayenson commented Jun 17, 2025

  • Any reason why the build didn't run? Waiting for status to be reported
  • Note, I think we need to run the lint tests locally and add to this PR (since the workflow won't run until the action is on main)
  • We'll also want to open a maintenance window and test the backporting logic.


eric-forte-elastic commented Jun 17, 2025

Currently am reliably seeing an error on the build-release command. Will dig into it and provide more info.

Looks to be an issue with the Techniques being loaded where many=False is supplied as an unexpected/not handled kwarg. This appears to be related to the Marshmallow update which now uses the many kwarg which is set to False by default to determine whether or not the input is a list of objects. Specifically, it fails in the Techniques class's set_score function. In our case for the Techniques, obj is dict[str, Any] which should determine that this object is a single dictionary, which may (and often does) contain lists.

At first pass, it looks like it can be mitigated with the following change.

    @pre_load
    def set_score(self, data: dict[str, Any], **kwargs):
        # **kwargs absorbs the many/partial keywords Marshmallow now passes to every hook
        _ = kwargs # type: ignore[reportUnusedVariable]
        data["score"] = len(data["metadata"])
        return data

As an alternative, I tried also just handling the many keyword directly, but it appears that there are a number of keywords passed now including partial, which would need to be either enumerated/handled or ignored in some fashion like the above.

It also appears that this tactic will be needed in integrations.py as well e.g.

    def transform_policy_template(self, data: dict[str, Any], **kwargs):
        # same pattern: accept and discard the extra keywords the loader passes
        _ = kwargs # type: ignore[reportUnusedVariable]
        if "policy_templates" in data:
            data["policy_templates"] = [policy["name"] for policy in data["policy_templates"]]
        return data

Output with code change

❯ python -m detection_rules dev build-release --generate-navigator

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building package 9.1
 - 4 rules excluded from package
Rule changes detected!
 - 1424 changed rules
 - 9 new rules
 - 0 newly deprecated rules
run `build-release --update-version-lock` to update version.lock.json and deprecated_rules.json
Package saved to: /home/forteea1/Code/dac_demo/dac_clean/detection-rules/releases/9.1
loaded security_detection_engine manifests from the following package versions: ['9.0.6', '9.0.5', '9.0.4', '9.0.3', '9.0.2', '9.0.1', '8.17.7']
[+] Limit historical rule versions in the release package for version 9.1.0: 3 versions
[+] Adding historical rules from 9.0.6 package
- sha256: f8659de9b5ceaf918adc6ee7430a5722fb185f3298b4799473dcc5ba77606e0e
- 1436 rules included


Terminal Output


detection-rules on  style-fixes is  v1.3.15 via  v3.12.11 (detection-rules-build) on  eric.forte 
❯ python -m detection_rules dev build-release --generate-navigator

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building package 9.1
 - 4 rules excluded from package
Rule changes detected!
 - 1424 changed rules
 - 9 new rules
 - 0 newly deprecated rules
run `build-release --update-version-lock` to update version.lock.json and deprecated_rules.json
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/__main__.py", line 36, in <module>
    main()
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/__main__.py", line 33, in main
    root(prog_name="detection_rules")
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1161, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1082, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1697, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1697, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1443, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 788, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/devtools.py", line 158, in build_release
    package.save(verbose=verbose)
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/packaging.py", line 223, in save
    self.save_release_files(extras_dir, self.changed_ids, self.new_ids, self.removed_ids)
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/packaging.py", line 176, in save_release_files
    _ = self.generate_attack_navigator(Path(directory))
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/packaging.py", line 433, in generate_attack_navigator
    return lb.save_all(save_dir, verbose=False)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/navigator.py", line 292, in save_all
    for built in self.build_all():
                 ^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/navigator.py", line 262, in build_all
    built.append(self.build_navigator(layer_name))
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/navigator.py", line 244, in build_navigator
    techniques = Techniques.from_dict(rules_data)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/detection_rules/mixins.py", line 122, in from_dict
    return schema.load(obj)
           ^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/marshmallow_dataclass/__init__.py", line 973, in load
    all_loaded = super().load(data, many=many, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/marshmallow/schema.py", line 792, in load
    return self._do_load(
           ^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/marshmallow/schema.py", line 941, in _do_load
    processed_data = self._invoke_load_processors(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/marshmallow/schema.py", line 1180, in _invoke_load_processors
    return self._invoke_processors(
           ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/dac_demo/dac_clean/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/marshmallow/schema.py", line 1305, in _invoke_processors
    data = processor(data, many=many, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: Techniques.set_score() got an unexpected keyword argument 'many'
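
The failure described in this comment, as an added example that is not part of the pull request or of the detection-rules code base: a stand-in for marshmallow's `_invoke_processors` call (the `processor(data, many=many, **kwargs)` shape shown in the traceback) is applied to a `set_score` hook written without and with `**kwargs`, and an `inspect`-based check flags hook methods that lack a `**kwargs` parameter so the regression can be caught before a release build. The class names, `invoke_processor`, `load_score`, `hooks_missing_var_kwargs` and the sample payload are constructed for this example; marshmallow itself is not imported, so the block runs with the standard library only.

```python
from __future__ import annotations

import inspect
from typing import Any, Callable

# Constructed input shaped like the Techniques payload: a single dict whose
# "metadata" value is a list (assumption for this example, not project data).
SAMPLE_TECHNIQUES: dict[str, Any] = {"metadata": [{"id": "a"}, {"id": "b"}, {"id": "c"}]}


def invoke_processor(processor: Callable[..., Any], data: Any, many: bool = False, **kwargs: Any) -> Any:
    """Stand-in for marshmallow/schema.py _invoke_processors: every hook is
    called as processor(data, many=many, **kwargs), the call shape in the traceback."""
    return processor(data, many=many, **kwargs)


class TechniquesBefore:
    """Hook signature as it was before the fix: no room for extra keywords."""

    def set_score(self, data: dict[str, Any]) -> dict[str, Any]:
        data["score"] = len(data["metadata"])
        return data


class TechniquesAfter:
    """Hook signature after the fix: **kwargs absorbs many, partial and friends."""

    def set_score(self, data: dict[str, Any], **kwargs: Any) -> dict[str, Any]:
        _ = kwargs  # deliberately unused; the keywords carry nothing this hook needs
        data["score"] = len(data["metadata"])
        return data


def load_score(hook: Callable[..., Any], data: dict[str, Any]) -> dict[str, Any] | str:
    """Run a hook the way the loader would during Schema.load. Returns the
    loaded dict, or the TypeError message if the hook cannot take the keywords.
    The input is shallow-copied so the caller's dict is not mutated."""
    try:
        return invoke_processor(hook, dict(data), many=False, partial=None)
    except TypeError as exc:
        return str(exc)


def hooks_missing_var_kwargs(
    cls: type, hook_names: tuple[str, ...] = ("set_score", "transform_policy_template")
) -> list[str]:
    """Return the names of hook methods on cls that have no **kwargs parameter.
    Running this over the schema classes in a unit test catches the 'many'
    regression without running build-release."""
    missing: list[str] = []
    for name in hook_names:
        fn = getattr(cls, name, None)
        if fn is None:
            continue
        params = inspect.signature(fn).parameters.values()
        if not any(p.kind is inspect.Parameter.VAR_KEYWORD for p in params):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(load_score(TechniquesBefore().set_score, SAMPLE_TECHNIQUES))
    print(load_score(TechniquesAfter().set_score, SAMPLE_TECHNIQUES))
    print(hooks_missing_var_kwargs(TechniquesBefore), hooks_missing_var_kwargs(TechniquesAfter))
```

The `hook_names` tuple is an assumption standing in for however the real hooks would be enumerated; in a project test it could be replaced by scanning each schema class for the marshmallow hook marker, but the signature check itself is the same.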

@shashank-elastic

Tested some commands

Export Command

python -m detection_rules kibana export-rules -d /Users/shashankks/elastic_workspace/detection-rules/custom_rules --skip-errors
0 rules converted
0 exceptions exported
0 action connectors exported
0 rules saved to /Users/shashankks/elastic_workspace/detection-rules/custom_rules
0 exception lists saved to None
0 action connectors saved to None
1440 errors saved to /Users/shashankks/elastic_workspace/detection-rules/custom_rules/_errors.txt
python -m detection_rules kibana export-rules -d /Users/shashankks/elastic_workspace/detection-rules/custom_rules/rules -sv --skip-errors
- skipping System Time Discovery - ValidationError
1440 results exported
1384 rules converted
0 exceptions exported
0 action connectors exported
1384 rules saved to /Users/shashankks/elastic_workspace/detection-rules/custom_rules/rules
0 exception lists saved to None
0 action connectors saved to None
56 errors saved to /Users/shashankks/elastic_workspace/detection-rules/custom_rules/rules/_errors.txt

Lock versions

python -m detection_rules dev build-release --update-version-lock
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building package 9.1
 - 4 rules excluded from package
Rule changes detected!
 - 1424 changed rules
 - 9 new rules
 - 0 newly deprecated rules
run `build-release --update-version-lock` to update version.lock.json and deprecated_rules.json
Rule changes detected!
 - 1424 changed rules
 - 9 new rules
 - 0 newly deprecated rules
Detailed changes: 
  A: f0cc239b-67fa-46fc-89d4-f861753a40f5, new version: 3
    - min_stack_version added: 8.17.0
  A: 0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0, new version: 102
    - min_stack_version added: 8.17.0
  A: 2d6f5332-42ea-11f0-b09a-f661ea17fbcd, new version: 1
    - min_stack_version added: 8.17.0
  A: 35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc, new version: 105
    - min_stack_version added: 8.17.0
  A: 375132c6-25d5-11f0-8745-f661ea17fbcd, new version: 2
    - min_stack_version added: 8.17.0
  A: 0d3d2254-2b4a-11f0-a019-f661ea17fbcc, new version: 2
    - min_stack_version added: 8.17.0
  A: 017de1e4-ea35-11ee-a417-f661ea17fbce, new version: 6
    - min_stack_version added: 8.16.0
  A: 06f3a26c-ea35-11ee-a417-f661ea17fbce, new version: 5
    - min_stack_version added: 8.16.0
  A: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce, new version: 6
    - min_stack_version added: 8.16.0
  A: eb804972-ea34-11ee-a417-f661ea17fbce, new version: 6
    - min_stack_version added: 8.16.0
  A: f2c3caa6-ea34-11ee-a417-f661ea17fbce, new version: 6
    - min_stack_version added: 8.16.0
  A: f87e6122-ea34-11ee-a417-f661ea17fbce, new version: 6
    - min_stack_version added: 8.16.0
  A: 0c74cd7e-ea35-11ee-a417-f661ea17fbce, new version: 6
    - min_stack_version added: 8.16.0
  A: 10f3d520-ea35-11ee-a417-f661ea17fbce, new version: 6
    - min_stack_version added: 8.16.0
  A: de67f85e-2d43-11f0-b8c9-f661ea17fbcc, new version: 2
    - min_stack_version added: 8.17.0
  A: 26f68dba-ce29-497b-8e13-b4fde1db5a2d, new version: 414
    - min_stack_version added: 8.17.0
  A: 36188365-f88f-4f70-8c1d-0b9554186b9c, new version: 2
    - min_stack_version added: 8.17.0
  A: 3805c3dc-f82c-4f8d-891e-63c24d3102b0, new version: 415
    - min_stack_version added: 8.15.0
  A: e08ccd49-0380-4b2b-8d71-8000377d6e49, new version: 416
    - min_stack_version added: 8.15.0
  A: 50887ba8-7ff7-11ee-a038-f661ea17fbcd, new version: 210
    - min_stack_version added: 8.15.0
  A: cc382a2e-7e52-11ee-9aac-f661ea17fbcd, new version: 306
    - min_stack_version added: 8.15.0
  A: 94e734c0-2cda-11ef-84e1-f661ea17fbce, new version: 205
    - min_stack_version added: 8.15.0
  A: 95b99adc-2cda-11ef-84e1-f661ea17fbce, new version: 205
    - min_stack_version added: 8.15.0
  A: 42bf698b-4738-445b-8231-c834ddefd8a0, new version: 416
    - min_stack_version added: 8.15.0
  A: 8a0fbd26-867f-11ee-947c-f661ea17fbcd, new version: 211
    - min_stack_version added: 8.15.0
  A: 23f18264-2d6d-11ef-9413-f661ea17fbce, new version: 205
    - min_stack_version added: 8.15.0
  A: 97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7, new version: 417
    - min_stack_version added: 8.15.0
  A: cdbebdc1-dc97-43c6-a538-f26a20c0a911, new version: 415
    - min_stack_version added: 8.15.0
  A: 8a5c1e5f-ad63-481e-b53a-ef959230f7f1, new version: 414
    - min_stack_version added: 8.15.0
  A: c749e367-a069-4a73-b1f2-43a3798153ad, new version: 414
    - min_stack_version added: 8.15.0
  A: 6649e656-6f85-11ef-8876-f661ea17fbcc, new version: 209
    - min_stack_version added: 8.15.0
  A: b719a170-3bdb-4141-b0e3-13e3cf627bfe, new version: 414
    - min_stack_version added: 8.15.0
  A: cc92c835-da92-45c9-9f29-b4992ad621a0, new version: 415
    - min_stack_version added: 8.15.0
  A: b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9, new version: 414
    - min_stack_version added: 8.15.0
  A: d5d86bf5-cf0c-4c06-b688-53fdc072fdfd, new version: 414
    - min_stack_version added: 8.15.0
  A: e48236ca-b67a-4b4e-840c-fdc7782bc0c3, new version: 414
    - min_stack_version added: 8.15.0
  A: 6731fbf2-8f28-49ed-9ab9-9a918ceb5a45, new version: 414
    - min_stack_version added: 8.15.0
  A: 000047bb-b27a-47ec-8b62-ef1a5d2c9e19, new version: 415
    - min_stack_version added: 8.15.0
  A: e90ee3af-45fc-432e-a850-4a58cf14a457, new version: 416
    - min_stack_version added: 8.15.0
  A: 676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7, new version: 414
    - min_stack_version added: 8.15.0
  A: edb91186-1c7e-4db8-b53e-bfa33a1a0a8a, new version: 414
    - min_stack_version added: 8.15.0
  A: d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f, new version: 413
    - min_stack_version added: 8.15.0
  A: c74fd275-ab2c-4d49-8890-e2943fa65c09, new version: 413
    - min_stack_version added: 8.15.0
  A: e6e3ecff-03dd-48ec-acbd-54a04de10c68, new version: 413
    - min_stack_version added: 8.15.0
  A: 6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd, new version: 210
    - min_stack_version added: 8.15.0
  A: 260486ee-7d98-11ee-9599-f661ea17fbcd, new version: 210
    - min_stack_version added: 8.15.0
  A: ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e, new version: 311
    - min_stack_version added: 8.15.0
  A: 4edd3e1a-3aa0-499b-8147-4d2ea43b1613, new version: 414
    - min_stack_version added: 8.15.0
  A: 2e56e1bc-867a-11ee-b13e-f661ea17fbcd, new version: 305
    - min_stack_version added: 8.15.0
  A: 1ceb05c4-7d25-11ee-9562-f661ea17fbcd, new version: 210
    - min_stack_version added: 8.15.0
  A: 1502a836-84b2-11ef-b026-f661ea17fbcc, new version: 208
    - min_stack_version added: 8.15.0
  A: f994964f-6fce-4d75-8e79-e16ccc412588, new version: 413
    - min_stack_version added: 8.15.0
  A: 621e92b6-7e54-11ee-bdc0-f661ea17fbcd, new version: 211
    - min_stack_version added: 8.15.0
  A: 6885d2ae-e008-4762-b98a-e8e1cd3a81e9, new version: 413
    - min_stack_version added: 8.15.0
  A: b8075894-0b62-46e5-977c-31275da34419, new version: 413
    - min_stack_version added: 8.15.0
  A: f06414a6-f2a4-466d-8eba-10f85e8abf71, new version: 413
    - min_stack_version added: 8.15.0
  A: 96b9f4ea-0e8c-435b-8d53-2096e75fcac5, new version: 413
    - min_stack_version added: 8.15.0
  A: 729aa18d-06a6-41c7-b175-b65b739b1181, new version: 414
    - min_stack_version added: 8.15.0
  A: cd89602e-9db0-48e3-9391-ae3bf241acd8, new version: 416
    - min_stack_version added: 8.15.0
  A: 29b53942-7cd4-11ee-b70e-f661ea17fbcd, new version: 209
    - min_stack_version added: 8.15.0
  A: cd16fb10-0261-46e8-9932-a0336278cdbe, new version: 414
    - min_stack_version added: 8.15.0
  A: 5610b192-7f18-11ee-825b-f661ea17fbcd, new version: 210
    - min_stack_version added: 8.15.0
  A: bd1eadf6-3ac6-4e66-91aa-4a1e6711915f, new version: 4
    - min_stack_version added: 8.18.0
  A: 0cbbb5e0-f93a-47fe-ab72-8213366c38f1, new version: 4
    - min_stack_version added: 8.18.0
  A: 5eac16ab-6d4f-427b-9715-f33e1b745fc7, new version: 4
    - min_stack_version added: 8.18.0
  A: a300dea6-e228-40e1-9123-a339e207378b, new version: 4
    - min_stack_version added: 8.18.0
  A: 8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f, new version: 4
    - min_stack_version added: 8.18.0
  A: a8f7187f-76d6-4c1d-a1d5-1ff301ccc120, new version: 4
    - min_stack_version added: 8.18.0
  A: fbb10f1e-77cb-42f9-994e-5da17fc3fc15, new version: 4
    - min_stack_version added: 8.18.0
  A: 3278313c-d6cd-4d49-aa24-644e1da6623c, new version: 4
    - min_stack_version added: 8.18.0
  A: aa28f01d-bc93-4c8f-bc01-6f67f2a0a833, new version: 4
    - min_stack_version added: 8.18.0
  A: 138520d2-11ff-4288-a80e-a45b36dca4b1, new version: 4
    - min_stack_version added: 8.18.0
  A: 02b4420d-eda2-4529-9e46-4a60eccb7e2d, new version: 4
    - min_stack_version added: 8.18.0
  A: 178770e0-5c20-4246-b430-e216a2888b23, new version: 4
    - min_stack_version added: 8.18.0
  A: 751b0329-7295-4682-b9c7-4473b99add69, new version: 4
    - min_stack_version added: 8.18.0
  A: 097ef0b8-fb21-4e45-ad89-d81666349c6a, new version: 4
    - min_stack_version added: 8.18.0
  A: 6fb2280a-d91a-4e64-a97e-1332284d9391, new version: 4
    - min_stack_version added: 8.18.0
  A: 37cca4d4-92ab-4a33-a4f8-44a7a380ccda, new version: 4
    - min_stack_version added: 8.18.0
  A: 2bca4fcd-5228-4472-9071-148903a31057, new version: 4
    - min_stack_version added: 8.18.0
  A: fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a, new version: 4
    - min_stack_version added: 8.18.0
  A: 27569131-560e-441e-b556-0b9180af3332, new version: 4
    - min_stack_version added: 8.18.0
  A: d2703b82-f92c-4489-a4a7-62aa29a62542, new version: 4
    - min_stack_version added: 8.18.0
  A: 08be5599-3719-4bbd-8cbc-7e9cff556881, new version: 4
    - min_stack_version added: 8.18.0
  A: 7b981906-86b7-4544-8033-c30ec6eb45fc, new version: 105
    - min_stack_version added: 8.16.0
  A: ddf26e25-3e30-42b2-92db-bde8eb82ad67, new version: 4
    - min_stack_version added: 8.14.0
  A: 28eb3afe-131d-48b0-a8fc-9784f3d54f3c, new version: 110
    - min_stack_version added: 8.16.0
  A: ff9bc8b9-f03b-4283-be58-ee0a16f5a11b, new version: 112
    - min_stack_version added: 8.16.0
  A: 6756ee27-9152-479b-9b73-54b5bbda301c, new version: 2
    - min_stack_version added: 8.17.0
  A: 4d169db7-0323-4157-9ad3-ea5ece9019c9, new version: 3
    - min_stack_version added: 8.14.0
  A: 85e2d45e-a3df-4acf-83d3-21805f564ff4, new version: 2
    - min_stack_version added: 8.17.0
  A: f38633f4-3b31-4c80-b13d-e77c70ce8254, new version: 2
    - min_stack_version added: 8.17.0
  A: c18975f5-676c-4091-b626-81e8938aa2ee, new version: 3
    - min_stack_version added: 8.14.0
  A: 79543b00-28a5-4461-81ac-644c4dc4012f, new version: 105
    - min_stack_version added: 9.0.0
  A: e72f87d0-a70e-4f8d-8443-a6407bc34643, new version: 311
    - min_stack_version added: 8.15.0
Updated /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/version.lock.json file
Package saved to: /Users/shashankks/elastic_workspace/detection-rules/releases/9.1
loaded security_detection_engine manifests from the following package versions: ['9.0.7', '9.0.6', '9.0.5', '9.0.4', '9.0.3', '9.0.2', '9.0.1', '8.17.7']
[+] Limit historical rule versions in the release package for version 9.1.0: 3 versions
[+] Adding historical rules from 9.0.7 package
- sha256: f8659de9b5ceaf918adc6ee7430a5722fb185f3298b4799473dcc5ba77606e0e
- 1436 rules included
(.venv)

View Rule

python -m detection_rules view-rule /Users/shashankks/elastic_workspace/detection-rules/rules/integrations/aws/collection_cloudtrail_logging_created.toml
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

{
  "author": [
    "Elastic"
  ],
  "description": "Identifies the creation of an AWS log trail that specifies the settings for delivery of log data.",
  "false_positives": [
    "Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule."
  ],
  "from": "now-60m",
  "index": [
    "filebeat-*",
    "logs-aws.cloudtrail-*"
  ],
  "interval": "10m",
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "AWS CloudTrail Log Created",
  "note": "## Triage and analysis  > **Disclaimer**: > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.  ### Investigating AWS CloudTrail Log Created  AWS CloudTrail is a service that enables governance, compliance, and operational and risk auditing of your AWS account. It logs API calls and related events, providing visibility into user activity. Adversaries may create new trails to capture sensitive data or cover their tracks. The detection rule identifies successful trail creation, signaling potential unauthorized activity, aiding in early threat detection.  ### Possible investigation steps  - Review the AWS CloudTrail logs to identify the user or role associated with the CreateTrail event by examining the user identity information in the event logs. - Check the time and date of the CreateTrail event to determine if it aligns with any known maintenance or administrative activities. - Investigate the configuration of the newly created trail to understand what specific log data it is set to capture and where it is being delivered. - Assess whether the trail creation was authorized by cross-referencing with change management records or by contacting relevant personnel. - Analyze other recent AWS CloudTrail events associated with the same user or role to identify any suspicious or unusual activities that may indicate malicious intent. - Evaluate the permissions and access policies of the user or role involved in the event to ensure they align with the principle of least privilege.  ### False positive analysis  - Routine administrative actions by authorized personnel can trigger this rule. Regularly review and document legitimate trail creation activities to differentiate them from unauthorized actions. - Automated processes or scripts that create trails for compliance or monitoring purposes may cause false positives. Identify and whitelist these processes to prevent unnecessary alerts. - Third-party security tools or services that integrate with AWS and create trails for enhanced logging might be mistaken for suspicious activity. Verify these integrations and exclude them from the rule if they are part of your security strategy. - Changes in organizational policy or structure that require new trail creation can lead to false positives. Ensure that such changes are communicated to the security team to adjust the rule settings accordingly.  ### Response and remediation  - Immediately review the newly created CloudTrail log to verify its legitimacy. Check the user or service account that initiated the trail creation and confirm if it aligns with expected administrative activities. - If the trail creation is unauthorized, disable or delete the trail to prevent further data capture by potential adversaries. - Conduct a thorough audit of recent API calls and user activities associated with the account that created the trail to identify any other suspicious actions or configurations. - Escalate the incident to the security operations team for further investigation and to determine if additional AWS resources have been compromised. - Implement additional monitoring and alerting for any future unauthorized CloudTrail modifications or creations to enhance early detection capabilities. - Review and tighten IAM policies and permissions to ensure that only authorized personnel have the ability to create or modify CloudTrail configurations. - Consider enabling AWS CloudTrail log file integrity validation to ensure that log files have not been altered or deleted, providing an additional layer of security.  ## Setup",
  "query": "event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:CreateTrail and event.outcome:success\n",
  "references": [
    "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
    "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html"
  ],
  "related_integrations": [
    {
      "integration": "cloudtrail",
      "package": "aws",
      "version": "^3.0.0"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "event.action",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "event.dataset",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "event.outcome",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "event.provider",
      "type": "keyword"
    }
  ],
  "risk_score": 21,
  "rule_id": "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed",
  "setup": "The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
  "severity": "low",
  "tags": [
    "Domain: Cloud",
    "Data Source: AWS",
    "Data Source: Amazon Web Services",
    "Use Case: Log Auditing",
    "Tactic: Collection",
    "Resources: Investigation Guide"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0009",
        "name": "Collection",
        "reference": "https://attack.mitre.org/tactics/TA0009/"
      },
      "technique": [
        {
          "id": "T1530",
          "name": "Data from Cloud Storage",
          "reference": "https://attack.mitre.org/techniques/T1530/"
        }
      ]
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "query",
  "version": 211
}
(.venv) 
detection-rules on  style-fixes [$!?] is 📦 v1.3.15 via 🐍 v3.12.8 (.venv) on ☁️  [email protected] 

@shashank-elastic

I will take a look at this some more and try more of release oriented commands on this branch. But am curious why the build here is not kicked off!
