
Commit 3c1de72

[FR] Add support for 5 group_by fields in threshold rules (>=9.2) (#5040)
1 parent b4db783 commit 3c1de72

3 files changed

+32
-2
lines changed


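--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -810,6 +810,36 @@ class ThresholdCardinality:
     threshold: ThresholdMapping
     alert_suppression: ThresholdAlertSuppression | None = field(metadata={"metadata": {"min_compat": "8.12"}}) # type: ignore[reportIncompatibleVariableOverride]
 
+    def validate(self, meta: RuleMeta) -> None:
+        """Validate threshold fields count based on stack version."""
+        current_min_stack = load_current_package_version()
+        min_stack_raw = meta.min_stack_version or current_min_stack
+        min_stack = Version.parse(min_stack_raw, optional_minor_and_patch=True)
+        cutoff = Version.parse("9.2.0")
+
+        default_cap_lt_9_2 = 3
+        default_cap_ge_9_2 = 5
+        is_ge_9_2 = min_stack >= cutoff
+        max_fields_allowed = default_cap_ge_9_2 if is_ge_9_2 else default_cap_lt_9_2
+
+        fields = self.threshold.field or []
+        if len(fields) > max_fields_allowed:
+            # Tailored hint based on stack cap in effect
+            if is_ge_9_2:
+                hint = f" Reduce to {max_fields_allowed} or fewer fields."
+            else:
+                hint = (
+                    f" Reduce to {max_fields_allowed} or fewer fields, or set "
+                    "metadata.min_stack_version to 9.2.0+ "
+                    f"to allow up to {default_cap_ge_9_2}."
+                )
+
+            raise ValidationError(
+                f"threshold field supports at most {max_fields_allowed} field(s) for min_stack_version "
+                f"{min_stack_raw or 'unspecified (<9.2 assumed)'}. "
+                f"Received {len(fields)} group_by fields." + hint
+            )
+
 
 @dataclass(frozen=True, kw_only=True)
 class NewTermsRuleData(QueryRuleData):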
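Review bot: The fallback text `'unspecified (<9.2 assumed)'` in the ValidationError message (new-side line 839) is unreachable and misleading: `min_stack_raw` is already `meta.min_stack_version or current_min_stack`, so it can only be falsy if load_current_package_version() returns an empty value, and when min_stack_version is unset the code does not assume <9.2 but the current package version, which may itself be >=9.2 and silently permit 5 fields. Keep the raw metadata value separate so the message reports what actually happened: `min_stack_raw = meta.min_stack_version`, `min_stack = Version.parse(min_stack_raw or current_min_stack, optional_minor_and_patch=True)`, and in the message `f"{min_stack_raw or f'unspecified ({current_min_stack} assumed)'}. "`. The enclosing class starts outside the hunk; if its parent class already defines validate(meta), this override replaces it without calling `super().validate(meta)` — confirm against the base class.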

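--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -230,7 +230,7 @@ def validator_wrapper(value: Any) -> Any:
 BranchVer = Annotated[str, fields.String(validate=validate.Regexp(BRANCH_PATTERN))]
 CardinalityFields = Annotated[
     list[NonEmptyStr],
-    fields.List(NON_EMPTY_STRING_FIELD, validate=validate.Length(min=0, max=3)),
+    fields.List(NON_EMPTY_STRING_FIELD, validate=validate.Length(min=0, max=5)),
 ]
 ConditionSemVer = Annotated[str, fields.String(validate=validate.Regexp(CONDITION_VERSION_PATTERN))]
 Date = Annotated[str, fields.String(validate=validate.Regexp(DATE_PATTERN))]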
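Review bot: The raised ceiling on the CardinalityFields alias is not documented as the >=9.2 limit: the schema now accepts 5 entries on every stack version, and the version-gated cap (3 below 9.2, 5 from 9.2) lives only in the threshold rule's validate() added to detection_rules/rule.py in this same commit, which a reader of this file cannot see. Add a comment above the `fields.List(...)` line, e.g. `# Schema ceiling for stacks >=9.2; rules targeting older stacks are capped at 3 in the threshold rule's validate()`. The alias name suggests it is also used for threshold.cardinality.field; if so, confirm the new ceiling of 5 is intended there as well, since the rule-level check only counts `self.threshold.field`.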

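--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.28"
+version = "1.3.29"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"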
