Account for CCS '::' index pattern

shashank-elastic · shashank-elastic · commit 77a101716f07 · 2024-11-07T22:34:51.000+05:30
diff --git a/detection_rules/beats.py b/detection_rules/beats.py
@@ -288,11 +288,11 @@ def parse_beats_from_index(index: Optional[list]) -> List[str]:
     """Parse beats schema types from index."""
     indexes = index or []
     beat_types = []
-    # Need to split on : to support cross-cluster search
+    # Need to split on : or :: to support cross-cluster search
     # e.g. mycluster:logs-* -> logs-*
     for index in indexes:
         if "beat-*" in index:
-            index_parts = index.split(':', 1)
+            index_parts = index.replace('::', ':').split(':', 1) 
             last_part = index_parts[-1]
             beat_type = last_part.split("-")[0]
             beat_types.append(beat_type)
diff --git a/detection_rules/ecs.py b/detection_rules/ecs.py
@@ -187,7 +187,7 @@ def get_custom_index_schema(index_name: str, stack_version: str = None):
     """Load custom schema."""
     custom_schemas = get_custom_schemas(stack_version)
     index_schema = custom_schemas.get(index_name, {})
-    ccs_schema = custom_schemas.get(index_name.split(":", 1)[-1], {})
+    ccs_schema = custom_schemas.get(index_name.replace('::', ':').split(":", 1)[-1], {})
     index_schema.update(ccs_schema)
     return index_schema
 
@@ -197,7 +197,7 @@ def get_index_schema(index_name):
     """Load non-ecs schema."""
     non_ecs_schema = get_non_ecs_schema()
     index_schema = non_ecs_schema.get(index_name, {})
-    ccs_schema = non_ecs_schema.get(index_name.split(":", 1)[-1], {})
+    ccs_schema = non_ecs_schema.get(index_name.replace('::', ':').split(":", 1)[-1], {})
     index_schema.update(ccs_schema)
     return index_schema
 
