Merge branch 'main' into 2700-bug-missing-spaces-between-logic-operators-does-not-raise-error

Author: eric-forte-elastic

.github/CODEOWNERS

@@ -1,14 +1,16 @@
 # detection-rules code owners
 # POC: Elastic Security Intelligence and Analytics Team
 
-tests/**/*.py     @mikaayenson @eric-forte-elastic @terrancedejesus
-detection_rules/  @mikaayenson @eric-forte-elastic @terrancedejesus
-tests/            @mikaayenson @eric-forte-elastic @terrancedejesus
-lib/              @mikaayenson @eric-forte-elastic @terrancedejesus
-hunting/          @mikaayenson @eric-forte-elastic @terrancedejesus
+tests/**/*.py     @mikaayenson @eric-forte-elastic @traut
+detection_rules/  @mikaayenson @eric-forte-elastic @traut
+tests/            @mikaayenson @eric-forte-elastic @traut
+lib/              @mikaayenson @eric-forte-elastic @traut
+hunting/**/*.py          @mikaayenson @eric-forte-elastic @traut
 
 # skip rta-mapping to avoid the spam
-detection_rules/etc/packages.yaml @mikaayenson @eric-forte-elastic @terrancedejesus
-detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @terrancedejesus
-detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @terrancedejesus
-detection_rules/etc/*/*           @mikaayenson @eric-forte-elastic @terrancedejesus
+detection_rules/etc/packages.yaml @mikaayenson @eric-forte-elastic @traut
+detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @traut
+detection_rules/etc/*/*           @mikaayenson @eric-forte-elastic @traut
+
+# exclude files from code owners
+detection_rules/etc/non-ecs-schema.json

.github/ISSUE_TEMPLATE/new_meta.yaml

@@ -37,7 +37,7 @@ body:
   - type: textarea
     attributes:
       label: Tasking
-      value: "```[tasklist]\n### Meta Tasks\n- [ ] Provide Week 1 Update Comment\n- [ ] Provide Week 2 Update or Closeout Comment\n```"
+      value: "\n### Meta Tasks\n- [ ] Provide Week 1 Update Comment\n- [ ] Provide Week 2 Update or Closeout Comment\n"
       render:
 
   - type: textarea

.github/PULL_REQUEST_GUIDELINES/bug_guidelines.md

@@ -11,11 +11,7 @@ These guidelines serve as a reminder set of considerations when addressing a bug
 ### Code Standards and Practices
 
 - [ ] Code follows established design patterns within the repo and avoids duplication.
-- [ ] Code changes do not introduce new warnings or errors.
-- [ ] Variables and functions are well-named and descriptive.
-- [ ] Any unnecessary / commented-out code is removed.
 - [ ] Ensure that the code is modular and reusable where applicable.
-- [ ] Check for proper exception handling and messaging.
 
 ### Testing
 
@@ -25,11 +21,9 @@ These guidelines serve as a reminder set of considerations when addressing a bug
 - [ ] Validate that any rules affected by the bug are correctly updated.
 - [ ] Ensure that performance is not negatively impacted by the changes.
 - [ ] Verify that any release artifacts are properly generated and tested.
+- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-cli`, `make test-remote-cli`, `make test-hunting-cli`)
 
 ### Additional Checks
 
-- [ ] Ensure that the bug fix does not break existing functionality.
-- [ ] Review the bug fix with a peer or team member for additional insights.
 - [ ] Verify that the bug fix works across all relevant environments (e.g., different OS versions).
-- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
 - [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/PULL_REQUEST_GUIDELINES/enhancement_guidelines.md

@@ -11,11 +11,7 @@ These guidelines serve as a reminder set of considerations when addressing addin
 ### Code Standards and Practices
 
 - [ ] Code follows established design patterns within the repo and avoids duplication.
-- [ ] Code changes do not introduce new warnings or errors.
-- [ ] Variables and functions are well-named and descriptive.
-- [ ] Any unnecessary / commented-out code is removed.
 - [ ] Ensure that the code is modular and reusable where applicable.
-- [ ] Check for proper exception handling and messaging.
 
 ### Testing
 
@@ -25,11 +21,9 @@ These guidelines serve as a reminder set of considerations when addressing addin
 - [ ] Validate that any rules affected by the enhancement are correctly updated.
 - [ ] Ensure that performance is not negatively impacted by the changes.
 - [ ] Verify that any release artifacts are properly generated and tested.
+- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-cli`, `make test-remote-cli`, `make test-hunting-cli`)
 
 ### Additional Checks
 
-- [ ] Ensure that the enhancement does not break existing functionality.
-- [ ] Review the enhancement with a peer or team member for additional insights.
 - [ ] Verify that the enhancement works across all relevant environments (e.g., different OS versions).
-- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
 - [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/PULL_REQUEST_GUIDELINES/schema_enhancement_guidelines.md

@@ -11,11 +11,7 @@ These guidelines serve as a reminder set of considerations when addressing addin
 ### Code Standards and Practices
 
 - [ ] Code follows established design patterns within the repo and avoids duplication.
-- [ ] Code changes do not introduce new warnings or errors.
-- [ ] Variables and functions are well-named and descriptive.
-- [ ] Any unnecessary / commented-out code is removed.
 - [ ] Ensure that the code is modular and reusable where applicable.
-- [ ] Check for proper exception handling and messaging.
 
 ### Testing
 
@@ -25,23 +21,21 @@ These guidelines serve as a reminder set of considerations when addressing addin
 - [ ] Validate that any rules affected by the enhancement are correctly updated.
 - [ ] Ensure that performance is not negatively impacted by the changes.
 - [ ] Verify that any release artifacts are properly generated and tested.
+- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-cli`, `make test-remote-cli`, `make test-hunting-cli`)
 
 ### Additional Schema Related Checks
 
-- [ ] Ensure that the enhancement does not break existing functionality. (e.g., run `make test-cli`)
-- [ ] Review the enhancement with a peer or team member for additional insights.
 - [ ] Verify that the enhancement works across all relevant environments (e.g., different OS versions).
-- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
 - [ ] Link to the relevant Kibana PR or issue provided
-- [ ] Exported detection rule(s) from Kibana to showcase the feature(s)
-- [ ] Converted the exported ndjson file(s) to toml in the detection-rules repo
-- [ ] Re-exported the toml rule(s) to ndjson and re-imported into Kibana
+- [ ] Test export/import flow:
+  - [ ] Exported detection rule(s) from Kibana to showcase the feature(s)
+  - [ ] Converted the exported ndjson file(s) to toml in the detection-rules repo
+  - [ ] Re-exported the toml rule(s) to ndjson and re-imported into Kibana
 - [ ] Updated necessary unit tests to accommodate the feature
+- [ ] Incorporated a comprehensive test rule in unit tests for full schema coverage
 - [ ] Applied min_compat restrictions to limit the feature to a specified minimum stack version
 - [ ] Executed all unit tests locally with a test toml rule to confirm passing
 - [ ] Included Kibana PR implementer as an optional reviewer for insights on the feature
 - [ ] Implemented requisite downgrade functionality
 - [ ] Cross-referenced the feature with product documentation for consistency
-- [ ] Incorporated a comprehensive test rule in unit tests for full schema coverage
-- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-remote-cli`)
 - [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/workflows/attack-coverage-update.yml

@@ -0,0 +1,49 @@
+name: Code checks
+
+on:
+  push:
+    branches: [ "main", "7.*", "8.*", "9.*" ]
+  pull_request:
+    branches: [ "*" ]
+    paths:
+      - 'detection_rules/**/*.py'
+      - 'hunting/**/*.py'
+      - 'tests/**/*.py'
+      - 'lib/**/*.py'
+
+jobs:
+  code-checks:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 1
+
+    - name: Set up Python 3.13
+      uses: actions/setup-python@v5
+      with:
+        python-version: '3.13'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip cache purge
+        pip install .[dev]
+
+    - name: Linting check
+      run: |
+        ruff check --exit-non-zero-on-fix
+
+    - name: Formatting check
+      run: |
+        ruff format --check
+
+    - name: Pyright check
+      run: |
+        pyright
+
+    - name: Python License Check
+      run: |
+        python -m detection_rules dev license-check

.github/workflows/code-checks.yml

@@ -0,0 +1,23 @@
+name: docs-build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request_target: ~
+
+jobs:
+  preview:
+    uses: elastic/docs-builder/.github/workflows/preview-build.yml@main
+    with:
+      continue-on-error: false
+      strict: true
+      path-pattern: |
+        docs/**
+        rules/**
+        rules_building_block/**
+    permissions:
+      deployments: write
+      id-token: write
+      contents: read
+      pull-requests: write

.github/workflows/docs-build.yml

@@ -0,0 +1,14 @@
+name: docs-cleanup
+
+on:
+  pull_request_target:
+    types:
+      - closed
+
+jobs:
+  preview:
+    uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main
+    permissions:
+      contents: none
+      id-token: write
+      deployments: write

.github/workflows/docs-cleanup.yml

@@ -10,14 +10,15 @@ on:
 jobs:
   create_issue:
     runs-on: ubuntu-latest
+    env:
+      KIBANA_ISSUE_NUMBER: 166152  # Define the Kibana issue number as a variable
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Get MITRE Attack changed files
-        if: false
         id: changed-attack-files
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
         with:
           files: detection_rules/etc/attack-v*.json.gz
 
@@ -29,20 +30,14 @@ jobs:
         run: |
           VERSION=$(echo $ADDED_FILE[0] | grep -o 'v[^json]*')
           echo "::set-output name=version::$VERSION"
-
-      - name: Create issue in elastic/kibana repository
+      
+      - name: Add Kibana Issue Comment
         run: |
-          ISSUE_TITLE="[Security Solution] Update MITRE ATT&CK to ${{ steps.extract_version.outputs.version }}"
-          ISSUE_BODY="The detection rules MITRE ATT&CK version has been updated to ${{ steps.extract_version.outputs.version }} Please update the MITRE ATT&CK version in Kibana accordingly."
-
-          curl -X POST \
-            -H "Authorization: token ${{ secrets.WRITE_KIBANA_DETECTION_RULES_TOKEN }}" \
+            echo "Adding comment to Kibana issue #${KIBANA_ISSUE_NUMBER}"
+            curl -L \
+            -X POST \
             -H "Accept: application/vnd.github.v3+json" \
-            https://api.github.com/repos/elastic/kibana/issues \
-            -d '{
-              "title": "'"$ISSUE_TITLE"'",
-              "body": "'"$ISSUE_BODY"'"
-            }'
-
-        env:
-          GITHUB_TOKEN: ${{ secrets.WRITE_KIBANA_DETECTION_RULES_TOKEN }}
+            -H "Authorization: token ${{ secrets.WRITE_KIBANA_DETECTION_RULES_TOKEN }}" \
+            https://api.github.com/repos/elastic/kibana/issues/${KIBANA_ISSUE_NUMBER}/comments \
+            -d '{"body":"The detection rules MITRE ATT&CK version has been updated to ${{ steps.extract_version.outputs.version }} Please help in scheduling the MITRE ATT&CK version upgrade in Kibana accordingly @banderror @approksiu. cc @elastic/threat-research-and-detection-engineering"}'
+            exit $?