[Bug] Fix Filter Support for Import Rules (#4852)

* Fix Filter Support for Import Rules

* Patch Bump

* Update Remove CLI Test Script

* Ruff formatting

(cherry picked from commit 898be50)

Author: eric-forte-elastic

detection_rules/etc/test_remote_cli.bash

@@ -14,9 +14,18 @@ python -m detection_rules kibana search-alerts
 
 echo "Performing a rule export..."
 mkdir tmp-export 2>/dev/null
-python -m detection_rules kibana export-rules -d tmp-export -sv --skip-errors
+python -m detection_rules kibana export-rules -d tmp-export -sv --skip-errors -r 565d6ca5-75ba-4c82-9b13-add25353471c
 ls tmp-export
 echo "Removing generated files..."
 rm -rf tmp-export
 
-echo "Detection-rules CLI tests completed!"
+echo "Performing a rule import..."
+
+python -m detection_rules custom-rules setup-config tmp-custom
+export CUSTOM_RULES_DIR=./tmp-custom
+cp rules/threat_intel/threat_intel_indicator_match_address.toml tmp-custom/rules/
+python -m detection_rules kibana import-rules -o -e -ac
+rm -rf tmp-custom
+set -e CUSTOM_RULES_DIR
+
+echo "Detection-rules Remote CLI tests completed!"

detection_rules/kbwrap.py

@@ -23,7 +23,7 @@
 from .cli_utils import multi_collection
 from .config import parse_rules_config
 from .exception import TOMLException, TOMLExceptionContents, build_exception_objects, parse_exceptions_results_from_api
-from .generic_loader import GenericCollection
+from .generic_loader import GenericCollection, GenericCollectionTypes
 from .main import root
 from .misc import add_params, get_kibana_client, kibana_options, nested_set, raise_client_error
 from .rule import TOMLRule, TOMLRuleContents, downgrade_contents_from_rule
@@ -159,6 +159,10 @@ def _parse_list_id(s: str) -> str | None:
                 )
                 click.echo()
 
+    def _matches_rule_ids(item: GenericCollectionTypes, rule_ids: set[str]) -> bool:
+        """Check if the item matches any of the rule IDs in the provided set."""
+        return any(rule_id in rule_ids for rule_id in item.contents.metadata.get("rule_ids", []))
+
     def _process_imported_items(
         imported_items_list: list[list[dict[str, Any]]],
         item_type_description: str,
@@ -173,13 +177,18 @@ def _process_imported_items(
 
     kibana = ctx.obj["kibana"]
     rule_dicts = [r.contents.to_api_format() for r in rules]
+    rule_ids = {rule["rule_id"] for rule in rule_dicts}
     with kibana:
         cl = GenericCollection.default()
         exception_dicts = [
-            d.contents.to_api_format() for d in cl.items if isinstance(d.contents, TOMLExceptionContents)
+            d.contents.to_api_format()
+            for d in cl.items
+            if isinstance(d.contents, TOMLExceptionContents) and _matches_rule_ids(d, rule_ids)
         ]
         action_connectors_dicts = [
-            d.contents.to_api_format() for d in cl.items if isinstance(d.contents, TOMLActionConnectorContents)
+            d.contents.to_api_format()
+            for d in cl.items
+            if isinstance(d.contents, TOMLActionConnectorContents) and _matches_rule_ids(d, rule_ids)
         ]
         response, successful_rule_ids, results = RuleResource.import_rules(  # type: ignore[reportUnknownMemberType]
             rule_dicts,

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.4"
+version = "1.3.5"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"