[Bug] [DAC] Custom Rules Filter Discrepancy on Stacks Upgraded to 8.18 (#4945)

* Update Custom Rules KQL

* Bump Patch Version

* Update detection_rules/kbwrap.py

Co-authored-by: Marshall Main <[email protected]>

* Use or instead of and

* Bump patch version

* Fix results len typo

---------

Co-authored-by: Marshall Main <[email protected]>

(cherry picked from commit a726da5)

Author: eric-forte-elastic

detection_rules/kbwrap.py

@@ -29,7 +29,7 @@
 from .rule import TOMLRule, TOMLRuleContents, downgrade_contents_from_rule
 from .rule_loader import RawRuleCollection, RuleCollection, update_metadata_from_file
 from .schemas import definitions  # noqa: TC001
-from .utils import format_command_options, rulename_to_filename
+from .utils import CUSTOM_RULES_KQL, format_command_options, rulename_to_filename
 
 RULES_CONFIG = parse_rules_config()
 
@@ -303,9 +303,7 @@ def kibana_export_rules(  # noqa: PLR0912, PLR0913, PLR0915
         query = (
             export_query
             if not custom_rules_only
-            else (
-                f'alert.attributes.params.ruleSource.type: "internal"{f" and ({export_query})" if export_query else ""}'
-            )
+            else (f"({CUSTOM_RULES_KQL}){f' and ({export_query})' if export_query else ''}")
         )
 
         results = (  # type: ignore[reportUnknownVariableType]
@@ -336,8 +334,10 @@ def kibana_export_rules(  # noqa: PLR0912, PLR0913, PLR0915
     rules_results = results  # type: ignore[reportUnknownVariableType]
     action_connector_results = []
     exception_results = []
+    results_len = len(results)  # type: ignore[reportUnknownVariableType]
     if kibana_include_details:
         # Assign counts to variables
+        results_len = results_len - 1
         rules_count = results[-1]["exported_rules_count"]  # type: ignore[reportUnknownVariableType]
         exception_list_count = results[-1]["exported_exception_list_count"]  # type: ignore[reportUnknownVariableType]
         exception_list_item_count = results[-1]["exported_exception_list_item_count"]  # type: ignore[reportUnknownVariableType]
@@ -497,7 +497,7 @@ def kibana_export_rules(  # noqa: PLR0912, PLR0913, PLR0915
 
         saved_action_connectors.append(action)
 
-    click.echo(f"{len(results)} results exported")  # type: ignore[reportUnknownArgumentType]
+    click.echo(f"{results_len} results exported")  # type: ignore[reportUnknownArgumentType]
     click.echo(f"{len(exported)} rules converted")
     click.echo(f"{len(exceptions)} exceptions exported")
     click.echo(f"{len(action_connectors)} action connectors exported")

detection_rules/utils.py

@@ -34,6 +34,7 @@
 ROOT_DIR = CURR_DIR.parent
 ETC_DIR = ROOT_DIR / "detection_rules" / "etc"
 INTEGRATION_RULE_DIR = ROOT_DIR / "rules" / "integrations"
+CUSTOM_RULES_KQL = 'alert.attributes.params.ruleSource.type: "internal" or alert.attributes.params.immutable: false'
 
 
 class DateTimeEncoder(json.JSONEncoder):

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.21"
+version = "1.3.22"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"