
Conversation

@aarju

@aarju aarju commented Dec 10, 2025

Summary - What I changed

During testing I found that for my custom rules, when exported from a cluster for the first time, the creation_date and updated_date values were being set to today's date instead of using the created_at and updated_at values from the detection rules.

This update adds logic to main.py (line 250) within the import_rules_into_repo function to use the values from the contents of the rule if those fields exist. This fixes the issue and now when rules are imported for the first time they retain the original values from the cluster.

How To Test

Import existing custom detection rules from a cluster to a repo where the created_at and updated_at dates are prior to today. Verify that the creation_date and updated_date use the correct date from the rule file and are not set to today.

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Documentation and comments were added for features that require explanation

Contributor checklist

@aarju aarju marked this pull request as ready for review December 10, 2025 12:48
@eric-forte-elastic
Contributor

eric-forte-elastic commented Dec 10, 2025

👋 Thanks for the PR, unless I am mistaken, generally speaking when this code was implemented the decision was made that created and updated dates are specific to the toml file rather than the rule file from Kibana. I am certainly open to this change, but as the code sits currently, this is intended behavior.

Given that I expect the outcome will be that we will want to include the functionality from the PR, we can continue to review and merge when we are satisfied, just wanting to note that this will be a change (or alternative) to the original import pipeline 👍

contents["author"] = [contents["author"]]

# Parse created_at and updated_at to creation_date and updated_date if they exist in contents
if "created_at" in contents:
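Review bot: `if "created_at" in contents:` only checks that the key exists; an export that carries the key with a `None` or empty value passes the check and then fails at parse time. Testing the value (`contents.get("created_at")`) rather than the key keeps the fallback-to-today behaviour for such rules, and the same applies to the `updated_at` branch.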
Contributor


Instead of using these try, except blocks, it would be better to match the style/formatting we use in this function by using .get(). The addition is smaller and does not need to add additional exception handling.

It could look something like this instead for this PR:

        # Requires at module level in main.py: from datetime import UTC, datetime
        # Parse created_at and updated_at to creation_date and updated_date if they exist in contents
        now = datetime.now(UTC).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        contents["creation_date"] = datetime.strptime(
            contents.get("created_at", now), "%Y-%m-%dT%H:%M:%S.%fZ"
        ).strftime("%Y/%m/%d")
        contents["updated_date"] = datetime.strptime(contents.get("updated_at", now), "%Y-%m-%dT%H:%M:%S.%fZ").strftime(
            "%Y/%m/%d"
        )

Author


Thanks for the help, I just updated the functions to use the .get() function using your code.
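As an added illustration of the date handling discussed in this review thread (example code written for this page, not the detection-rules project's own implementation), the block below derives the repo-style creation_date/updated_date fields from a Kibana rule export. It goes beyond the snippet above in one respect: it treats a `created_at`/`updated_at` that is absent, `None`, empty, or in an unexpected format the same way, falling back to "today", and it accepts timestamps both with and without fractional seconds. The field names, the YYYY/MM/DD target format and the Kibana timestamp shape are taken from the thread; the function names and the sample rule are constructed for this example.

```python
"""Derive detection-rules-style creation_date/updated_date from a Kibana rule
export. Added example for this review thread, not the project's own code.
Assumptions: the rule dict carries created_at/updated_at as ISO 8601 UTC
strings as Kibana emits them (e.g. 2025-03-04T10:15:30.123Z), and the target
fields use the repository's YYYY/MM/DD format shown in the snippet above."""

from datetime import datetime, timezone

# Kibana normally includes milliseconds; accept the plain form as well.
KIBANA_FORMATS = (
    "%Y-%m-%dT%H:%M:%S.%fZ",  # with fractional seconds
    "%Y-%m-%dT%H:%M:%SZ",     # without fractional seconds
)


def parse_kibana_timestamp(value):
    """Return an aware UTC datetime for a Kibana timestamp string, or None when
    the value is missing, empty, not a string, or in no recognised format."""
    if not isinstance(value, str) or not value.strip():
        return None
    for fmt in KIBANA_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def derive_rule_dates(contents, now=None):
    """Return (creation_date, updated_date) as YYYY/MM/DD strings.

    A key that is absent, empty, or unparsable falls back to `now`, so one
    malformed export degrades to today's date (the pre-PR behaviour) instead
    of raising inside the import loop. `contents` is not mutated.
    """
    now = now or datetime.now(timezone.utc)
    created = parse_kibana_timestamp(contents.get("created_at")) or now
    updated = parse_kibana_timestamp(contents.get("updated_at")) or now
    return created.strftime("%Y/%m/%d"), updated.strftime("%Y/%m/%d")


def import_dates(contents, now=None):
    """Copy of `contents` with creation_date/updated_date filled in, mirroring
    the step the PR adds to import_rules_into_repo (hypothetical helper name)."""
    creation_date, updated_date = derive_rule_dates(contents, now)
    out = dict(contents)
    out["creation_date"] = creation_date
    out["updated_date"] = updated_date
    return out


if __name__ == "__main__":
    # Constructed sample: a custom rule exported from a cluster earlier in the year.
    rule = {
        "name": "Example custom rule",
        "created_at": "2025-03-04T10:15:30.123Z",
        "updated_at": "2025-06-01T08:00:00Z",
    }
    print(import_dates(rule))
```

Passing a fixed `now` makes the fallback deterministic in tests; in the import path itself the default of `datetime.now(timezone.utc)` reproduces what the pre-PR code did for rules that carry no usable timestamps.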

@botelastic botelastic bot added the python Internal python for the repository label Dec 10, 2025
@aarju
Author

aarju commented Dec 10, 2025

just wanting to note that this will be a change (or alternative) to the original import pipeline

@eric-forte-elastic do you think this is a big enough change to justify wrapping this code in a new commandline option to allow users to enable it if they want it?

Labels

backport: auto python Internal python for the repository
