diff --git a/detection_rules/beats.py b/detection_rules/beats.py
index 8d695df735d..ed2a1d9b9e6 100644
--- a/detection_rules/beats.py
+++ b/detection_rules/beats.py
@@ -288,11 +288,11 @@ def parse_beats_from_index(index: Optional[list]) -> List[str]:
 """Parse beats schema types from index."""
 indexes = index or []
 beat_types = []
- # Need to split on : to support cross-cluster search
+ # Need to split on : or :: to support cross-cluster search
 # e.g. mycluster:logs-* -> logs-*
 for index in indexes:
 if "beat-*" in index:
- index_parts = index.split(':', 1)
+ index_parts = index.replace('::', ':').split(':', 1)
 last_part = index_parts[-1]
 beat_type = last_part.split("-")[0]
 beat_types.append(beat_type)
diff --git a/detection_rules/ecs.py b/detection_rules/ecs.py
index ab6664a9573..e3fe2a66247 100644
--- a/detection_rules/ecs.py
+++ b/detection_rules/ecs.py
@@ -187,7 +187,7 @@ def get_custom_index_schema(index_name: str, stack_version: str = None):
 """Load custom schema."""
 custom_schemas = get_custom_schemas(stack_version)
 index_schema = custom_schemas.get(index_name, {})
- ccs_schema = custom_schemas.get(index_name.split(":", 1)[-1], {})
+ ccs_schema = custom_schemas.get(index_name.replace('::', ':').split(":", 1)[-1], {})
 index_schema.update(ccs_schema)
 return index_schema
@@ -197,7 +197,7 @@ def get_index_schema(index_name):
 """Load non-ecs schema."""
 non_ecs_schema = get_non_ecs_schema()
 index_schema = non_ecs_schema.get(index_name, {})
- ccs_schema = non_ecs_schema.get(index_name.split(":", 1)[-1], {})
+ ccs_schema = non_ecs_schema.get(index_name.replace('::', ':').split(":", 1)[-1], {})
 index_schema.update(ccs_schema)
 return index_schema
diff --git a/pyproject.toml b/pyproject.toml
index 8f7c223b9e6..ffa859a282f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
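Review bot: The comment above the loop now says the split handles `::` as well as `:`, but the example line directly under it still shows only the single-colon form, so a reader cannot tell what a `::` input is expected to look like; extend it to `# e.g. mycluster:logs-* -> logs-*, mycluster::logs-* -> logs-*`. The same `replace('::', ':').split(':', 1)[-1]` expression is now written three times across this diff (here and twice in ecs.py), so the prefix-stripping rule will drift the next time the separator syntax changes; a single shared helper such as `def strip_cluster_prefix(index: str) -> str: return index.replace('::', ':').split(':', 1)[-1]` would keep one definition. Note that `replace` collapses every `::` in the pattern, not only a leading cluster separator, so if `::` can legitimately occur elsewhere in an index pattern the text before it would be treated as the cluster name; worth confirming against the index syntax the project supports. The body of parse_beats_from_index continues past the end of the hunk.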
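Review bot: `index_schema.update(ccs_schema)` on the new side of the get_custom_index_schema hunk mutates the dict returned by `custom_schemas.get(index_name, {})` in place, so whenever a schema for `index_name` exists the cross-cluster merge is written back into the mapping that `get_custom_schemas` returned; if that mapping is cached or otherwise shared, later lookups silently see a schema that has absorbed the prefix-stripped entry. Copying before merging, `index_schema = dict(custom_schemas.get(index_name, {}))`, keeps the returned dict private to the caller without changing the result. When `index_name` carries no cluster prefix both lookups return the same object and the update is a no-op, so the copy costs nothing in that case. Whether `get_custom_schemas` caches its result is not visible in this hunk and should be checked before deciding.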
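Review bot: get_index_schema is the only function touched by this diff whose signature carries no type annotation and whose docstring, `"""Load non-ecs schema."""`, says nothing about the cross-cluster fallback the changed line implements, so the `:`/`::` handling is discoverable only by reading the expression. Annotating it as `def get_index_schema(index_name: str) -> dict:` matches the sibling `get_custom_index_schema` (the `dict` return assumes the stored schemas are dicts, which the `update` call already requires), and a docstring such as `"""Load the non-ECS schema for index_name, merged with the entry for the same name with any cluster prefix (cluster: or cluster::) stripped."""` records the contract. The merge here also mutates the dict held inside `non_ecs_schema` in place via `update`; `index_schema = dict(non_ecs_schema.get(index_name, {}))` avoids that if `get_non_ecs_schema` returns a shared mapping, which this hunk does not show.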
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.1.7"
+version = "0.2.0"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"