From 663c9c14ddac9923d1ce7e2bafbd8c6303b3edc7 Mon Sep 17 00:00:00 2001
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Wed, 13 Nov 2024 11:17:08 +0530
Subject: [PATCH] Account for CCS '::' index pattern (#4258)

(cherry picked from commit 04e1fc1436d255934817f82e432b8d2031da5c98)
---
 detection_rules/beats.py | 4 ++--
 detection_rules/ecs.py | 4 ++--
 pyproject.toml | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/detection_rules/beats.py b/detection_rules/beats.py
index 8d695df735d..ed2a1d9b9e6 100644
--- a/detection_rules/beats.py
+++ b/detection_rules/beats.py
@@ -288,11 +288,11 @@ def parse_beats_from_index(index: Optional[list]) -> List[str]:
     """Parse beats schema types from index."""
     indexes = index or []
     beat_types = []
-    # Need to split on : to support cross-cluster search
+    # Need to split on : or :: to support cross-cluster search
     # e.g. mycluster:logs-* -> logs-*
     for index in indexes:
         if "beat-*" in index:
-            index_parts = index.split(':', 1)
+            index_parts = index.replace('::', ':').split(':', 1)
             last_part = index_parts[-1]
             beat_type = last_part.split("-")[0]
             beat_types.append(beat_type)
diff --git a/detection_rules/ecs.py b/detection_rules/ecs.py
index ab6664a9573..e3fe2a66247 100644
--- a/detection_rules/ecs.py
+++ b/detection_rules/ecs.py
@@ -187,7 +187,7 @@ def get_custom_index_schema(index_name: str, stack_version: str = None):
     """Load custom schema."""
     custom_schemas = get_custom_schemas(stack_version)
     index_schema = custom_schemas.get(index_name, {})
-    ccs_schema = custom_schemas.get(index_name.split(":", 1)[-1], {})
+    ccs_schema = custom_schemas.get(index_name.replace('::', ':').split(":", 1)[-1], {})
     index_schema.update(ccs_schema)
     return index_schema
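Review bot: The new `index.replace('::', ':').split(':', 1)` collapses every `::` in the pattern, not only a leading cluster separator, and the identical expression now appears verbatim twice more in ecs.py; I would put it in one helper, `def strip_ccs_prefix(index: str) -> str: return index.replace('::', ':').split(':', 1)[-1]`, and call it from all three places so the separator rule is maintained in one spot. A comment stating the assumption would help too, e.g. `# assumes '::' only ever separates a remote cluster name from the index pattern`, because an index expression using `::` for anything else would yield the wrong suffix. I do not see a test for the `::` form in this patch; `assert parse_beats_from_index(['remote::winlogbeat-*']) == ['winlogbeat']` would pin it. parse_beats_from_index continues past the hunk's last line.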
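Review bot: `index_schema = custom_schemas.get(index_name, {})` on the line above the change returns the mapping's own dict whenever `index_name` is a key, not a copy, so the `index_schema.update(ccs_schema)` two lines below writes into the stored schema (when both `cluster::X` and `X` are keys) and hands callers a reference they can mutate; if `get_custom_schemas` returns a cached or module-level mapping, which I cannot see here, those writes persist across lookups. `index_schema = dict(custom_schemas.get(index_name, {}))` removes the aliasing. The commit does not touch this, and since the new `::` normalisation is the same expression as in beats.py a shared helper would keep the two in step.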
@@ -197,7 +197,7 @@ def get_index_schema(index_name):
     """Load non-ecs schema."""
     non_ecs_schema = get_non_ecs_schema()
     index_schema = non_ecs_schema.get(index_name, {})
-    ccs_schema = non_ecs_schema.get(index_name.split(":", 1)[-1], {})
+    ccs_schema = non_ecs_schema.get(index_name.replace('::', ':').split(":", 1)[-1], {})
     index_schema.update(ccs_schema)
     return index_schema
diff --git a/pyproject.toml b/pyproject.toml
index 8f7c223b9e6..ffa859a282f 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.1.7"
+version = "0.2.0"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
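Review bot: Same aliasing as in `get_custom_index_schema`: `index_schema = non_ecs_schema.get(index_name, {})` returns the mapping's own entry when `index_name` is a key, so `index_schema.update(ccs_schema)` merges the bare-name fields into the stored dict for the `cluster::X` entry and callers receive a reference to schema state rather than a copy; whether that persists depends on whether `get_non_ecs_schema` caches its result, which is not visible here. Copying first, `index_schema = dict(non_ecs_schema.get(index_name, {}))`, is the one-line fix. `get_index_schema` also lacks the annotation its sibling above carries; `def get_index_schema(index_name: str):` would match.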