From bb907a4d76c27df01b7537a32ec896a785d1a6b9 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Mon, 1 Apr 2024 11:52:46 -0500
Subject: [PATCH] [FR] Add support for investigation_fields (#3550)
---
 detection_rules/rule.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index fb891b6a8dd..a6dad2bde61 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -240,6 +240,12 @@ class ThresholdAlertSuppression:
 @dataclass(frozen=True)
 class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin):
+ """Base rule data."""
+
+ @dataclass
+ class InvestigationFields:
+ field_names: List[definitions.NonEmptyStr]
+
 @dataclass
 class RequiredFields:
 name: definitions.NonEmptyStr
@@ -264,6 +270,7 @@ class RelatedIntegrations:
 # trailing `_` required since `from` is a reserved word in python
 from_: Optional[str] = field(metadata=dict(data_key="from"))
 interval: Optional[definitions.Interval]
+ investigation_fields: Optional[InvestigationFields] = field(metadata=dict(metadata=dict(min_compat="8.11")))
 max_signals: Optional[definitions.MaxSignals]
 meta: Optional[Dict[str, Any]]
 name: definitions.RuleName
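Review bot: `InvestigationFields.field_names` is typed `List[definitions.NonEmptyStr]`, which rejects empty strings but still accepts an empty list, so a rule carrying `field_names = []` would pass local schema validation. If the stack's rule API requires at least one entry (not visible in this patch, worth confirming), a length constraint on the field would surface the error at rule load rather than at import, for example `field_names: List[definitions.NonEmptyStr] = field(metadata=dict(validate=validate.Length(min=1)))`, assuming marshmallow's `validate` is in scope or can be imported in this file. The nested class also has no docstring, and one line stating what the listed fields are used for would help rule authors. The body of `BaseRuleData` continues outside the hunk, so any existing cross-field validation is not visible here.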