
[Bug] [DAC] Add filtering to export-rules-from-repo#5769

Open
eric-forte-elastic wants to merge 3 commits intomainfrom
5768-bug-dac-the-export-rules-from-repo-command-includes-all-exceptionsaction-connectors

Conversation


@eric-forte-elastic eric-forte-elastic commented Feb 24, 2026

Pull Request

Issue link(s):

Resolves #5768

Summary - What I changed

The export-rules-from-repo command with --include-exceptions (-e) or --include-action-connectors (-ac) was adding all exception lists and all action connectors from the repo into the exported NDJSON, instead of only those linked to the rules being exported. kibana import-rules already scopes correctly via _matches_rule_ids; export now does the same.

Changes:

  1. detection_rules/generic_loader.py

    • Added shared helper matches_rule_ids(item, rule_ids) that returns whether an exception or action-connector item’s metadata.rule_ids overlaps the given set. Uses getattr(item.contents.metadata, "rule_ids", []) so it works with existing metadata types.
  2. detection_rules/main.py

    • In _export_rules():
      • Import matches_rule_ids from .generic_loader.
      • Before adding exceptions/action connectors: rule_ids = {r.id for r in rules}.
      • When building exceptions: only include items where isinstance(d.contents, TOMLExceptionContents) and matches_rule_ids(d, rule_ids).
      • When building action connectors: only include items where isinstance(d.contents, TOMLActionConnectorContents) and matches_rule_ids(d, rule_ids).
  3. detection_rules/kbwrap.py

    • Import matches_rule_ids from .generic_loader (removed GenericCollectionTypes from import).
    • Removed the local _matches_rule_ids and use the shared matches_rule_ids(d, rule_ids) in both the exception and action-connector list comprehensions for kibana import-rules.

Result: Subset exports (e.g. --rule-id X -e -o out.ndjson) only include exception lists and action connectors whose metadata.rule_ids intersect the exported rules. Full-repo export still includes all exceptions/connectors that are linked to any exported rule (unchanged in practice when exporting all rules).

How To Test

  1. Export a single rule with exceptions (repo must have at least one rule that references an exception list):

    python -m detection_rules export-rules-from-repo --rule-id <rule-id> -e -o /tmp/single.ndjson
    • Open /tmp/single.ndjson: it should contain one rule object plus only exception list object(s) whose metadata.rule_ids (or equivalent in API format) include <rule-id>, not every exception list in the repo.
  2. Export with action connectors (if repo has rules that reference action connectors):

    python -m detection_rules export-rules-from-repo --rule-id <rule-id> -ac -o /tmp/single_ac.ndjson
    • Only action connectors linked to that rule should appear in the file.
  3. kibana import-rules unchanged: Run existing flows that use kibana import-rules (e.g. with -e / -ac) to confirm behavior is unchanged; they now call the shared matches_rule_ids instead of the removed local helper.

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation


@github-actions

Bug - Guidelines

These guidelines serve as a reminder set of considerations when addressing a bug in the code.

Documentation and Context

  • Provide detailed documentation (description, screenshots, reproducing the bug, etc.) of the bug if not already documented in an issue.
  • Include additional context or details about the problem.
  • Ensure the fix includes necessary updates to the release documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the bug fix or edge cases.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and detecting the bug fix (e.g., test logs, screenshots).
  • Validate that any rules affected by the bug are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the bug fix works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR patch, minor, major.

# Get exceptions in API format (only those linked to the exported rules)
if include_exceptions:
exceptions = [d.contents.to_api_format() for d in cl.items if isinstance(d.contents, TOMLExceptionContents)]
exceptions = [
Contributor


Since we repeat for TOMLActionConnectorContents, should we dedicate a method and yield results? Not sure if we expect to do this for other TOML... related types.

Contributor Author


This is a good idea, and probably something we should do, but I think that should be part of a more thorough re-work of the object handling, given some of the nuance of the different TOML... related types. Example: #5181 (comment)

@botelastic botelastic bot added the python Internal python for the repository label Feb 25, 2026

@Mikaayenson Mikaayenson left a comment


IINM, anyone who previously used import-rules-into-repo with Kibana API exports will have exception/action connector TOML files with Kibana internal ids in metadata.rule_ids instead of rule_id UUIDs. Those items won't match in scoped exports until re-imported. Worth a note in release docs.

GenericCollectionContentTypes = TOMLActionContents | TOMLActionConnectorContents | TOMLExceptionContents


def matches_rule_ids(item: GenericCollectionTypes, rule_ids: set[str]) -> bool:
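Review bot: the parameter type GenericCollectionTypes admits TOMLActionContents, but the helper reads metadata.rule_ids with a default of [] (per the PR summary), so an action item, whose metadata carries rule_id in the singular, can never match and is silently dropped instead of rejected. Narrow the annotation to the exception and action-connector contents types, or handle the singular rule_id explicitly, so the mismatch shows up as a type error rather than an empty result.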
Contributor


nit: This won't work on TomlAction since the Action has rule_id vs rule_ids. More of a type hinting issue atm but could cause an opaque bug in the future.

return callback


class GenericCollection:
Contributor


nit: the isinstance(...) and matches_rule_ids(...) pattern repeats 4 times across main.py and kbwrap.py. A small helper on GenericCollection would centralize it.

exception_list_rule_table[exception_id].append({"id": contents["id"], "name": contents["name"]})
exception_list_rule_table[exception_id].append(
{
"id": contents.get("rule_id") or contents.get("id"),
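Review bot: `contents.get("rule_id") or contents.get("id")` stores two different identifier spaces under the single key "id": the rule_id UUID when present, otherwise the Kibana internal id. Because scoped exports match on rule_id values, an entry built from the fallback looks valid but will never match a rule; add a comment stating which value is expected here, or log when the fallback is taken, so the case is visible rather than silent.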
Contributor


nit: This may be confusing interchanging id and rule_id and later from_exceptions_dict, rule["id"]. It's a bit cosmetic so we should over index, but it's worth a small comment in the code.


Labels

  • backport: auto
  • bug (Something isn't working)
  • detections-as-code
  • patch
  • python (Internal python for the repository)

Development

Successfully merging this pull request may close these issues.

[Bug] [DAC] The export-rules-from-repo command includes all exceptions/action connectors
