Description
Describe the Bug
A customer reported that on Elastic Stack 8.18 there is a discrepancy between the rules exported with kibana export-rules -cro
and the custom rules that are shown in the UI.
While using the export-rules command to only export custom rules, we are seeing a discrepancy in the number of rules being exported as compared to the number of rules we can see in the UI. We have 236 custom rules as per the UI.
Command we use - python -m detection_rules kibana --ignore-ssl-errors true export-rules -d 'custom-rules/rules' -s -sv -nt -cro
Output -
130 results exported
58 rules converted
0 exceptions exported
0 action connectors exported
58 rules saved to custom-rules/rules
72 errors saved to custom-rules/rules/_errors.txt
It is worth noting that without the custom rules filter, all of the custom rules and pre-built rules are exported correctly. Also, as I have noted in the draft PR, the content returned from the API changes based on whether or not a query is supplied, leading to a small logging typo that is addressed in the PR. It is possible that there is an issue with Kibana's handling of the request. This is generally unclear.
To Reproduce
This is difficult to reproduce. Originally, I thought there might be a difference between 9.0 and 8.18 for the internal indexes used and that the filter alert.attributes.params.ruleSource.type: "internal" but, based on some initial testing that I did in an 8.18 stack, this filter appears to work.
I expect that the issue is related to the filter query supplied to the bulk actions API from the detection rules repo, or an issue with the API endpoint itself and what it returns. The first step in addressing this should be to reproduce and isolate the issue, as it is unclear.
Expected Behavior
No response
Screenshots
No response
Desktop - OS
None
Desktop - Version
No response
Additional Context
Elastic stack version 8.18.1
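A small diagnostic for isolating where the 130-vs-236 gap appears, added here as an example and not code from the detection-rules project: it pages through the rules _find API with the custom-rules filter named above, exports through the bulk actions API with that same filter as its query, and diffs the two id sets, so a mismatch in the API response can be separated from conversion errors in the CLI. The Kibana URL and API key are placeholders; the endpoint paths, the perPage/total fields of the _find response and the trailing export summary line are assumptions about Kibana's detection engine API, and the sample export body is constructed.

```python
import json
import urllib.request
from urllib.parse import quote
KIBANA_URL = "https://kibana.example.invalid:5601"  # placeholder (assumption)
API_KEY = "<api-key-placeholder>"                    # placeholder (assumption)
CUSTOM_FILTER = 'alert.attributes.params.ruleSource.type: "internal"'  # from the issue

def kibana_request(method, path, body=None):
    """Minimal Kibana API call over urllib with ApiKey auth (assumed setup)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(KIBANA_URL + path, data=data, method=method)
    req.add_header("kbn-xsrf", "true")
    req.add_header("Authorization", f"ApiKey {API_KEY}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

def find_rule_ids(filter_kql, fetch=kibana_request):
    """Page through rules/_find with the KQL filter; return the ids it reports."""
    ids, page = set(), 1
    while True:
        body = json.loads(fetch("GET", "/api/detection_engine/rules/_find"
                                f"?page={page}&per_page=100&filter={quote(filter_kql)}"))
        ids.update(rule["id"] for rule in body["data"])
        if page * body["perPage"] >= body["total"]:  # assumed response fields
            return ids
        page += 1

def parse_export(ndjson_text):
    """Split a _bulk_action export body into (rule ids, trailing summary dict)."""
    rows = [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]
    summary = rows[-1] if rows and "exported_count" in rows[-1] else {}
    return {row["id"] for row in rows if "rule_id" in row}, summary  # connectors lack rule_id

def export_rule_ids(filter_kql, fetch=kibana_request):
    """Export with the same query the CLI sends to the bulk actions API."""
    return parse_export(fetch("POST", "/api/detection_engine/rules/_bulk_action",
                              {"action": "export", "query": filter_kql}))

def diff_rule_sets(found, exported):
    """Ids that _find reports but the export lacks, and the reverse."""
    return {"missing_from_export": sorted(found - exported),
            "only_in_export": sorted(exported - found)}

# Constructed sample export body: two rules, one action connector, summary line.
SAMPLE_EXPORT = "\n".join(json.dumps(row) for row in [
    {"id": "r-1", "rule_id": "a", "type": "query", "name": "one"},
    {"id": "r-2", "rule_id": "b", "type": "eql", "name": "two"},
    {"id": "c-1", "type": "action", "attributes": {"actionTypeId": ".slack"}},
    {"exported_count": 2, "exported_rules_count": 2, "missing_rules_count": 0}])
```

Against a live stack, compare len(find_rule_ids(CUSTOM_FILTER)) with the exported_rules_count from export_rule_ids(CUSTOM_FILTER) and print diff_rule_sets of the two id sets; any ids listed under missing_from_export point at the API rather than at the 72 conversion errors in _errors.txt.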