in cortado/rules.py [0:0]
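def normalize_rule(rule_body: dict[str, Any], rule_path: Path) -> Rule:
    """Build a `Rule` from a parsed rule document.

    The document must carry a `rule` table holding an ID (`uuid` or
    `rule_id`) and a `name`. `type` falls back to ``"endpoint"`` when missing,
    and `language` is optional.

    Args:
        rule_body: The parsed rule document (top-level mapping).
        rule_path: Location of the rule file; stored on the result unchanged.

    Returns:
        A `Rule` populated from the `rule`, `metadata` and `internal` tables.

    Raises:
        ValueError: If the `rule` table is missing or not a mapping, if the
            rule ID or name is missing, or if `metadata` / `internal` is
            present but is not a mapping.
    """
    rule = rule_body.get("rule")
    if not rule:
        raise ValueError("No `rule` block found in the rule body")
    if not isinstance(rule, dict):
        raise ValueError("Unknown value for `rule` in the rule body")

    # `rule_id` in `detection-rules`
    # `uuid` in `endpoint-rules`
    # A rule without `rule_id` is classified as an endpoint rule.
    is_endpoint_rule = rule.get("rule_id") is None  # type: ignore
    rule_id: str | None = rule.get("uuid") or rule.get("rule_id")  # type: ignore
    if not rule_id:
        raise ValueError("Rule ID is not found in `rule` block in the rule body")

    rule_type = rule.get("type")  # type: ignore
    if not rule_type:
        log.debug("Rule type is not found in `rule` block in the rule body, assuming `endpoint`")
        rule_type = "endpoint"

    name = rule.get("name")  # type: ignore
    if not name:
        raise ValueError("Rule name is not found in `rule` block in the rule body")

    # NOTE(review): ID, name and type are checked for truthiness only, not for
    # being strings -- confirm that consumers of `Rule` tolerate other types.

    # Rule files are external input: a `metadata` or `internal` key that is
    # present but not a table must fail with the same ValueError as the other
    # malformed-rule cases, instead of an AttributeError on `.get`.
    metadata = rule_body.get("metadata")
    if metadata is None:
        metadata = {}
    elif not isinstance(metadata, dict):
        raise ValueError("Unknown value for `metadata` in the rule body")

    internal = rule_body.get("internal")
    if internal is None:
        internal = {}
    elif not isinstance(internal, dict):
        raise ValueError("Unknown value for `internal` in the rule body")

    # Maturity is only set in the rules in `detection-rules` repo
    maturity = metadata.get("maturity")
    # Release labels are only set in the rules in `endpoint-rules` repo
    releases = internal.get("release")

    return Rule(
        id=rule_id,  # type: ignore
        name=name,  # type: ignore
        rule=rule,  # type: ignore
        type=rule_type,  # type: ignore
        # Note, some rules do not have `language` specified, like machine learning jobs.
        language=rule.get("language"),  # type: ignore
        path=rule_path,
        maturity=maturity,
        releases=releases or [],
        is_endpoint_rule=is_endpoint_rule,
    )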