in detection_rules/rule_validators.py [0:0]
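def validate(self, data: QueryRuleData, meta: RuleMeta, max_attempts: int = 10) -> None:
    """Validate the query's field names against the stack and integration schemas.

    Called from the parent rule contents object, which supplies the ``[metadata]``
    section as ``meta``. Syntax is checked separately through ``self.ast``; this
    method only performs schema (field-name) validation.

    Args:
        data: The rule's query data. Only validated when it is a ``QueryRuleData``
            whose language is not ``lucene``; anything else is accepted as-is.
        meta: Rule metadata. ``query_schema_validation is False`` or
            ``maturity == "deprecated"`` skips schema validation entirely.
        max_attempts: Upper bound on validate -> auto-add-field -> re-validate
            rounds when ``RULES_CONFIG.auto_gen_schema_file`` is enabled. A value
            below 1 means no validation round runs and the attempts error is raised.

    Raises:
        The error returned by ``validate_stack_combos``: when the stack check fails,
            no integrations are packaged, and the field cannot be auto-added.
        ValueError: when both the stack and integration checks fail and the field
            cannot be auto-added, or when ``max_attempts`` rounds are exhausted
            without a clean pass.
    """
    if meta.query_schema_validation is False or meta.maturity == "deprecated":
        # syntax only, which is done via self.ast
        return

    if not (isinstance(data, QueryRuleData) and data.language != 'lucene'):
        # Lucene queries (and non-query rule data) get no schema validation.
        return

    packages_manifest = load_integrations_manifests()
    package_integrations = TOMLRuleContents.get_packaged_integrations(data, meta, packages_manifest)

    for _ in range(max_attempts):
        # validate the query against fields within beats
        stack_error = self.validate_stack_combos(data, meta)

        integrations_error = None
        if package_integrations:
            # validate the query against related integration fields
            integrations_error = self.validate_integration(data, meta, package_integrations)

        if stack_error and not package_integrations:
            if stack_error.error_msg == "Unknown field" and RULES_CONFIG.auto_gen_schema_file:
                # Auto-add the field, then go round the loop again so the stack check
                # is actually re-run against the updated schema. (Previously the flow
                # fell through to the final `break` and the rule passed after adding
                # only the first unknown field, without re-validating.)
                # NOTE(review): assumes data.index_or_dataview is non-empty — confirm.
                self.auto_add_field(stack_error, data.index_or_dataview[0])
                continue
            raise stack_error

        if stack_error and integrations_error:
            if stack_error.error_msg == "Unknown field" and RULES_CONFIG.auto_gen_schema_file:
                # auto add the field and re-validate on the next iteration
                self.auto_add_field(stack_error, data.index_or_dataview[0])
                continue
            click.echo(f"Stack Error Trace: {stack_error}")
            click.echo(f"Integrations Error Trace: {integrations_error}")
            raise ValueError("Error in both stack and integrations checks")

        # Either everything passed, or only the integrations check failed while the
        # stack check passed. The latter is accepted here exactly as in the original
        # control flow — NOTE(review): confirm that tolerating integration-only
        # schema failures is intentional.
        break
    else:
        raise ValueError(f"Maximum validation attempts exceeded for {data.rule_id} - {data.name}")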