in detection_rules/utils.py [0:0]
def load_rule_contents(rule_file: Path, single_only=False) -> list:
"""Load a rule file from multiple formats."""
_, extension = os.path.splitext(rule_file)
raw_text = rule_file.read_text()
if extension in ('.ndjson', '.jsonl'):
# kibana exported rule object is ndjson with the export metadata on the last line
contents = [json.loads(line) for line in raw_text.splitlines()]
if len(contents) > 1 and 'exported_count' in contents[-1]:
contents.pop(-1)
if single_only and len(contents) > 1:
raise ValueError('Multiple rules not allowed')
return contents or [{}]
elif extension == '.toml':
rule = pytoml.loads(raw_text)
elif extension.lower() in ('yaml', 'yml'):
rule = load_dump(str(rule_file))
else:
return []
if isinstance(rule, dict):
return [rule]
elif isinstance(rule, list):
return rule
else:
raise ValueError(f"Expected a list or dictionary in {rule_file}")