Account for CCS '::' index pattern (#4258)

(cherry picked from commit 04e1fc1)

detection_rules/beats.py

@@ -288,11 +288,11 @@ def parse_beats_from_index(index: Optional[list]) -> List[str]:
     """Parse beats schema types from index."""
     indexes = index or []
     beat_types = []
-    # Need to split on : to support cross-cluster search
+    # Need to split on : or :: to support cross-cluster search
     # e.g. mycluster:logs-* -> logs-*
     for index in indexes:
         if "beat-*" in index:
-            index_parts = index.split(':', 1)
+            index_parts = index.replace('::', ':').split(':', 1)
             last_part = index_parts[-1]
             beat_type = last_part.split("-")[0]
             beat_types.append(beat_type)

detection_rules/ecs.py

@@ -187,7 +187,7 @@ def get_custom_index_schema(index_name: str, stack_version: str = None):
     """Load custom schema."""
     custom_schemas = get_custom_schemas(stack_version)
     index_schema = custom_schemas.get(index_name, {})
-    ccs_schema = custom_schemas.get(index_name.split(":", 1)[-1], {})
+    ccs_schema = custom_schemas.get(index_name.replace('::', ':').split(":", 1)[-1], {})
     index_schema.update(ccs_schema)
     return index_schema
 
@@ -197,7 +197,7 @@ def get_index_schema(index_name):
     """Load non-ecs schema."""
     non_ecs_schema = get_non_ecs_schema()
     index_schema = non_ecs_schema.get(index_name, {})
-    ccs_schema = non_ecs_schema.get(index_name.split(":", 1)[-1], {})
+    ccs_schema = non_ecs_schema.get(index_name.replace('::', ':').split(":", 1)[-1], {})
     index_schema.update(ccs_schema)
     return index_schema
 

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "0.1.7"
+version = "0.2.0"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"