[FR] Add command to upload a rule from TOML to Kibana #48
Comments
ID is much simpler but the biggest issue here is we would need to load and parse all the files first in order to do this
We should dynamically generate a random UUID anyway for these cases. Then we could do something crafty like pass the original
It might also be nice to have the inverse workflow as well, where a user could retrieve a custom rule, load it into a |
|
The ability to update without updating the stack to the latest version would be very useful. Also having something to help identify rules that already exist, we often duplicate rules and modify for our needs, knowing that a rule has been updated would help us keep them upto date with our changes. One of the modifications is that we lowercase alot of fields via logstash to remove the case sensitivity. Many of the rules that use folders are uppercase/lowercase. We may also be adding exclusions etc |
Is your feature request related to a problem? Please describe.
We should be able to upload rules from this repository directly to the detection engine without needing to wait for the next release. This command will help users that want to try rules out without upgrading their stack, and
Related to #17
Describe the solution you'd like
We should have a simple command to do this. Give it the path to the TOML (or a rule ID, not sure which is better) and take any additional arguments needed to communicate with the stack.
There are a few edge cases to consider, and make sure we handle well:
we should show an error, and return a non-zero exit code
we might need to add more information to
[metadata], such as the minimum stack version. or we assume that the API validation will handle this correctlywill the rule uuid clash? will things break? do we raise an error message?
Describe alternatives you've considered
N/A
Additional context
Just #17. Meta issue coming soon
The text was updated successfully, but these errors were encountered: