Is your feature request related to a problem? Please describe.
We should be able to upload rules from this repository directly to the detection engine without needing to wait for the next release. This command will help users that want to try rules out without upgrading their stack, and
Describe the solution you'd like
We should have a simple command to do this. Give it the path to the TOML (or a rule ID, not sure which is better) and take any additional arguments needed to communicate with the stack.
There are a few edge cases to consider and make sure we handle well:
what if the rule already exists in the detection engine?
  we should show an error, and return a non-zero exit code
what if a rule doesn't work with that version of Kibana?
  we might need to add more information to [metadata], such as the minimum stack version. Or we assume that the API validation will handle this correctly
what if we upload a rule as a custom rule, then later it retrieves the same rule from a stack update?
  will the rule uuid clash? will things break? do we raise an error message?
Describe alternatives you've considered
N/A
Additional context
Just #17. Meta issue coming soon
We should have a simple command to do this. Give it the path to the TOML (or a rule ID, not sure which is better) and take any additional arguments needed to communicate with the stack.
ID is much simpler, but the biggest issue here is we would need to load and parse all the files first in order to do this.
what if the rule already exists in the detection engine?
what if we upload a rule as a custom rule, then later it retrieves the same rule from a stack update?
We should dynamically generate a random UUID anyway for these cases. Then we could do something crafty like pass the original rule_id to the notes like original_rule_id = <rule_id> to reference back to a rule.
version also doesn't exist within the rule, so we would need to insert that.
It might also be nice to have the inverse workflow as well, where a user could retrieve a custom rule, load it into a Rule object for validation, and then save/process it.
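A sketch of how the upload command discussed in this thread could be put together, as an added example rather than code from the detection-rules project: it loads a rule TOML, swaps in a random uuid4 so a later stack update shipping the same prebuilt rule cannot clash on rule_id, records the original id in the note field as `original_rule_id = <id>`, inserts the missing `version`, and turns an "already exists" answer into an error and a non-zero exit code. The sample rule is constructed, the tiny TOML loader only covers the flat subset the sample uses (a real command would use a TOML library), and the endpoint path, the `kbn-xsrf` header, basic auth and the HTTP 409 conflict response are assumptions about the Kibana detection engine API, not facts stated in the issue.

```python
"""Added example of the upload command; not the detection-rules project's own code."""
import base64
import json
import sys
import urllib.error
import urllib.request
import uuid

# Constructed sample in the repository's [metadata]/[rule] TOML layout; values are made up.
SAMPLE_RULE_TOML = """
[metadata]
creation_date = "2020/02/18"
maturity = "production"

[rule]
rule_id = "11111111-2222-4333-8444-555555555555"
name = "Example Rule"
description = "Constructed rule for the upload example"
type = "query"
language = "kuery"
index = ["winlogbeat-*"]
query = 'process.name:whoami.exe'
risk_score = 21
severity = "low"
"""


def _parse_value(raw):
    """Value forms used by the sample: quoted strings, integers, booleans, string arrays."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        return [_parse_value(part) for part in raw[1:-1].split(",") if part.strip()]
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw)


def parse_rule_toml(text):
    """Minimal loader for the flat TOML subset above; stand-in for a real TOML library."""
    tables, current = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = tables.setdefault(line[1:-1], {})
            continue
        key, _, raw = line.partition("=")
        current[key.strip()] = _parse_value(raw)
    return tables


def prepare_custom_rule(rule_doc, version=1, new_rule_id=None):
    """Build the create-rule payload: fresh uuid4 (assumed), original id kept in `note`,
    `version` inserted because the repository TOML carries none."""
    rule = dict(rule_doc["rule"])
    original_id = rule["rule_id"]
    rule["rule_id"] = new_rule_id or str(uuid.uuid4())
    marker = f"original_rule_id = {original_id}"
    rule["note"] = f"{marker}\n\n{rule['note']}" if rule.get("note") else marker
    rule.setdefault("version", version)
    return rule


class RuleExistsError(Exception):
    """The detection engine already holds a rule with this rule_id."""


def upload_rule(payload, post):
    """POST via `post(path, headers, body) -> (status, text)`; endpoint and 409 are assumed."""
    headers = {"kbn-xsrf": "true", "Content-Type": "application/json"}
    status, text = post("/api/detection_engine/rules", headers, json.dumps(payload))
    if status == 409:
        raise RuleExistsError(f"rule_id {payload['rule_id']} already exists: {text}")
    if status != 200:
        raise RuntimeError(f"upload failed with HTTP {status}: {text}")
    return json.loads(text) if text else {}


def kibana_post(base_url, user, password):
    """Real transport: urllib with basic auth, returning (status, body) even on 4xx."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def post(path, headers, body):
        req = urllib.request.Request(base_url.rstrip("/") + path, data=body.encode(),
                                     headers={**headers, "Authorization": f"Basic {token}"},
                                     method="POST")
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return post


def run(toml_text, post, version=1):
    """Command body; returns the exit code: 0 on success, 1 if the rule already exists."""
    payload = prepare_custom_rule(parse_rule_toml(toml_text), version=version)
    try:
        created = upload_rule(payload, post)
    except RuleExistsError as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1
    print(f"uploaded custom rule {payload['rule_id']} (engine id {created.get('id', '?')})")
    return 0


if __name__ == "__main__":  # hypothetical CLI: upload_rule.py RULE.toml KIBANA_URL USER PASSWORD
    path, base_url, user, password = sys.argv[1:5]
    with open(path, encoding="utf-8") as fh:
        sys.exit(run(fh.read(), kibana_post(base_url, user, password)))
```

Because the uploaded rule_id is random, the "already exists" path is only hit when the same prepared payload is sent twice; the `original_rule_id` marker in `note` is what a later "which repository rule did this come from" lookup would key on.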
The ability to update without updating the stack to the latest version would be very useful.
Also having something to help identify rules that already exist: we often duplicate rules and modify them for our needs, and knowing that a rule has been updated would help us keep them up to date with our changes.
One of the modifications is that we lowercase a lot of fields via logstash to remove the case sensitivity. Many of the rules that use folders are uppercase/lowercase. We may also be adding exclusions etc.