[FR] Allow Addition of Custom Indices to Pre-Built Security Detection Rules #153745
Labels
💝community
enhancement (New value added to drive a business result)
Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules)
Team:Detection Rule Management (Security Detection Rule Management Team)
Team:Detections and Resp (Security Detection Response Team)
Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
Is your feature request related to a problem? Please describe.
I am sure we are not the only customers with custom data sources from things like DLP or DAG, but we often want to include those indices in some of the pre-built Security Detection Rules. This is currently only possible by executing a PATCH kbn:/api/detection_engine/rules ... command, but the unfortunate thing is, every time a rule is updated, those custom indices we added are removed. I used to clone pre-built Detection Rules and modify those cloned rules, but we then miss out on any updates to logic, etc. that are applied to the originals.
Describe the solution you'd like
Aside from adding Exceptions, the only other configurable options on a pre-built Detection Rule are for defining Actions. I would like to see a way to append custom indices to the list of indices that are predefined in the rule. These indices that are appended should not be overwritten when rules are updated.
Describe alternatives you've considered
None. I just have to remember to go through and PATCH all the rules we previously modified any time rules are updated. This is quite a lot of manual work.
Additional context
None
If this would be better suited in the Kibana repo, let me know, and I will move it there.
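The workaround the reporter describes, re-PATCHing the index list of every modified pre-built rule after each rule update, can be scripted against the Detection Engine API so nothing is forgotten. The script below is an added example, not code from the issue or from Kibana. It assumes the documented endpoints GET /api/detection_engine/rules?rule_id=... and PATCH /api/detection_engine/rules (with the kbn-xsrf header and an API key), and it keys on the rule's rule_id rather than its saved-object id because rule_id is the identifier that stays stable across pre-built rule updates. The rule ids and index patterns in CUSTOM_INDICES are constructed placeholders. Because PATCH replaces the whole index array, the script reads the current list first and only appends what is missing, so a rule update that restored the original patterns gets the custom ones back without dropping anything.

```python
"""Re-apply custom indices to Elastic pre-built detection rules after an update.

Added example, not part of the issue or of Kibana. Assumes the Detection Engine
API endpoints GET /api/detection_engine/rules?rule_id=... and
PATCH /api/detection_engine/rules with a JSON body of {"rule_id": ..., "index": [...]}.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Dict, List, Optional

# Constructed sample mapping: pre-built rule (by rule_id) -> extra index patterns
# it should also search. These rule_ids and patterns are placeholders, not real ones.
CUSTOM_INDICES: Dict[str, List[str]] = {
    "00000000-0000-0000-0000-000000000001": ["logs-dlp-*"],
    "00000000-0000-0000-0000-000000000002": ["logs-dlp-*", "logs-dag-*"],
}


def merge_indices(existing: List[str], extra: List[str]) -> List[str]:
    """Return existing plus any extra patterns not already present, order preserved."""
    merged = list(existing)
    seen = set(existing)
    for pattern in extra:
        if pattern not in seen:
            merged.append(pattern)
            seen.add(pattern)
    return merged


def build_patch(rule: dict, extra: List[str]) -> Optional[dict]:
    """Build the PATCH body for one rule, or None if the rule already has every pattern.

    PATCH replaces the whole index array, so the body must carry the full merged list,
    never just the custom additions.
    """
    current = list(rule.get("index", []))
    merged = merge_indices(current, extra)
    if merged == current:
        return None
    return {"rule_id": rule["rule_id"], "index": merged}


class KibanaClient:
    """Minimal stdlib-only client for the two Detection Engine calls this script needs."""

    def __init__(self, base_url: str, api_key: str):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key

    def _request(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("kbn-xsrf", "true")  # required by Kibana for non-GET requests
        req.add_header("Authorization", "ApiKey " + self.api_key)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def get_rule(self, rule_id: str) -> dict:
        return self._request("GET", "/api/detection_engine/rules?rule_id=" + urllib.parse.quote(rule_id))

    def patch_rule(self, body: dict) -> dict:
        return self._request("PATCH", "/api/detection_engine/rules", body)


def reapply(client, custom: Dict[str, List[str]] = CUSTOM_INDICES) -> List[str]:
    """Fetch each rule, append its custom indices, PATCH only when something is missing.

    Returns the rule_ids that were actually patched, so a run after a rule update
    shows exactly which rules had their custom indices stripped.
    """
    patched: List[str] = []
    for rule_id, extra in custom.items():
        rule = client.get_rule(rule_id)
        body = build_patch(rule, extra)
        if body is not None:
            client.patch_rule(body)
            patched.append(rule_id)
    return patched


if __name__ == "__main__":
    # KIBANA_URL and KIBANA_API_KEY are assumed environment variables for this example.
    kibana = KibanaClient(os.environ["KIBANA_URL"], os.environ["KIBANA_API_KEY"])
    for rid in reapply(kibana):
        print("re-applied custom indices to", rid)
```

Run it once after every pre-built rule update; rules whose index list already contains the custom patterns are left untouched, so it is safe to run on a schedule.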