[FR] Allow Addition of Custom Indices to Pre-Built Security Detection Rules #153745
Comments
|
Hey @MakoWish, thanks a lot for your feedback. You're right that this has been a major problem for many Security users. The good news is: we're working on addressing it. You can find some information in this issue and this document. This is work in progress right now. The use case with appending custom indices to rules, including CCS indices, is going to be addressed. |
banderror
added
Team:Detections and Resp
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
I see the |
|
@MakoWish No, this feature is not implemented in |
Is your feature request related to a problem? Please describe.
I am sure we are not the only customers with custom data sources from things like DLP or DAG, but we often want to include those indices into some of the pre-built Security Detection Rules. This is currently only possible by executing a
PATCH kbn:/api/detection_engine/rules ...command, but the unfortunate thing is, every time a rule is updated, those custom indices we added are removed. I used to clone pre-built Detection Rules, and modify those cloned rules, but we then miss out on any updates to logic, etc. that are applied to the originals.Describe the solution you'd like
Aside from adding Exceptions, the only other configurable options on a pre-built Detection Rule are for defining Actions. I would like to see a way to append custom indices to the list of indices that are predefined in the rule. These indices that are appended should not be overwritten when rules are updated.
Describe alternatives you've considered
None. I just have to remember to go through and
PATCHall the rules we previously modified any time rules are updated. This is quite a lot of manual work.Additional context
None
If this would be better suited in the Kibana repo, let me know, and I will move it there.
The text was updated successfully, but these errors were encountered: