Is there a way to see which data sources and components are needed for a predefined rule to be triggered? Just like how MITRE ATT&CK shows which data sources/components are needed for a detection technique.
I am asking because it would give me visibility on where it would make sense to activate a rule, and where not, and/or what data sources I need to ingest for a particular rule.
So starting here soon you'll be able to see the Required Fields and Related Integrations for the Prebuilt Security Detection Rules on the Rules Table & Rule Details page. While this feature will be ready starting in 8.3 (see this PR for more details), we still need to finish updating the prebuilt rules with this metadata, so stay tuned for an out-of-band rule update that'll start providing this data.
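To show how that metadata answers the original question ("which data sources do I need before enabling this rule?"), here is an added example; it is not code from the post above or from Elastic. It assumes the rule metadata shape (`required_fields` entries with `name`/`type`/`ecs`, `related_integrations` entries with `package`/`version`), modelled on the public detection-rules schema; the rule, the index field list and the installed-integration set are constructed sample data.

```python
"""Check a prebuilt rule's required fields and related integrations against
what an index and Fleet actually provide, to decide whether enabling the
rule makes sense. Added example; metadata shape is an assumption."""

# Constructed rule metadata in the assumed shape.
SAMPLE_RULE = {
    "name": "Example: Suspicious PowerShell Child Process",
    "related_integrations": [
        {"package": "endpoint", "version": "^8.2.0"},
        {"package": "windows", "version": "^1.5.0"},
    ],
    "required_fields": [
        {"name": "event.category", "type": "keyword", "ecs": True},
        {"name": "process.name", "type": "keyword", "ecs": True},
        {"name": "process.parent.name", "type": "keyword", "ecs": True},
        {"name": "process.args", "type": "keyword", "ecs": True},
    ],
}

# Constructed, flattened view of an index mapping (field name -> type),
# the kind of data the field-capabilities API would return.
SAMPLE_INDEX_FIELDS = {
    "@timestamp": "date",
    "event.category": "keyword",
    "process.name": "keyword",
    "process.parent.name": "keyword",
    "process.args": "text",  # mapped as text instead of keyword
}

# Constructed set of integration packages installed in Fleet.
SAMPLE_INSTALLED = {"endpoint"}


def missing_fields(rule, index_fields):
    """Return (field, reason) for required fields the index lacks or
    maps with a type different from what the rule expects."""
    problems = []
    for field in rule["required_fields"]:
        actual = index_fields.get(field["name"])
        if actual is None:
            problems.append((field["name"], "missing"))
        elif actual != field["type"]:
            problems.append((field["name"], f"type {actual} != {field['type']}"))
    return problems


def missing_integrations(rule, installed):
    """Return related integration packages that are not installed."""
    return sorted(
        i["package"] for i in rule["related_integrations"]
        if i["package"] not in installed
    )


def rule_readiness(rule, index_fields, installed):
    """Summarise whether the rule can be enabled against this data.
    A rule is 'ready' when every required field is present with the
    expected type; missing integrations are reported as advisory."""
    fields = missing_fields(rule, index_fields)
    return {
        "rule": rule["name"],
        "ready": not fields,
        "field_problems": fields,
        "missing_integrations": missing_integrations(rule, installed),
    }


if __name__ == "__main__":
    print(rule_readiness(SAMPLE_RULE, SAMPLE_INDEX_FIELDS, SAMPLE_INSTALLED))
```

Run against a real deployment, the field list would come from the field-capabilities API for the rule's index patterns and the installed set from Fleet; the comparison logic stays the same, and a type mismatch (here `process.args` mapped as `text`) is flagged because the rule's query would not behave as written.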