Is there a way to see which data sources and components are needed for a predefined rule to be triggered? Just like how MITRE ATT&CK shows which data sources/components are needed for a detection technique.
I am asking because it would give me visibility on where it would make sense to activate a rule, and where not, and/or what data sources I need to ingest for a particular rule.
Thank you for your time!
Hey there @Barbarossa
So starting here soon you'll be able to see the Required Fields and Related Integrations for the Prebuilt Security Detection Rules on the Rules Table & Rule Details page. While this feature will be ready starting in 8.3 (see this PR for more details), we still need to finish updating the prebuilt rules with this metadata, so stay tuned for an out-of-band rule update that'll start providing this data.
Hope this helps -- cheers!
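The answer above points at two pieces of rule metadata, Required Fields and Related Integrations, as the way to decide where a rule is worth enabling. As an added example that is not part of the thread and not Elastic's own code, the script below takes rule objects in the shape that metadata is assumed to take in the detection rule API (`required_fields` entries with `name`/`type`/`ecs`, `related_integrations` entries with `package`/`version`; these key names are assumptions here, not quoted from the thread) and compares them against a constructed inventory of ingested fields and installed integration packages. It reports which rules are ready to enable, which need a closer look because the fields exist but the declared integration does not, and which would never fire because a required field is not ingested at all.

```python
import re

# Constructed sample rules in the shape the detection rule API is assumed
# to return from 8.3 on (key names are assumptions, not from the thread).
SAMPLE_RULES = [
    {
        "name": "Constructed rule A: process activity",
        "required_fields": [
            {"name": "process.name", "type": "keyword", "ecs": True},
            {"name": "process.args", "type": "keyword", "ecs": True},
            {"name": "user.name", "type": "keyword", "ecs": True},
        ],
        "related_integrations": [{"package": "endpoint", "version": "^8.2.0"}],
    },
    {
        "name": "Constructed rule B: cloud audit event",
        "required_fields": [
            {"name": "event.action", "type": "keyword", "ecs": True},
            {"name": "aws.cloudtrail.user_identity.type", "type": "keyword", "ecs": False},
        ],
        "related_integrations": [
            {"package": "aws", "integration": "cloudtrail", "version": "^1.10.0"}
        ],
    },
    {
        "name": "Constructed rule C: no integration declared",
        "required_fields": [{"name": "event.category", "type": "keyword", "ecs": True}],
        "related_integrations": [],
    },
]

# Constructed inventory of what this environment actually ingests: the set of
# mapped/populated field names and the installed integration package versions.
INGESTED_FIELDS = {"process.name", "process.args", "user.name",
                   "event.category", "event.action"}
INSTALLED_PACKAGES = {"endpoint": "8.4.1", "aws": "0.9.3"}


def _parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.groups())


def version_satisfies(constraint, installed):
    """Minimal caret-range check: '^1.10.0' means >= 1.10.0 with the same major.
    Anything without a caret is treated as an exact version."""
    if constraint.startswith("^"):
        want = _parse_version(constraint[1:])
        have = _parse_version(installed)
        return have[0] == want[0] and have >= want
    return _parse_version(constraint) == _parse_version(installed)


def rule_coverage(rule, ingested_fields, installed_packages):
    """Compare one rule's declared needs against the inventory.

    status is 'ready' (fields and integrations present), 'check' (fields are
    ingested, but a declared integration is missing or too old, so the data may
    come from another source and should be verified) or 'not_ready' (at least
    one required field is never ingested, so the rule cannot fire)."""
    missing_fields = sorted(
        f["name"] for f in rule.get("required_fields", [])
        if f["name"] not in ingested_fields
    )
    missing_integrations = []
    for integration in rule.get("related_integrations", []):
        package = integration["package"]
        installed = installed_packages.get(package)
        if installed is None:
            missing_integrations.append(f"{package} (not installed)")
        elif not version_satisfies(integration["version"], installed):
            missing_integrations.append(
                f"{package} (have {installed}, need {integration['version']})")
    if missing_fields:
        status = "not_ready"
    elif missing_integrations:
        status = "check"
    else:
        status = "ready"
    return {"name": rule["name"], "status": status,
            "missing_fields": missing_fields,
            "missing_integrations": missing_integrations}


def coverage_report(rules, ingested_fields, installed_packages):
    """Run rule_coverage over every rule and return the list of results."""
    return [rule_coverage(r, ingested_fields, installed_packages) for r in rules]


if __name__ == "__main__":
    for result in coverage_report(SAMPLE_RULES, INGESTED_FIELDS, INSTALLED_PACKAGES):
        print(f"[{result['status']:>9}] {result['name']}")
        for item in result["missing_fields"]:
            print(f"             missing field: {item}")
        for item in result["missing_integrations"]:
            print(f"             integration:   {item}")
```

In a real deployment the two inventories would be pulled from the rule API and from the index mappings plus installed packages rather than typed in; the value of the check is the "not_ready" list, since a rule whose required field is never ingested is enabled noise that gives a false sense of coverage.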