Import rules from public detection rules repo

Hi
I want to import new rules from the repo, but the rules' format is JSON or TOML and the SIEM only accepts NDJSON files. Should I manually convert them? Is there a tool you recommend?

Hi @bornatalebi, thanks for posting. I'd recommend using Node to convert the files. There is a nice recursive solution posted in this gist.


Hello @bornatalebi,

We have a workflow for this, but it goes the other way. Instead, you push rules into Kibana using the kibana-upload command. There are some "use at your own risk" disclaimers, and we still recommend waiting for stack releases to get the latest, production-ready rules. But if you want to live on the edge and use the repository, check out the CLI guide.

