Import rules from public detection rules repo

I want to import new rules from the repo, but the rules' format is JSON or TOML, while SIEM only accepts ndjson files. Should I manually convert them? Is there a tool you recommend?

Hi @bornatalebi, thanks for posting. I'd recommend using Node to convert the files. There is a nice recursive solution posted on this gist.


Hello @bornatalebi,

We have a workflow for this, but it goes the other way. Instead, you push rules into Kibana using the kibana-upload command. There are some "use at your own risk" disclaimers, and we still recommend waiting for stack releases to get the latest, production-ready rules. But if you want to live on the edge and use the repository, check out the CLI guide.
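For the conversion the question asks about, here is an added example script; it is not from the thread, from the gist mentioned above, or from the detection-rules CLI. It is written in Python rather than Node so that the TOML parser is the standard library's tomllib (3.11+, with the tomli package as a fallback on older interpreters). It assumes that the repository's TOML rules keep the rule body under a [rule] table next to a [metadata] table, as the files in elastic/detection-rules do, and that .json files are already flat rule objects. The sample rules it writes to a temporary directory are constructed for the demo, including the placeholder rule_id values; a file that fails to parse or has no rule_id is reported rather than silently written into the ndjson.

```python
"""Recursively convert .toml / .json rule files into one ndjson file for SIEM import."""
import json
import os
import tempfile

try:
    import tomllib  # standard library on Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib

RULE_EXTENSIONS = (".toml", ".json")


def load_rule(path):
    """Parse one rule file into a flat rule dict.

    Assumption: TOML rules nest the body under a [rule] table next to a
    [metadata] table (the detection-rules layout); JSON files are already flat.
    """
    with open(path, "rb") as fh:
        if path.endswith(".toml"):
            doc = tomllib.load(fh)
            return doc.get("rule", doc)
        return json.load(fh)


def find_rule_files(root):
    """Walk root recursively and yield every rule file, in a stable order."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.endswith(RULE_EXTENSIONS):
                yield os.path.join(dirpath, name)


def convert_to_ndjson(root, out_path):
    """Write one JSON object per line to out_path.

    Returns (number of rules written, list of (path, reason) that were skipped).
    """
    written = 0
    skipped = []
    with open(out_path, "w", encoding="utf-8") as out:
        for path in find_rule_files(root):
            try:
                rule = load_rule(path)
            except (tomllib.TOMLDecodeError, json.JSONDecodeError) as exc:
                skipped.append((path, f"parse error: {exc}"))
                continue
            if not isinstance(rule, dict) or "rule_id" not in rule:
                skipped.append((path, "no rule_id field"))
                continue
            # compact separators keep each rule on exactly one line
            out.write(json.dumps(rule, separators=(",", ":")) + "\n")
            written += 1
    return written, skipped


# Constructed sample inputs (not real rules); rule_id values are placeholders.
SAMPLE_TOML = """\
[metadata]
creation_date = "2024/01/01"

[rule]
name = "Example: suspicious process (constructed)"
rule_id = "11111111-2222-3333-4444-555555555555"
type = "query"
language = "kuery"
query = "event.category:process and process.name:example.exe"
risk_score = 21
severity = "low"
"""

SAMPLE_JSON = {
    "name": "Example: exported rule (constructed)",
    "rule_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "type": "query",
    "language": "kuery",
    "query": "event.category:network and destination.port:4444",
    "risk_score": 47,
    "severity": "medium",
}


def demo():
    """Build a small rule tree in a temp dir, convert it, and return the parsed result."""
    with tempfile.TemporaryDirectory() as tmp:
        rules_dir = os.path.join(tmp, "rules")
        os.makedirs(os.path.join(rules_dir, "windows"))
        with open(os.path.join(rules_dir, "exported.json"), "w", encoding="utf-8") as fh:
            json.dump(SAMPLE_JSON, fh)
        with open(os.path.join(rules_dir, "windows", "sample.toml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TOML)
        with open(os.path.join(rules_dir, "broken.toml"), "w", encoding="utf-8") as fh:
            fh.write("not = [valid\n")  # deliberately malformed
        out_path = os.path.join(tmp, "rules.ndjson")
        written, skipped = convert_to_ndjson(rules_dir, out_path)
        with open(out_path, encoding="utf-8") as fh:
            rules = [json.loads(line) for line in fh.read().splitlines()]
    return written, skipped, rules


if __name__ == "__main__":
    n, bad, parsed = demo()
    print(f"wrote {n} rules; skipped {len(bad)}")
    for path, reason in bad:
        print(f"  skipped {path}: {reason}")
```

Point the script at a checkout's rules directory and import the resulting file through the SIEM rules page; the skipped list is worth reading before you import, since a rule file the repository considers valid but that lacks rule_id will not be accepted as an import either.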

