Include reference to prebuilt rules for SIEM

I think it would be very valuable to include a directory that loads the prebuilt SIEM rules_export.ndjson file in the Filebeat configuration. This way, if we need to change the default indices, we could modify the JSON as needed. Thoughts on this?

I don't understand what you are getting at, but anyhow. You should go and create an Enhancement Request in GitHub.

Make sure you add [Filebeat] so it is labeled correctly.

I also don't understand what you're asking for. The built-in SIEM rules have nothing to do with Filebeat. The built-in rules are compiled into the Elasticsearch release, not Filebeat.
