I think it would be very valuable to include a directory that loads the prebuilt SIEM rules_export.ndjson file in the Filebeat configuration. This way, if we need to change the default indices, we could modify the JSON as needed. Thoughts on this?
I don't understand what you are getting at, but anyhow. You should go and create an Enhancement Request in GitHub. Make sure you add [Filebeat] so it is labeled correctly.
I also don't understand what you're asking for. The built-in SIEM rules have nothing to do with Filebeat. The built-in rules are compiled into the Elasticsearch release, not Filebeat.