Hi, we are currently in the process of migrating off of our old SIEM and into elastic siem. We have created a bunch of detection rules already in Elastic but we still need to move over all the exceptions for those rules from our old SIEM and into Elastic. Over the years we've created a large amount of exceptions in our legacy SIEM and we want to avoid having to enter them all in manually. We're looking to try to write a script that will transfer all the exceptions from our old SIEM and into our Elastic SIEM, but I can't seem to find the index where the detections are stored in elastic.
My assumption is that elastic has some index that stores all the detections and within each detection entry there's a section that lists all the exceptions for that detection. Ideally I would like to be able to test adding an exception to an existing detection rule using just a simple POST or PUT request in Kibana's Dev Tools and if I can get that working then I could use the API to edit the detections in bulk. The only issue is I can't seem to find any documentation online regarding what index or API end point I would need to edit in order to add an exception to an existing detection rule.
If anyone has done something similar in the past and can tell me which index stores detection rule configs or can maybe point me to the documentation where I could find such a thing I would greatly appreciate it. This is all assuming that I am correct in guessing that these detections are stored in an index and could be edited with an API call - if that assumption is incorrect I would also appreciate knowing that!
Thanks in advance!