I see there is a https://github.com/elastic/detection-rules. It seems like when I installed Endpoint Security and did generate rules it created a lot of the rules. Yeah some are still missing. Is there a way to get the lists synched up instead of cloning the repo and then one by one importing into Kibana the rules? If we have to download the files is there a command to just mass upload them or would that create overlapping duplicate rules?
Hello, it sounds like getting all the rules that have merged in detection-rules uploaded en masse is one of your objectives. Fortunately the detection-rules CLI offers a way to import a directory of rules, described here. Use the import-rules method with the "-d" flag, and note that we occasionally merge rules which require features released in an upcoming GA build. If you're importing rules from main this is less likely to occur, generally speaking.
I think I am doing something wrong. I would like to get the files into kibana as rules. When I look over the documentation it says -d for import_rules but doesn't include any information about elastic or kibana. That is under the upload_rules which doesn't have the -d options. So at this point I have done a git-clone have the files all set from the detection rules git page. I did the pip install requirements. Now I would like all the rules to be brought up into Kibana.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.