Prebuilt Security Detection Rules in policy or just install assets?

I do not see it documented anywhere but my assumption is the "Prebuilt Security Detection Rules" integration is there so we can install the assets in Elasticsearch and not actually add this integration to policies?

Can someone tell me if this should be added to policies and why?

Heya @ARDiver86, that's a great question; let me try to resolve the confusion.

TL;DR: you don't need to add the "Prebuilt Security Detection Rules" integration to any agent policies; it's only used for shipping assets (in this case, prebuilt detection rules).

Prebuilt detection rules that you can install in Security Solution are developed on GitHub in elastic/detection-rules (Rules for Elastic Security's detection engine). As part of their release process, a few times per Kibana release Elastic packages them into a "Prebuilt Security Detection Rules" Fleet package and publishes it to the official Elastic Package Registry. Once that happens, the updated rules become available in Fleet/Integrations as the "Prebuilt Security Detection Rules" integration.

A few details about it:

  • You can install, uninstall, or update this package and its assets manually from the corresponding page in Integrations
  • We install and update it to the latest version automatically once a user visits the Rules page in Security Solution. Users don't have to manually do it.
  • Adding this integration to an agent policy doesn't make sense, but shouldn't break anything either.

Let me know if this clears it up.

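Since the package is installed and updated behind the scenes when someone opens the Rules page, a practitioner may still want a way to confirm from outside the UI that the shipped rules are actually installed and current. The script below is an added example, not code from this thread or from Elastic; it assumes the Kibana detection engine endpoint `GET /api/detection_engine/rules/prepackaged/_status`, whose JSON body carries counters such as `rules_installed`, `rules_not_installed` and `rules_not_updated` (confirm the endpoint against your Kibana version's API reference). Run with no arguments it evaluates a constructed sample response offline; given a Kibana URL and API key it queries a live instance.

```python
"""Check whether Elastic prebuilt detection rules are installed and up to date.

Added example (not from the discuss thread). Assumes the Kibana endpoint
GET /api/detection_engine/rules/prepackaged/_status and its counter fields.
"""
import json
import sys
import urllib.request

# Constructed sample of the status endpoint's JSON body, not captured from a live cluster.
SAMPLE_STATUS = {
    "rules_custom_installed": 12,
    "rules_installed": 1040,
    "rules_not_installed": 3,
    "rules_not_updated": 27,
    "timelines_installed": 5,
    "timelines_not_installed": 0,
    "timelines_not_updated": 1,
}


def fetch_status(kibana_url: str, api_key: str, timeout: int = 10) -> dict:
    """Query the prepackaged-rules status endpoint of a live Kibana.

    kbn-xsrf is required by Kibana on state-changing requests and is harmless on GET,
    so it is sent unconditionally.
    """
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/detection_engine/rules/prepackaged/_status",
        headers={"Authorization": f"ApiKey {api_key}", "kbn-xsrf": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(status: dict) -> dict:
    """Reduce the counters to what a defender cares about: are any prebuilt rules
    missing, and are any behind the version shipped in the latest package?"""
    missing = int(status.get("rules_not_installed", 0))
    stale = int(status.get("rules_not_updated", 0))
    installed = int(status.get("rules_installed", 0))
    return {
        "installed": installed,
        "missing": missing,
        "stale": stale,
        "action_needed": missing > 0 or stale > 0,
        # Share of installed prebuilt rules that lag the shipped package version.
        "stale_ratio": round(stale / installed, 4) if installed else 0.0,
    }


def report(status: dict) -> str:
    """One-line verdict suitable for a cron job or a monitoring check."""
    s = summarize(status)
    if not s["action_needed"]:
        return f"OK: {s['installed']} prebuilt rules installed and current"
    return (
        f"ACTION: {s['missing']} prebuilt rules not installed, "
        f"{s['stale']} behind the latest package version "
        f"({s['stale_ratio']:.1%} of {s['installed']} installed)"
    )


if __name__ == "__main__":
    if len(sys.argv) == 3:
        current = fetch_status(sys.argv[1], sys.argv[2])
    else:
        current = SAMPLE_STATUS
    print(report(current))
```

Because the automatic install only happens when a user visits the Rules page, a cluster nobody has looked at for a while can quietly fall behind; scheduling this check (and alerting on an `ACTION` line) closes that gap without adding the integration to any agent policy.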

I kind of figured it wouldn't need to be added but it does let you, so I was just trying to make sure there wasn't something I was missing. Thank you for the explanation!
