I do not see it documented anywhere but my assumption is the "Prebuilt Security Detection Rules" integration is there so we can install the assets in Elasticsearch and not actually add this integration to policies?
Can someone tell me if this should be added to policies and why?
Heya @ARDiver86 , that's a great question, let me try to resolve the confusion.
TL;DR: you don't need to add the "Prebuilt Security Detection Rules" integration to any agent policies; it's only used for shipping assets (in this case - prebuilt detection rules).
Prebuilt detection rules that you can install in Security Solution are developed on GitHub (elastic/detection-rules: Rules for Elastic Security's detection engine). As part of their release process, a few times per Kibana release Elastic packages them into a "Prebuilt Security Detection Rules" Fleet package and publishes it to the official Elastic Package Registry. Once that happens, the updated rules become available in Fleet/Integrations as the "Prebuilt Security Detection Rules" integration.
A few details about it:
You can install, uninstall, or update this package and its assets manually from the corresponding page in Integrations
We install and update it to the latest version automatically once a user visits the Rules page in Security Solution. Users don't have to manually do it.
Adding this integration to an agent policy doesn't make sense, but shouldn't break anything either.
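The answer above makes two operational points: the package should be installed and current (it is updated when someone visits the Rules page), and it has no business sitting in an agent policy. The following script, an added example that is not part of the thread and not Elastic's own code, turns both into a check against the Kibana Fleet API. It assumes the Fleet package name `security_detection_engine` for this integration and the endpoints `GET /api/fleet/epm/packages/<name>` and `GET /api/fleet/agent_policies?full=true`; the response shapes it parses are assumptions, and the sample responses embedded in it are constructed so the logic can be run offline.

```python
"""Check the Prebuilt Security Detection Rules package via the Kibana Fleet API.

Added example, not code from the original thread. Assumptions:
  * Fleet package name `security_detection_engine` backs the
    "Prebuilt Security Detection Rules" integration;
  * endpoints GET /api/fleet/epm/packages/<name> and
    GET /api/fleet/agent_policies?full=true with the response shapes
    mirrored by the constructed samples below.
"""
import json
import os
import urllib.request

PACKAGE_NAME = "security_detection_engine"  # assumed Fleet package name

# Constructed sample of GET /api/fleet/epm/packages/security_detection_engine
SAMPLE_PACKAGE = {
    "item": {
        "name": PACKAGE_NAME,
        "version": "8.9.3",        # installed version (constructed)
        "latestVersion": "8.9.5",  # newest on the registry (constructed)
        "status": "installed",
    }
}

# Constructed sample of GET /api/fleet/agent_policies?full=true
SAMPLE_POLICIES = {
    "items": [
        {"id": "p1", "name": "Linux servers",
         "package_policies": [{"package": {"name": "system"}}]},
        {"id": "p2", "name": "Misconfigured",
         "package_policies": [{"package": {"name": "system"}},
                              {"package": {"name": PACKAGE_NAME}}]},
    ]
}


def package_status(pkg_response: dict) -> dict:
    """Summarise whether the rules package is installed and current."""
    item = pkg_response.get("item", {})
    installed = item.get("status") == "installed"
    version = item.get("version")
    latest = item.get("latestVersion")
    return {
        "installed": installed,
        "version": version,
        "latest": latest,
        # Fleet reports the registry's newest version alongside the installed one
        "up_to_date": installed and version == latest,
    }


def policies_with_package(policies_response: dict, name: str = PACKAGE_NAME) -> list:
    """Names of agent policies carrying the package as an integration.

    Per the thread, adding it to a policy is harmless but pointless, so any
    hit here is configuration clutter worth removing.
    """
    hits = []
    for policy in policies_response.get("items", []):
        for pp in policy.get("package_policies", []):
            if pp.get("package", {}).get("name") == name:
                hits.append(policy["name"])
                break
    return hits


def fetch(kibana_url: str, path: str, api_key: str) -> dict:
    """GET a Fleet endpoint; kbn-xsrf is required by Kibana's API."""
    req = urllib.request.Request(
        kibana_url.rstrip("/") + path,
        headers={"kbn-xsrf": "true", "Authorization": f"ApiKey {api_key}"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url, key = os.environ.get("KIBANA_URL"), os.environ.get("KIBANA_API_KEY")
    if url and key:
        pkg = fetch(url, f"/api/fleet/epm/packages/{PACKAGE_NAME}", key)
        pols = fetch(url, "/api/fleet/agent_policies?full=true", key)
    else:  # no cluster configured: run on the constructed samples
        pkg, pols = SAMPLE_PACKAGE, SAMPLE_POLICIES
    print("package:", package_status(pkg))
    print("policies that needlessly include it:", policies_with_package(pols))
```

Run with `KIBANA_URL` and `KIBANA_API_KEY` set to query a real stack; without them it evaluates the constructed samples, reporting an installed but stale package and one policy ("Misconfigured") that carries the integration for no benefit.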
I kind of figured it wouldn't need to be added but it does let you, so I was just trying to make sure there wasn't something I was missing. Thank you for the explanation!