Closed brokensound77 closed 2 weeks ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Most of this was completed in https://github.com/elastic/detection-rules/pull/3407 - however, since it remains in a feature branch during testing, we can leave the issue open until merged to main (or deemed as not viable)
With the exception of this issue (https://github.com/elastic/detection-rules/issues/3962), this has been completed with the DAC feature merging to main: https://github.com/elastic/detection-rules/pull/3889.
related to #3298
While the repo technically supports both the `actions` and `exceptions` fields within the defined schema, it is not actually practical to populate those fields in any prebuilt rules. This is because it would create a situation where the rules would get out of sync from a versioning perspective and be in the same situation as modifying prebuilt rules. The easiest solution would be to decouple them completely.
- `rule_id` as the key and an array of entries respectively
- `to_api_format` method as well as a parameter for building packages
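One way the decoupling described in this issue could look, as an added example that is not the detection-rules project's own code: `actions` and `exceptions` live in a separate store keyed by `rule_id` (each value an array of entries), the rule's version hash is computed with those fields excluded, and `to_api_format` only attaches them when a package-build parameter asks for it. The rule shape, the entry shapes, the overlay store, and the names `content_hash`, `validate_prebuilt_rule`, `SAMPLE_OVERLAYS` and `include_overlays` are all assumptions made for this illustration, not the project's actual schema or API.

```python
"""Added example (not detection-rules project code): keep per-rule actions and
exceptions out of prebuilt rule files and merge them in only at package build.

Assumptions (hypothetical, not the project's real layout or schema): a rule is a
plain dict in the shape of a rule file's `rule` table; overlays are a dict keyed
by rule_id whose values hold arrays of `actions` / `exceptions` entries.
"""
import copy
import hashlib
import json
from typing import Optional

DECOUPLED_FIELDS = ("actions", "exceptions")

# Constructed sample rule (illustrative field values, not a real prebuilt rule).
SAMPLE_RULE = {
    "rule_id": "11111111-2222-3333-4444-555555555555",
    "name": "Example rule",
    "type": "query",
    "language": "kuery",
    "query": 'process.name : "cmd.exe"',
    "version": 3,
}

# Constructed overlay store: rule_id -> {field: [entries]}. Entry shapes are illustrative.
SAMPLE_OVERLAYS = {
    "11111111-2222-3333-4444-555555555555": {
        "actions": [
            {"id": "slack-1", "action_type_id": ".slack", "group": "default",
             "params": {"message": "{{context.rule.name}} fired"}},
        ],
        "exceptions": [
            {"id": "list-1", "list_id": "trusted_admin_tools",
             "namespace_type": "single", "type": "detection"},
        ],
    }
}


def validate_prebuilt_rule(rule: dict) -> None:
    """Reject a prebuilt rule that carries decoupled fields inline (hypothetical check).

    Populating these in the rule file is what causes the version drift the issue
    describes, so the decoupled layout treats it as an error at load time."""
    for field in DECOUPLED_FIELDS:
        if field in rule:
            raise ValueError(f"{field!r} must not be set inline in prebuilt rule {rule['rule_id']}")


def content_hash(rule: dict) -> str:
    """Hash only the versioned content, with decoupled fields excluded.

    Editing actions or exceptions therefore never changes a rule's hash/version."""
    versioned = {k: v for k, v in rule.items() if k not in DECOUPLED_FIELDS}
    blob = json.dumps(versioned, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def to_api_format(rule: dict, overlays: Optional[dict] = None,
                  include_overlays: bool = False) -> dict:
    """Build the API-format rule; attach overlays only when a package build asks.

    `include_overlays` is the build parameter the issue mentions (name assumed)."""
    validate_prebuilt_rule(rule)
    api = copy.deepcopy(rule)
    if include_overlays and overlays:
        entries = overlays.get(rule["rule_id"], {})
        for field in DECOUPLED_FIELDS:
            if entries.get(field):
                api[field] = copy.deepcopy(entries[field])
    return api


if __name__ == "__main__":
    plain = to_api_format(SAMPLE_RULE)
    packaged = to_api_format(SAMPLE_RULE, SAMPLE_OVERLAYS, include_overlays=True)
    print("actions attached only for package build:", "actions" not in plain, "actions" in packaged)
    print("hash unchanged by overlays:", content_hash(plain) == content_hash(packaged))
```

Because `content_hash` skips the decoupled fields, a rule's version stays stable whether or not overlays are attached, which is the property that makes shipping actions and exceptions alongside prebuilt rules safe from a versioning standpoint.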