elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[FR] Adopt DAC with current ruleset #3907

Closed acumen-kevinr closed 2 months ago

acumen-kevinr commented 2 months ago

Repository Feature

Detections-as-Code (DaC) - (primarily custom rule management)

Problem Description

We have over 1,000 rules that we utilise within Kibana and we would like to transition to DAC as a methodology...is there a way for us to export our entire ruleset and have them generated in the relevant way (i.e. toml) within the DAC code?

I know we can do one rule at a time, kind of, but realistically we'd want to be able to do them all in bulk.

Let me know if there are any plans to add this or if there's a workaround.

Desired Solution

As above - ability to import all rules

Considered Alternatives

No response

Additional Context

No response

eric-forte-elastic commented 2 months ago

Hi @acumen-kevinr thanks for reaching out! Yes, you can do this using the DAC code. This code is currently in alpha on the DAC-feature branch of detection rules. The command I think you would be most interested in is the detection_rules kibana export-rules command (documentation). This will export all of the custom rules from your Kibana instance (you can also specify a specific space to use via --space) to toml files in your repo. Also there is an accompanying import-rules command you can run to push the rules from your repo to Kibana.

Here are some reference materials that might be useful:

Please let us know if you run into any trouble or have any additional feedback, we are happy to help! Thanks!

eric-forte-elastic commented 2 months ago

Now that we have merged the DAC-feature branch https://github.com/elastic/detection-rules/pull/3889 into main, these features are in beta. Please check out our quick start guide for how to get started.