Repository Feature
Detections-as-Code (DaC) - (primarily custom rule management)
Problem Description
We have over 1,000 rules that we utilise within Kibana and we would like to transition to DaC as a methodology. Is there a way for us to export our entire ruleset and have the rules generated in the relevant format (i.e. TOML) within the DaC code?
I know we can do one rule at a time, kind of, but realistically we'd want to be able to do them all in bulk.
Let me know if there are any plans to add this or if there's a workaround.
Desired Solution
As above - ability to import all rules
Considered Alternatives
No response
Additional Context
No response
Hi @acumen-kevinr, thanks for reaching out! Yes, you can do this using the DaC code. This code is currently in alpha on the DAC-feature branch of detection-rules. The command I think you would be most interested in is the detection_rules kibana export-rules command (documentation). This will export all of the custom rules from your Kibana instance (you can also specify a particular space via --space) to TOML files in your repo. There is also an accompanying import-rules command you can run to push the rules from your repo to Kibana.
Here are some reference materials that might be useful:
An example GitHub Actions workflow that pulls custom rules from a specified space and opens a PR against the fork of detection-rules: link
An example GitHub Actions workflow that pushes the rules back to Kibana: link
A demo video walking through the example setup in that repo: link
Please let us know if you run into any trouble or have any additional feedback, we are happy to help! Thanks!
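Once a bulk export has landed several hundred TOML files in the repo, the first thing a practitioner wants before opening the pull request is a quick structural pass over the whole tree: does every file parse, does every rule carry the fields Kibana will insist on, and did two files end up with the same rule_id. The script below is an added example and is not code from elastic/detection-rules; it assumes the exported files use the repo's [metadata] / [rule] TOML layout, uses a hypothetical check_rule / check_directory pair, and runs against constructed sample rules written to a temporary directory. It is an independent sanity check, not a replacement for the repo's own schema validation (its validate-all command).

```python
"""Sanity-check a directory of exported detection-rules TOML files.

Hypothetical helper (not part of elastic/detection-rules): parses every
.toml file, checks required [rule] fields, and flags duplicate rule_ids.
"""
import os
import re
import tempfile
from collections import Counter

try:
    import tomllib  # stdlib on Python 3.11+
except ModuleNotFoundError:  # older interpreters: pip install tomli
    import tomli as tomllib  # type: ignore

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
# Rule types seen in exported Elastic Security rules (assumption: this set is
# representative, not exhaustive).
KNOWN_TYPES = {"query", "eql", "threshold", "machine_learning",
               "threat_match", "new_terms", "esql"}
QUERY_TYPES = {"query", "eql", "threshold", "new_terms", "esql"}
REQUIRED = ("rule_id", "name", "type", "severity", "risk_score")


def check_rule(doc):
    """Return the list of problems found in one parsed rule file ([] = OK)."""
    problems = []
    rule = doc.get("rule")
    if not isinstance(rule, dict):
        return ["missing [rule] table"]
    for key in REQUIRED:
        if key not in rule:
            problems.append(f"missing rule.{key}")
    rid = rule.get("rule_id")
    if rid is not None and not UUID_RE.match(str(rid)):
        problems.append(f"rule_id {rid!r} is not a UUID")
    if rule.get("type") not in KNOWN_TYPES:
        problems.append(f"unknown type {rule.get('type')!r}")
    if rule.get("type") in QUERY_TYPES and not rule.get("query"):
        problems.append("query rule without a query")
    if "metadata" not in doc:
        problems.append("missing [metadata] table")
    return problems


def check_directory(path):
    """Parse every .toml under path; return {filename: [problems]}.

    Rule IDs shared by more than one file are reported on every file involved.
    """
    report, rid_by_file = {}, {}
    for root, _, files in os.walk(path):
        for fn in sorted(f for f in files if f.endswith(".toml")):
            with open(os.path.join(root, fn), "rb") as fh:
                try:
                    doc = tomllib.load(fh)
                except tomllib.TOMLDecodeError as exc:
                    report[fn] = [f"TOML parse error: {exc}"]
                    continue
            report[fn] = check_rule(doc)
            rid = doc.get("rule", {}).get("rule_id")
            if rid:
                rid_by_file[fn] = rid
    counts = Counter(rid_by_file.values())
    for fn, rid in rid_by_file.items():
        if counts[rid] > 1:
            report[fn].append(f"duplicate rule_id {rid}")
    return report


def _sample(rule_id, name):
    # Constructed rule in the detection-rules TOML layout (not a real rule).
    return f"""[metadata]
creation_date = "2024/01/01"
maturity = "production"
updated_date = "2024/01/01"

[rule]
author = ["Example Corp"]
description = "Constructed sample rule for the sanity check."
index = ["logs-*"]
language = "kuery"
name = "{name}"
risk_score = 47
rule_id = "{rule_id}"
severity = "medium"
type = "query"
query = '''
process.name : "whoami"
'''
"""


BROKEN = """[metadata]
creation_date = "2024/01/01"

[rule]
rule_id = "not-a-uuid"
risk_score = 21
severity = "low"
type = "query"
"""


def demo():
    """Write four constructed files to a temp dir and return the report."""
    files = {
        "clean.toml": _sample("d2b2c7a0-1f7c-4c3e-9a1e-0f3a1b2c3d4e", "Clean rule"),
        "dup_a.toml": _sample("3c9f0e52-7b1a-4f7d-8e2b-5a6c7d8e9f01", "Dup A"),
        "dup_b.toml": _sample("3c9f0e52-7b1a-4f7d-8e2b-5a6c7d8e9f01", "Dup B"),
        "broken.toml": BROKEN,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fn, body in files.items():
            with open(os.path.join(tmp, fn), "w", encoding="utf-8") as fh:
                fh.write(body)
        return check_directory(tmp)


if __name__ == "__main__":
    for fn, probs in sorted(demo().items()):
        print(f"{fn}: {'OK' if not probs else '; '.join(probs)}")
```

Point check_directory at the directory export-rules wrote into (the repo's custom rules directory, or whatever you passed as the export target) and fail the CI job if any value in the returned dict is non-empty; a duplicate rule_id across two files is the case to watch for after a large export, because import-rules will treat the second file as an update of the first rather than as a new rule.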
Now that we have merged the DAC-feature branch (#3889) into main, these features are in beta. Please check out our quick start guide for how to get started.