
[FEATURE] API to validate list of rules against an index #90

@petardz

Description

Is your feature request related to a problem?
We need a way to validate a list of custom rules against a source index so that the user can be informed whether a specific rule can be used with a particular index.

What solution would you like?
Create a new API, ValidateRules, which accepts a list of rule ids of the same category (for example: "windows") and an index name. The result will contain a list of ids of rules which are not applicable to the given index. These rules contain fields which are not present in either the given index mappings or the alias mappings for this rule category.

REQUEST:

GET /_plugins/_security_analytics/rules/validate
{
    "rules": [
        "ruleId1",
        "ruleId2",
        "ruleId3"
    ],
    "index_name": "my_win2022_index_log"
}

Request body:

| param | description |
| --- | --- |
| rules | List of rule ids to validate |
| index_name | Name of index to validate rules against |

RESPONSE:

{
    "nonapplicable_rules": [
        "ruleId1",
        "ruleId3"
    ]
}

| param | description |
| --- | --- |
| invalid_rules | List of rule ids which are not applicable to given index |

What alternatives have you considered?
Validating rules during rule indexing.

Do you have any additional context?
Add any other context or screenshots about the feature request here.
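The check the proposed ValidateRules API would perform, as an added example that is not the plugin's own code: it flattens the index mapping and the category's alias mapping into field paths and reports every rule that references a field found in neither. It assumes each rule is represented as the set of field names its detection references, and uses constructed sample mappings and rules.

```python
# Added example (not the plugin's own code). Assumes rules are given as the set of
# field names their detection references, and mappings use OpenSearch's "properties" tree.
from typing import Dict, List, Set


def mapping_fields(mapping: Dict, prefix: str = "") -> Set[str]:
    """Flatten an OpenSearch 'properties' tree into dotted field paths,
    including nested objects and multi-fields (e.g. computer_name.keyword)."""
    fields: Set[str] = set()
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        fields.add(path)
        if "properties" in spec:  # object / nested type: recurse
            fields |= mapping_fields(spec, prefix=f"{path}.")
        for sub in spec.get("fields", {}):  # multi-fields such as .keyword
            fields.add(f"{path}.{sub}")
    return fields


def non_applicable_rules(rules: Dict[str, Set[str]], index_mapping: Dict,
                         alias_mapping: Dict) -> List[str]:
    """Ids of rules that reference a field present in neither the index
    mapping nor the category's alias mapping (the proposed response body)."""
    known = mapping_fields(index_mapping) | mapping_fields(alias_mapping)
    return sorted(rid for rid, needed in rules.items() if not needed <= known)


# Constructed sample: a minimal Windows event index mapping and three rules.
SAMPLE_INDEX_MAPPING = {
    "properties": {
        "winlog": {"properties": {"event_id": {"type": "integer"},
                                  "computer_name": {"type": "keyword"}}},
        "process": {"properties": {"name": {"type": "keyword"}}},
    }
}
# Category alias mapping: rule field names mapped onto the raw index fields.
SAMPLE_ALIAS_MAPPING = {
    "properties": {"EventID": {"type": "alias", "path": "winlog.event_id"}}
}
SAMPLE_RULES = {
    "ruleId1": {"EventID", "CommandLine"},             # CommandLine is unmapped
    "ruleId2": {"EventID", "process.name"},            # every field resolves
    "ruleId3": {"winlog.event_id", "TargetUserName"},  # TargetUserName is unmapped
}

if __name__ == "__main__":
    print({"nonapplicable_rules":
           non_applicable_rules(SAMPLE_RULES, SAMPLE_INDEX_MAPPING, SAMPLE_ALIAS_MAPPING)})
```

Run as-is it reproduces the response shown above: ruleId1 and ruleId3 are reported, ruleId2 resolves every field through either the index or the alias mapping.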

Labels: enhancement (New feature or request)