Use cases for end to end implementations of detection-as-code (DAC) for security rules
CC1 to CC4 are the four core components of the detection-rules DaC reference (maintaining rules in a VCS, syncing from VCS to Elastic Security, managing rules within Elastic Security, syncing from Elastic Security back to VCS); GM1 to GM3 are its governance models (VCS as the authoritative source, Elastic Security as the authoritative source, dual sync between the two). DR is the detection-rules repo.

use case | governance model | CC1: maintain rules in VCS | CC2: sync VCS to Elastic Security | CC3: manage rules in Elastic Security | CC4: sync Elastic Security to VCS | notes |
---|---|---|---|---|---|---|
infosec | GM1 | no DR repo usage; custom rules; create detection rules in Kibana and export; versioning? (open question); custom exceptions and actions management; custom unit tests; limited rule schema validation; no detection logic validation | deploy via CI/CD and custom REST calls | manual management, plus Tines | Tines to push based on X trigger? (or on a schedule?) | needs verification; grimoire |
fork DR | GM1 | DR repo usage; custom rules; create detection rules in Kibana and export; versioning via lock files; custom exceptions and actions management; custom unit tests; rule schema validation; detection logic validation | detection-rules repo features used for syncing | syncing handled via VCS, with limited direct management in Elastic Security | not applicable or minimal | leverages the detection-rules repo for rule maintenance |
import DR | GM3 | rules imported via the detection-rules libraries | automated syncing to Elastic Security | manual rule management within Elastic Security | syncing back to VCS as part of the dual-sync process | import the libraries to assist with dual sync |
platform-centric MSSP | GM2 | VCS plays a secondary role | infrequent or batched syncing to Elastic Security | primary rule management within Elastic Security | infrequent syncing back to VCS, if at all | Elastic-centric rule management for multiple clients |
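The four components in the table, carried through in code, as an added example that is not code from this page or from Elastic's detection-rules repository. It assumes rules are plain dicts shaped like Kibana rule objects and that the lock file maps rule_id to {rule_name, sha256, version}, which follows the spirit of the detection-rules lock file rather than its exact format. The `POST /api/detection_engine/rules/_import` endpoint and the trailing summary object of a Kibana export are as documented for the Kibana detection engine API; the sample rules, rule_ids and export text are constructed for the example.

```python
# Added example (not Elastic's detection-rules code): a minimal model of CC1-CC4.
# Assumptions: rules are dicts shaped like Kibana rule objects; the lock file maps
# rule_id -> {rule_name, sha256, version} (spirit of the DR lock file, not its format).
import hashlib
import json

# Fields that define detection content. Server-side metadata in a Kibana export
# (id, created_at, enabled, ...) is excluded so a round trip is not seen as a change.
CONTENT_FIELDS = ("rule_id", "name", "type", "language", "index", "query",
                  "description", "risk_score", "severity", "tags")
REQUIRED_FIELDS = {"rule_id", "name", "type", "description", "risk_score", "severity"}
SEVERITIES = {"low", "medium", "high", "critical"}

# Constructed sample rules as they would sit in the VCS repo (not real Elastic rules).
VCS_RULES = [
    {"rule_id": "11111111-aaaa-4bbb-8ccc-000000000001", "name": "PowerShell Encoded Command",
     "type": "query", "language": "kuery", "index": ["logs-endpoint.events.process-*"],
     "query": 'process.name:"powershell.exe" and process.args:("-enc" or "-EncodedCommand")',
     "description": "Encoded PowerShell command line.", "risk_score": 47, "severity": "medium"},
    {"rule_id": "11111111-aaaa-4bbb-8ccc-000000000002", "name": "Office Spawning cmd.exe",
     "type": "query", "language": "kuery", "index": ["logs-endpoint.events.process-*"],
     "query": 'process.name:"cmd.exe" and process.parent.name:("winword.exe" or "excel.exe")',
     "description": "Office application spawning cmd.exe.", "risk_score": 73, "severity": "high"},
]

def validate_schema(rule):
    """CC1, limited rule schema validation: list of problems, empty when acceptable."""
    problems = []
    missing = REQUIRED_FIELDS - rule.keys()
    if missing:
        problems.append("missing fields: " + ", ".join(sorted(missing)))
    if rule.get("severity") not in SEVERITIES:
        problems.append(f"invalid severity: {rule.get('severity')!r}")
    if not isinstance(rule.get("risk_score"), int) or not 0 <= rule["risk_score"] <= 100:
        problems.append(f"risk_score out of range: {rule.get('risk_score')!r}")
    if rule.get("type") in ("query", "eql") and not rule.get("query"):
        problems.append("query rule without a query")
    return problems

def validate_logic(query):
    """CC1, cheap detection-logic check: balanced double quotes and parentheses."""
    problems = []
    if query.count('"') % 2:
        problems.append("unbalanced double quotes")
    depth = 0
    for ch in query:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems

def content_hash(rule):
    """sha256 over the content fields only, in canonical JSON form."""
    stable = {k: rule[k] for k in CONTENT_FIELDS if k in rule}
    return hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()

def update_lock(lock, rules):
    """CC1 versioning via lock file: new rules start at 1, changed content bumps the version."""
    new_lock = dict(lock)
    for rule in rules:
        digest, entry = content_hash(rule), lock.get(rule["rule_id"])
        if entry is None or entry["sha256"] != digest:
            version = 1 if entry is None else entry["version"] + 1
            new_lock[rule["rule_id"]] = {"rule_name": rule["name"], "sha256": digest, "version": version}
    return new_lock

def to_import_ndjson(rules, lock):
    """CC2 payload: one rule per line carrying the locked version, the body that Kibana's
    POST /api/detection_engine/rules/_import endpoint takes (sent with the kbn-xsrf header)."""
    lines = [json.dumps(dict(r, version=lock[r["rule_id"]]["version"]), sort_keys=True) for r in rules]
    return "\n".join(lines) + "\n"

# Constructed stand-in for a Kibana export: rule 1 untouched apart from server metadata,
# rule 2 edited in the UI, one rule created only in Kibana, then the export summary object.
KIBANA_EXPORT = "\n".join(json.dumps(o) for o in [
    dict(VCS_RULES[0], id="d0c1a2b3-4e5f-4a6b-8c7d-9e0f1a2b3c4d", enabled=True,
         created_at="2024-05-01T10:00:00.000Z", version=1),
    dict(VCS_RULES[1], query=VCS_RULES[1]["query"] + ' and not user.name:"svc_office"', version=2),
    {"rule_id": "11111111-aaaa-4bbb-8ccc-000000000003", "name": "Created in Kibana", "type": "query",
     "language": "kuery", "query": "event.code:4688", "description": "ad hoc", "risk_score": 21,
     "severity": "low"},
    {"exported_count": 3, "exported_rules_count": 3, "missing_rules": [], "missing_rules_count": 0},
]) + "\n"

def detect_drift(exported_ndjson, lock):
    """CC4 / dual sync: classify each exported rule against the lock file."""
    status, seen = {}, set()
    for line in exported_ndjson.splitlines():
        obj = json.loads(line) if line.strip() else {}
        rid = obj.get("rule_id")
        if rid is None:            # blank line or the trailing summary object
            continue
        seen.add(rid)
        entry = lock.get(rid)
        if entry is None:
            status[rid] = "new_in_kibana"
        elif content_hash(obj) != entry["sha256"]:
            status[rid] = "modified_in_kibana"
        else:
            status[rid] = "in_sync"
    for rid in lock.keys() - seen:
        status[rid] = "missing_in_kibana"
    return status

if __name__ == "__main__":
    lock = update_lock({}, VCS_RULES)
    print(to_import_ndjson(VCS_RULES, lock), detect_drift(KIBANA_EXPORT, lock))
```

The drift classification is what decides between the governance models: under GM1 a `modified_in_kibana` or `new_in_kibana` result is a policy violation to be reverted on the next CC2 sync, under GM2 it is the normal state and the lock file is refreshed from the export, and under GM3 it is the signal that a pull request back into the VCS is needed.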
In practice, the detection-as-code (DaC) approach for Elastic Security relies on a set of GitHub Actions workflows that automate the synchronization tasks above. They validate and deploy detection rules on every change, so that the rules running in Elastic Security stay aligned with what is in version control and with the latest threat intelligence. The following workflows can be found in the .github/workflows directory:
These workflows are the main tooling for managing the lifecycle of detection rules, and they are what keeps the deployed rule set consistent and responsive to change.