The Engineer’s Guide to Elastic Detections as Code

Detections as Code (DaC) applies software development practices to detection rule creation and management, and Elastic has extended its detection-rules repository so users can author, test, version, and deploy rules as code across environments. The post details feature milestones (alpha → beta → general availability), new export filters and local loading options, schema auto-generation, CI/CD and unit testing examples, and training resources to help teams adopt DaC. #Elastic #DetectionRules

Keypoints

  • Detections as Code (DaC) treats detection rules like software: version control, automated tests, peer reviews, and automated deployments to improve consistency and agility.
  • Elastic updated the detection-rules repository to support user-managed custom rules, exceptions, actions, and an interactive CLI for rule creation and management.
  • Milestones: May 2024 alpha (custom rules dir, selective tests, exceptions/actions), Aug 2024 beta (bulk import/export, configurable tests, version lock), and March–Aug 2025 general availability with Elastic Security 8.18+ support.
  • New export filtering flags (e.g., -cro to export only custom rules, -eq for query filters) and local rule-loading (-lr) let teams precisely control which rules are synced and where files are placed.
  • Local-loading enhancements include preserving local creation dates and improved auto-generation of schemas that inherit field types from existing indices to reduce manual schema edits.
  • DaC implementation examples include GitLab CI/CD pipelines, custom unit testing patterns (e.g., enforcing Team: tags), custom schemas for validation, and hands-on Instruqt training for practitioners.

MITRE Techniques

  • [N/A] No specific MITRE techniques mentioned – "The article references MITRE ATT&CK information in folder structure but does not specify particular technique IDs or Txxxx identifiers."

Indicators of Compromise

  • [File names] Examples of rule and config files referenced as artifacts in DaC workflows – my_test_rule.toml, high_number_of_process_and_or_service_terminations.toml
  • [Config & script files] Examples of test and configuration files used in the repository and CI/CD examples – test_custom_rules.py, config.yaml (and other repo config files)

Read more: https://www.elastic.co/security-labs/detection-as-code-timeline-and-new-features