lgc import #1

Open
c-x opened this issue Jun 3, 2024 · 0 comments
Labels
enhancement New feature or request

c-x commented Jun 3, 2024

Problem

When deploying lgc for the first time, we might not have our detections written as YAML files, so we need to create custom scripts to convert existing detection rules, which is time-consuming.

Solution

We would need an `lgc import` command that will connect to a service and create YAML files from scratch and from what's live in the target system.

Examples:

`lgc import prod --service splk-prod`

Maybe a templating system would solve the below pitfalls, for example:

`lgc import prod --service splk-prod --template my-template.yaml`

With the desired fields described in `my-template.yaml`.

Pitfall

  • Each plugin would require a unique set of parameters. For example, the Splunk API returns every parameter regardless of whether it has its default value. This would create crazy big YAML files. Consider something like `lgc import --service splk-prod --filter cron_schedule --filter disabled --filter description --filter search`
  • Splunk also uses namespaces (app/user) to access knowledge objects, so we could need something like `lgc import --service splk-prod --kv app=MyApp`

Alternatives

  • For Splunk, all saved searches are contained within a single file, `savedsearches.conf`. An alternative would be to parse that file. The benefit is that we would get only user-defined parameters. Something like `lgc import --service splk-prod --from-file savedsearches.conf`
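As an added illustration of the two ideas in this issue (the `--from-file savedsearches.conf` alternative and the `--filter` pitfall), here is a small stand-alone prototype that is not part of lgc and not the author's code: it parses a constructed `savedsearches.conf` (Splunk's INI-style stanza format with backslash line continuations and an inherited `[default]` stanza), keeps only an allow-list of attributes the way `--filter` would, and renders the result as YAML. The function names, the sample stanzas and the output layout are assumptions for the example.

```python
"""Prototype of `lgc import --from-file savedsearches.conf --filter ...` (hypothetical, not lgc code)."""
import json
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample; not taken from any real Splunk deployment.
SAMPLE_CONF = """\
# [default] values are inherited by every stanza in the file
[default]
cron_schedule = */5 * * * *
disabled = 0

[Suspicious PowerShell Encoded Command]
search = index=wineventlog EventCode=4688 \\
  Process_Command_Line="*-enc*"
description = Detects encoded PowerShell command lines
cron_schedule = 0 * * * *
disabled = 0
alert.severity = 4

[Legacy Report]
search = index=main | stats count
disabled = 1
"""


def _logical_lines(text: str) -> Iterator[str]:
    """Join physical lines ending in a backslash (Splunk .conf continuation)."""
    buf: Optional[str] = None
    for raw in text.splitlines():
        if buf is not None:
            raw = buf + " " + raw.strip()
            buf = None
        if raw.endswith("\\"):
            buf = raw[:-1].rstrip()
            continue
        yield raw
    if buf is not None:  # dangling continuation at end of file
        yield buf


def parse_savedsearches(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {attribute: value}} for a savedsearches.conf body."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in _logical_lines(text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in stripped:
            raise ValueError(f"malformed line outside a stanza: {line!r}")
        key, _, value = stripped.partition("=")  # search strings may contain '='
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def to_rules(stanzas: Dict[str, Dict[str, str]],
             fields: Optional[Iterable[str]] = None) -> List[Dict[str, object]]:
    """Turn stanzas into rule records; `fields` plays the role of --filter."""
    defaults = stanzas.get("default", {})
    keep = set(fields) if fields is not None else None
    rules: List[Dict[str, object]] = []
    for name, attrs in stanzas.items():
        if name == "default":
            continue
        params = {**defaults, **attrs}  # stanza attributes override [default]
        if keep is not None:
            params = {k: v for k, v in params.items() if k in keep}
        rules.append({"name": name, "params": params})
    return rules


def render_yaml(rules: List[Dict[str, object]]) -> str:
    """Minimal YAML emitter; JSON double-quoted scalars are valid YAML scalars."""
    out: List[str] = []
    for rule in rules:
        out.append(f"- name: {json.dumps(rule['name'])}")
        out.append("  params:")
        for key in sorted(rule["params"]):  # type: ignore[arg-type]
            out.append(f"    {json.dumps(key)}: {json.dumps(rule['params'][key])}")  # type: ignore[index]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    wanted = {"cron_schedule", "disabled", "description", "search"}
    print(render_yaml(to_rules(parse_savedsearches(SAMPLE_CONF), wanted)))
```

Running it prints two rules; `alert.severity` is dropped by the allow-list, and `Legacy Report` picks up `cron_schedule` from `[default]` while its own `disabled = 1` wins over the inherited `0`. The allow-list is what keeps the generated files small, which is the pitfall the issue raises for the API route.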