Problem
When deploying lgc for the first time, we might not have our detections written as YAML files, so we need to create custom scripts to convert existing detection rules, which is time-consuming.
Solution
We would need an lgc import command that will connect to a service and create YAML files from scratch, from what's live in the target system.
Examples: lgc import prod --service splk-prod
Maybe a templating system would solve the pitfalls below, for example:
With the desired fields described in my-template.yaml
Pitfall
Each plugin would require a unique set of parameters. For example, the Splunk API returns every parameter regardless of whether it is at its default value. This would create crazy big YAML files. Consider something like lgc import --service splk-prod --filter cron_schedule --filter disabled --filter description --filter search
Splunk also uses namespaces (app/user) to access knowledge objects, so we might need something like lgc import --service splk-prod --kv app=MyApp
Alternatives
For Splunk, all saved searches are contained within a single file, savedsearches.conf. An alternative would be to parse that file. The benefit is that we would get only user-defined parameters. Something like lgc import --from-file savedsearches.conf --service splk-prod
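The alternative sketched above (parsing savedsearches.conf and keeping only the fields named with --filter, tagged with the app namespace), as an added example that is not lgc's own code. The conf content, the field list and the app name MyApp are constructed for illustration; the only thing assumed about the real format is Splunk's stanza, key = value and trailing-backslash continuation syntax.

```python
# Added example: turn a Splunk savedsearches.conf into small per-rule
# records, keeping only user-chosen fields. Sample content is constructed.
import json

SAMPLE_CONF = """\
# constructed sample: one long search split over two lines, one disabled rule
[Suspicious PowerShell Download]
cron_schedule = */15 * * * *
description = Flags PowerShell launching a web download
search = index=endpoint process_name=powershell.exe \\
    (DownloadString OR Invoke-WebRequest) | stats count by host
alert.track = 1

[Old Rule To Ignore]
disabled = 1
search = index=main error
"""

def parse_savedsearches(text):
    """Return {stanza: {key: value}}; joins backslash-continued lines."""
    stanzas, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # Splunk line continuation
            buf += line[:-1].rstrip() + " "
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def to_rules(stanzas, fields, app=None):
    """One record per saved search, restricted to the requested fields
    (the --filter list) and tagged with the app namespace (--kv app=...)."""
    rules = []
    for name, params in stanzas.items():
        rule = {"name": name, **({"app": app} if app else {})}
        rule.update((f, params[f]) for f in fields if f in params)
        rules.append(rule)
    return rules

def to_yaml(rule):
    """Flat YAML; JSON string literals are valid YAML double-quoted scalars."""
    return "".join(f"{k}: {json.dumps(v)}\n" for k, v in rule.items())
```

Calling to_rules(parse_savedsearches(SAMPLE_CONF), ["cron_schedule", "disabled", "description", "search"], app="MyApp") and passing each record to to_yaml yields one short YAML document per saved search, with defaults such as alert.track left out.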