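# detection-rules config file
#
# Paths in this file are resolved relative to the directory that contains it
# (for a custom rules setup: CUSTOM_RULES_DIR/). Booleans are written as the
# canonical lowercase `true` / `false` so every YAML 1.1 and 1.2 loader reads
# them the same way.
---
# Directories that hold building-block rules (BBR).
bbr_rules_dirs:
  - ../../rules_building_block

# Directories that hold the detection rules themselves.
rule_dirs:
  - ../../rules

# Supporting metadata files; each path is relative to this config.
files:
  deprecated_rules: deprecated_rules.json
  packages: packages.yaml
  stack_schema_map: stack-schema-map.yaml
  version_lock: version.lock.json

# When true, KQL keywords in rule queries are normalized during processing.
normalize_kql_keywords: false

# Set the versioning strategy.
# 1. Set to false to use the version.lock.json file
# 2. Set to true to either:
#   - Explicitly set within rule.version in the TOML file
#   - Defer to kibana versions (never manually set)
# bypass_version_lock: false

# Optional directories for non-rule artifacts.
# directories:
#   action_dir: actions
#   exception_dir: exceptions
#   action_connector_dir: action_connectors

# To set up a custom rules directory, copy this file to the root of the custom
# rules directory, which is set using the environment variable CUSTOM_RULES_DIR.
# Example structure:
# custom-rules
#   ├── _config.yaml
#   ├── rules
#   │   ├── example_rule_1.toml
#   │   └── example_rule_2.toml
#   ├── etc
#   │   ├── deprecated_rules.json
#   │   ├── packages.yaml
#   │   ├── stack-schema-map.yaml
#   │   └── version.lock.json
#   ├── actions
#   │   ├── action_1.toml
#   │   └── action_2.toml
#   └── exceptions
#       ├── exception_1.toml
#       └── exception_2.toml
#
# Update custom-rules/_config.yaml with:
#   files:
#     deprecated_rules: etc/deprecated_rules.json
#     packages: etc/packages.yaml
#     stack_schema_map: etc/stack-schema-map.yaml
#     version_lock: etc/version.lock.json
#
# The paths in this file are relative to the custom rules directory (CUSTOM_RULES_DIR/).
#
# Refer to each original source file for purpose and proper formatting.
#
# testing:
#   config: etc/example_test_config.yaml

# To turn on automatic schema generation for non-ecs fields via custom schemas,
# use a line like the following. This will generate a schema file in the
# specified location that will be used to add entries for each field and index
# combination that is not already in a known schema. This will also
# automatically add it to your stack-schema-map.yaml file when using a custom
# rules directory and config.
# auto_gen_schema_file: "etc/auto-gen-schema.json"

# To bulk disable elastic validation for optional fields, use the following line.
# NOTE: this turns off validation of optional fields for every rule loaded with
# this config, so schema mistakes in those fields are no longer caught at
# validation time; leave it unset unless the relaxed check is intended.
# bypass_optional_elastic_validation: true

# `testing.config` points to the testing config file (see the example under
# detection_rules/etc/example_test_config.yaml). It can either be set here or as
# the environment variable `DETECTION_RULES_TEST_CONFIG`, with precedence going
# to the environment variable if both are set. Having both of these options
# allows for configuring testing on prebuilt Elastic rules without specifying a
# rules _config.yaml.
#
# If set in this file, the path should be relative to the location of this
# config. If passed as an environment variable, it should be the full path.
# Note: Using the `custom-rules setup-config <name>` command will generate a
# config called `test_config.yaml`.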