Meta Summary
I need to figure out what to do with macOS detection rules. Right now I see no delineating factor for detection rule creation vs. endpoint rules. One could say detection rules could be rules that are broader in scope, meant to be tuned by users, but if we are leading with SIEM and our detection rules are many clients' first impression of us, then putting out a bunch of noisy rules that require manual tuning for client environments in order to be safe and effective doesn't sound like a winning strategy. So I need to either find a clear goal for detection rules or duplicate Endpoint Rules to Detection Rules. This Meta will be used to explore this dilemma and put into action a plan that will ensure our detection rules for macOS are useful, meaningful, and actionable going forward.
Estimated Time to Complete
TBD
Potential Blockers
None at the moment
Tasking
Review of macOS Detection Rules is complete. I am now going through and tuning each rule (which has not been done in some time). After I create the tuning PR, I will move on to evaluating which Endpoint Rules I want to move over to Detection Rules and start that PR.
Epic Link
https://github.com/elastic/ia-trade-team/issues/273
Meta Tasks
Potential References
No response