Rule suggestion process #4636

Open
richlv opened this issue Apr 21, 2025 · 2 comments
@richlv

richlv commented Apr 21, 2025

The prebuilt detection rules sometimes produce false positive alerts either during normal system operation or due to some popular software triggering them. Additionally, the highlighted fields sometimes do not include relevant information and could be improved.
When rule improvements have been reported in the support system, there have been very different responses, including:

  • A suggestion to add manual rule exceptions.
  • A suggestion to wait for Elastic 9.0 and modify the upstream rules.
  • A response that the suggestion has been passed to a "Product Management team" (which might or might not be different from the rule maintainers).
  • A response that the rule maintainers have evaluated the suggestion and rejected it (a fairly rare occurrence) or included it (in most of the cases so far).
  • A suggestion to report this in https://github.com/elastic/detection-rules only.
  • A suggestion to report this twice - in https://github.com/elastic/detection-rules and in the support system to make it more likely the suggestion will be looked at.

As it seems highly desirable to have such improvements upstreamed, both from the customer's (no need to maintain them, especially in multiple installations) and Elastic's (all customers would benefit from the rules being more useful) point of view, I am seeking an official position on the best process here.

This is a companion issue to a case in the support system.

@w0rk3r
Contributor

w0rk3r commented Apr 24, 2025

@richlv, I'm currently planning to work with the support engineers in our next cycle to improve our knowledge bases to reduce such discrepancies. This feedback suggests that we're heading in the right direction; I appreciate it.

From an effectiveness point of view, reporting FPs directly here in the repo or communicating them to us via the community Slack is probably the way that will take the least time to get them to our attention, as we, the detection developers, are monitoring the repository and the Slack channel. In contrast, we only get to know about support tickets when they are escalated. The disadvantage is that there is no SLA in the repository, and we may eventually miss issues for some time.

Community contribution is always welcome, through issues or PRs, and we have a contributor program: https://www.elastic.co/community/contributor

@w0rk3r w0rk3r self-assigned this Apr 24, 2025
@w0rk3r
Contributor

w0rk3r commented Apr 24, 2025

cc @approksiu
