A project by @br0k3ns0und | br0k3nlab
Welcome to the Rule Explorer!
This is a collection and breakdown of several of the most popular open security detection rules for analysis and exploration, enabled by the powerful search and visualization capabilities of the Elastic stack!
This is also home to the Detection Engineering Threat Report (DETR)!
The DETR is an interactive threat report, from the perspective of detection engineering, and specifically rule development. It is built on top of the REx project and data, visualized through Kibana dashboards and visualizations.
For more details on the DETR, check out the DETR section!
What is this?
This project provides a mechanism for interacting with various popular rule sets, in order to have a better understanding of the detection landscape, and quickly survey and compare multiple approaches.
The data is refreshed every 24 hours, and consists of
- a snapshot of each respective repo’s primary branch
- all new and changed rule files over time
- unique techniques and fields from the detection logic
Some rule sets additionally filter out certain rules (e.g. Elastic's deprecated rules or Azure's moved-rule placeholders).
Details of the data and their respective indexes and schemas can be found in the schema section.
The release blog can be found here.
Maintenance-free update flow
The data remains fresh and auto-updates every 24 hours, with the following maintenance-free flow:
Snapshot of statistical breakdown of imported rules
Below is a breakdown of the cumulative repos’ primary branch snapshots as of June 2024:
For live stats, refer to this dashboard.
Check out the How to Use This and schema sections to learn how to use this project!
Accessing the DETR and data
To access the data within the stack, simply click the links in the navigation bar above:
Visualize
Leveraging Kibana dashboards, this is where the DETR resides.
Search
Take advantage of searching Elasticsearch in Kibana Discover, and search the rules data with:
- ES|QL
- KQL
- Lucene
- DSL filters
Graph
If exploring via a graph visualization is more your style, explore across vertices and connections using Kibana Graph.
Included rule sets
The targeted rule sets include some of the most popular and prominent open security rules, including the following:
Questions
- Do I intend to add more rule sets in the future? Likely, yes - stay tuned in the meantime
- Can I request a rule set to be added? Sure - just ping me on Twitter
- Can I suggest new visualizations for the DETR? Yep
- Is there an API for this? Not yet, but maybe at some point