
A project by @br0k3ns0und | br0k3nlab

Welcome to the Rule Explorer!

This is a collection and breakdown of several of the most popular open security detection rules for analysis and exploration, enabled by the powerful search and visualization capabilities of the Elastic stack!

This is also home to the Detection Engineering Threat Report (DETR)!

The DETR is an interactive threat report, from the perspective of detection engineering, and specifically rule development. It is built on top of the REx project and data, visualized through Kibana dashboards and visualizations.

For more details on the DETR, check out the DETR section!

What is this?

This project provides a mechanism for interacting with various popular rule sets, in order to have a better understanding of the detection landscape, and quickly survey and compare multiple approaches.

The data is refreshed every 24 hours, and consists of

  • a snapshot of each respective repo’s primary branch
  • all new and changed rule files over time
  • unique techniques and fields from the detection logic

Some rule sets additionally have certain rules filtered out (e.g. Elastic's deprecated rules, or Azure's placeholders for moved rules).

Details of the data and their respective indexes and schemas can be found in the schema section.

The release blog can be found here.

Maintenance-free update flow

The data remains fresh and auto-updates every 24 hours, with the following maintenance-free flow:

[Figure: REx flow]

Snapshot of statistical breakdown of imported rules

Below is a breakdown of the cumulative repos’ primary branch snapshots as of June 2024:

[Figure: REx counts]

For live stats, refer to this dashboard.

Check out the How to Use This and schema sections to learn how to use this project!

Accessing the DETR and data

To access the data within the stack, simply click the links in the navigation bar above:


Visualize

Leveraging Kibana dashboards, this is where the DETR resides.


Take advantage of searching Elasticsearch in Kibana Discover, and search the rules data with:

  • ES|QL
  • KQL
  • Lucene
  • DSL filters

Graph

If exploring via a graph visualization is more your style, explore across vertices and connections using Kibana Graph.


Included rule sets

The targeted rule sets include some of the most popular and prominent open security rules, including the following:

Questions

  • Do I intend to add more rule sets in the future? Likely, yes - stay tuned in the meantime
  • Can I request a rule set to be added? Sure - just ping me on Twitter
  • Can I suggest new visualizations for the DETR? Yep
  • Is there an API for this? Not yet, but maybe at some point
