Example config stanzas and YML templates #262

Open
0xC0FFEEEE opened this issue Aug 27, 2024 · 0 comments
@0xC0FFEEEE
Contributor

Issue #258 has got me thinking about how best to document the various different YML config stanzas, required/optional fields and expected values, as, particularly for detections, defining a rule definition from scratch (i.e. without contentctl new) is somewhat of a trial-and-error process.

I appreciate there are still a lot of planned enhancements and updating the documentation is probably (understandably) quite low on the list of priorities; however, there is probably a good middle ground to help others begin to adopt contentctl, and hopefully feed back/provide contributions on further enhancements.

A couple of ideas that go hand in hand that I'd love to get your thoughts on @pyth0n1c :

  1. Have contentctl init provide example YML definitions covering the various different stanzas, required/optional fields and expected values. For example, it's not immediately apparent that the tags.message field is the risk message, or that enabled_by_default is a supported field. I've started this effort within a forked branch, primarily for my own benefit, but I'd be happy to contribute back once it's got a bit more substance.
  2. Enable the use of templated YML files for ease of use. It would be neat if build|validate|test ignored YML files beginning with an underscore so that we could provide some cookie-cutter templates that can be copied and used to produce new detections, stories, etc.
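The following is an added example, not code from the issue author or from contentctl, sketching how the two ideas above fit together: a small validator that skips underscore-prefixed template files and checks the remaining detection documents for required and optional fields by dotted path (so `tags.message` can be documented as the risk message and `enabled_by_default` type-checked as a boolean). The field list in `REQUIRED_FIELDS` and `OPTIONAL_FIELDS` is an assumption made for illustration, not contentctl's real schema. To keep the block dependency-free, the documents are shown already parsed into Python dicts, as PyYAML's `safe_load` would produce; the file names and contents are constructed sample data.

```python
"""Validate parsed detection YML documents against an assumed field schema,
skipping files whose basename begins with an underscore (template convention).

Added illustration only: the schema below is hypothetical, not contentctl's.
"""
from __future__ import annotations

import os
from typing import Any

# Hypothetical schema (assumption for this example). Values are the expected
# Python type of the field once the YML has been parsed.
REQUIRED_FIELDS: dict[str, type] = {
    "name": str,
    "search": str,
    "tags.message": str,  # documented here as the risk message
}
OPTIONAL_FIELDS: dict[str, type] = {
    "enabled_by_default": bool,
    "tags.analytic_story": list,
}


def is_template(path: str) -> bool:
    """Proposed convention: files whose basename starts with '_' are templates."""
    return os.path.basename(path).startswith("_")


def lookup(doc: Any, dotted: str) -> tuple[bool, Any]:
    """Resolve a dotted path such as 'tags.message' inside nested mappings.

    Returns (found, value); found is False if any segment is absent or the
    intermediate value is not a mapping.
    """
    current = doc
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return False, None
        current = current[part]
    return True, current


def validate(doc: dict) -> list[str]:
    """Return a list of human-readable problems for one parsed detection."""
    errors: list[str] = []
    for field, expected in REQUIRED_FIELDS.items():
        found, value = lookup(doc, field)
        if not found:
            errors.append(f"missing required field '{field}'")
        elif not isinstance(value, expected):
            errors.append(
                f"field '{field}' should be {expected.__name__}, "
                f"got {type(value).__name__}"
            )
    for field, expected in OPTIONAL_FIELDS.items():
        found, value = lookup(doc, field)
        if found and not isinstance(value, expected):
            errors.append(
                f"field '{field}' should be {expected.__name__}, "
                f"got {type(value).__name__}"
            )
    return errors


def check_content(files: dict[str, dict]) -> dict[str, list[str]]:
    """Validate every non-template document; templates are skipped entirely."""
    return {path: validate(doc) for path, doc in files.items() if not is_template(path)}


# Constructed sample content, keyed by relative path, already parsed from YML.
SAMPLE_CONTENT: dict[str, dict] = {
    # Template: placeholder values, and 'search' deliberately left empty.
    "detections/_template.yml": {
        "name": "<detection name>",
        "search": None,
        "tags": {"message": "<risk message shown to the analyst>"},
    },
    "detections/good.yml": {
        "name": "Example Suspicious Activity",
        "search": "index=example sourcetype=example | stats count by user",
        "enabled_by_default": False,
        "tags": {"message": "Suspicious activity observed for $user$"},
    },
    "detections/bad.yml": {
        "name": "Incomplete Detection",
        "enabled_by_default": "yes",  # wrong type: should be a boolean
        "tags": {},                   # tags.message (the risk message) missing
    },
}


if __name__ == "__main__":
    for path, problems in check_content(SAMPLE_CONTENT).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{path}: {status}")
```

Without the underscore skip, `_template.yml` would fail on its empty `search`; with it, only the two real detections are reported, and `bad.yml` surfaces both the missing `tags.message` and the mistyped `enabled_by_default` that the issue says are easy to get wrong.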