
[FR] Support for actions in the CLI

Open pberba opened this issue 4 months ago • 3 comments

Repository Feature

Detections-as-Code (DaC) - (primarily custom rule management)

Problem Description

I'm trying to use the structure described in managing custom rules, but it doesn't seem to be used by any of the CLI.

Only the action_connectors and exceptions directories are used from the config in the CUSTOM_RULES_DIR, but they are not exported even if they are loaded by the

https://github.com/elastic/detection-rules/blob/5d69eb19badf1af854b3e5cdb9445f214b733ead/detection_rules/main.py#L499-L511

Desired Solution

When using the export commands such as kibana export-rules, if the action_dir is defined, then the actions should be extracted from the rule and placed in its own toml file in the actions/ directory.

When using the import commands such as kibana import-rules or export-rules-from-repo, the actions in the actions directory should be added.

Considered Alternatives

No response

Additional Context

I'd like to use DaC on custom rules to be able to maintain common rules but deploy them to different spaces or clusters, where the actions in each space/cluster would differ between these environments (for example, a test webhook for the development space and a prod webhook in a production space).

pberba avatar Oct 02 '25 09:10 pberba
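To make the split and merge the request describes concrete, the following is an added example in Python; it is not code from the detection-rules project and not part of this issue. It strips `actions` from a Kibana-style exported rule into a separate per-environment record, reattaches the record for a chosen environment before import, and checks that the connector ids a rule references exist in the target. The rule content, the connector ids and the `actions_by_env` layout are constructed for illustration, and plain dicts stand in for the TOML files the repository layout would use.

```python
import copy
import json

# Constructed sample of one rule in the shape Kibana's rule export carries it, with a
# webhook action attached. The field names follow Kibana's rule export format; the
# rule_id and connector id values are made up for this illustration.
EXPORTED_RULE = {
    "rule_id": "11111111-2222-3333-4444-555555555555",
    "name": "Example custom rule",
    "type": "query",
    "query": "process.name:psexec.exe",
    "actions": [
        {
            "action_type_id": ".webhook",
            "group": "default",
            "id": "dev-webhook-connector",  # connector id, valid only in the space it was created in
            "params": {"body": json.dumps({"alert": "{{context.rule.name}}"})},
            "frequency": {"notifyWhen": "onActiveAlert", "summary": True, "throttle": None},
        }
    ],
}


def split_actions(rule):
    """Separate environment-specific `actions` from the shared rule body.

    Returns the rule without `actions` plus a record keyed by rule_id that can be
    stored in a separate per-environment file. A rule with no actions yields
    (rule, None) so that nothing is written for it.
    """
    stripped = copy.deepcopy(rule)
    actions = stripped.pop("actions", None)
    if not actions:
        return stripped, None
    return stripped, {"rule_id": rule["rule_id"], "actions": actions}


def rebind_connector(actions_record, connector_id):
    """Copy an actions record and point every action at a different connector id,
    e.g. to derive the prod record from the dev one."""
    rebound = copy.deepcopy(actions_record)
    for action in rebound["actions"]:
        action["id"] = connector_id
    return rebound


def merge_actions(rule, actions_by_env, env):
    """Reattach the actions recorded for `env` to a shared rule before import.

    `actions_by_env` maps environment name -> rule_id -> actions record (assumed
    layout). Any actions already on the rule are dropped first so a connector from
    one environment is never carried into another by accident; a rule with no
    record for the target environment is imported without actions.
    """
    merged = copy.deepcopy(rule)
    merged.pop("actions", None)
    record = actions_by_env.get(env, {}).get(rule["rule_id"])
    if record is not None:
        merged["actions"] = copy.deepcopy(record["actions"])
    return merged


def missing_connectors(rule, known_connector_ids):
    """Connector ids the rule references that are not in the target environment."""
    return sorted({a["id"] for a in rule.get("actions", []) if a["id"] not in known_connector_ids})


def build_environments():
    """Worked flow: export once, keep the rule shared, keep actions per environment."""
    shared_rule, dev_record = split_actions(EXPORTED_RULE)
    actions_by_env = {
        "dev": {shared_rule["rule_id"]: dev_record},
        "prod": {shared_rule["rule_id"]: rebind_connector(dev_record, "prod-webhook-connector")},
    }
    return shared_rule, actions_by_env


if __name__ == "__main__":
    shared, envs = build_environments()
    for env in ("dev", "prod", "staging"):
        rule = merge_actions(shared, envs, env)
        print(env, [a["id"] for a in rule.get("actions", [])])
```

The `missing_connectors` check is the one worth running before every import: connectors are created per Kibana space, so a connector id that resolves in the development space will not resolve in the production space, and the per-environment record has to reference the connector that actually exists there.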

Hi @pberba 👋 Thanks for creating the issue! Do you have an example exported Kibana rule with an action but without an action connector from Kibana that can trigger this? Ideally through the kibana export-rules path?

In either case, we will be taking a look at this and see how we can address the issue. Thanks!

eric-forte-elastic avatar Oct 02 '25 13:10 eric-forte-elastic

Just want to drop in to mention that import-rules currently does not support actions either.

https://github.com/elastic/detection-rules/blob/f52aedf41d6b9203647ff37588b14095137e49d2/detection_rules/kbwrap.py#L182-L201

hnguyen-coreweave avatar Oct 30 '25 12:10 hnguyen-coreweave

Just out of curiosity, what do you have in mind for the user experience of the shared actions in the actions folder? This is more of a question for Elastic.

hnguyen-coreweave avatar Nov 05 '25 16:11 hnguyen-coreweave