Detection Rules as Code

Collaborate on, review, and continuously test detection rules.

What is detection rules as code?

Users define detection rules in YAML files and manage them in GitHub, which lets teams collaborate on rules and review changes before they take effect.

Scanner provides a GitHub integration for syncing detection rules. Users connect their GitHub repositories to Scanner, and Scanner automatically syncs detection rules from them.

Scanner's detection rules as code feature also allows tests to be specified in the YAML files. Scanner runs these tests, and they must pass before the detection rules are synced.

Architecture: To understand how Scanner's detection engine works under the hood and why it can efficiently run hundreds of detection rules simultaneously, see Detection Rule Engine.

To get started, see Getting Started.

How syncing works

Scanner regularly syncs detection rules from GitHub repositories. When a sync is triggered, Scanner reads any changes in the repository, then validates and runs tests for all rules. Then:

  • If all rules pass, Scanner will create, update, or delete managed detection rules based on the current state of the YAML files in the GitHub repository.

  • If any rule fails, Scanner will not sync any changes (including those that passed) and will notify the user with an error.
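As an added example (not Scanner's own code, which this page does not show), here is a small Python model of the sync procedure described above: validate every rule file from a repository checkout, run the tests embedded in each rule, and only then compute the create/update/delete plan against the rules currently managed in the platform; any validation or test failure aborts the whole sync, including rules that passed. The rule schema (`id`, `name`, a `query` of field/value equalities, and `tests` each holding an `event` and an `expect` flag) and the sample rules are constructed for this example and are not Scanner's actual YAML format. The rules are given as already-parsed dicts, as `yaml.safe_load` would return them, so the block runs without PyYAML.

```python
from dataclasses import dataclass, field
from typing import Any

# Constructed sample: what a YAML loader would return for two rule files in a
# repository checkout. The schema is hypothetical, not Scanner's real format.
REPO_RULES: dict[str, dict[str, Any]] = {
    "rules/ssh_root_login.yml": {
        "id": "ssh-root-login",
        "name": "SSH login as root",
        "query": {"event_type": "ssh_login", "user": "root"},
        "tests": [
            {"name": "root login matches",
             "event": {"event_type": "ssh_login", "user": "root"}, "expect": True},
            {"name": "regular user does not match",
             "event": {"event_type": "ssh_login", "user": "alice"}, "expect": False},
        ],
    },
    "rules/s3_bucket_public.yml": {
        "id": "s3-bucket-public",
        "name": "S3 bucket ACL set to public-read",
        "query": {"event_name": "PutBucketAcl", "acl": "public-read"},
        "tests": [
            {"name": "public acl matches",
             "event": {"event_name": "PutBucketAcl", "acl": "public-read"}, "expect": True},
        ],
    },
}

# Constructed sample: rules already managed by the platform, keyed by rule id.
# The SSH rule has an older name (so it needs an update) and "old-rule" no
# longer exists in the repository (so it needs to be deleted).
MANAGED_RULES: dict[str, dict[str, Any]] = {
    "ssh-root-login": {"id": "ssh-root-login", "name": "SSH root login",
                       "query": {"event_type": "ssh_login", "user": "root"}},
    "old-rule": {"id": "old-rule", "name": "Removed from repo",
                 "query": {"event_type": "something_else"}},
}

REQUIRED_KEYS = ("id", "name", "query", "tests")


def validate_rule(path: str, rule: Any) -> list[str]:
    """Return schema errors for one rule file; an empty list means it is valid."""
    if not isinstance(rule, dict):
        return [f"{path}: rule must be a mapping"]
    errors = [f"{path}: missing required key '{k}'" for k in REQUIRED_KEYS if k not in rule]
    if "query" in rule and not isinstance(rule["query"], dict):
        errors.append(f"{path}: 'query' must be a mapping of field -> value")
    if "tests" in rule and (not isinstance(rule["tests"], list) or not rule["tests"]):
        errors.append(f"{path}: 'tests' must be a non-empty list")
    return errors


def rule_matches(query: dict[str, Any], event: dict[str, Any]) -> bool:
    """Hypothetical query semantics: every field in the query must equal the event's value."""
    return all(event.get(k) == v for k, v in query.items())


def run_rule_tests(path: str, rule: dict[str, Any]) -> list[str]:
    """Run the tests embedded in a (validated) rule and describe each failure."""
    failures = []
    for test in rule["tests"]:
        got = rule_matches(rule["query"], test["event"])
        if got != test["expect"]:
            failures.append(f"{path}: test '{test['name']}' expected {test['expect']}, got {got}")
    return failures


def managed_form(rule: dict[str, Any]) -> dict[str, Any]:
    """The subset of a rule that is stored as a managed rule (tests are not stored)."""
    return {"id": rule["id"], "name": rule["name"], "query": rule["query"]}


@dataclass
class SyncResult:
    plan: list[tuple[str, str]] = field(default_factory=list)  # (action, rule_id)
    errors: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def plan_sync(repo_rules: dict[str, dict[str, Any]],
              managed: dict[str, dict[str, Any]]) -> SyncResult:
    """Validate and test every rule; if anything fails, sync nothing (empty plan)."""
    errors: list[str] = []
    desired: dict[str, dict[str, Any]] = {}
    for path, rule in sorted(repo_rules.items()):
        errs = validate_rule(path, rule)
        if errs:
            errors.extend(errs)
            continue  # cannot run tests on a malformed rule
        errors.extend(run_rule_tests(path, rule))
        if rule["id"] in desired:
            errors.append(f"{path}: duplicate rule id '{rule['id']}'")
        desired[rule["id"]] = managed_form(rule)
    if errors:
        return SyncResult(plan=[], errors=errors)  # all-or-nothing: nothing is applied
    plan: list[tuple[str, str]] = []
    for rid in sorted(desired.keys() | managed.keys()):
        if rid not in managed:
            plan.append(("create", rid))
        elif rid not in desired:
            plan.append(("delete", rid))
        elif desired[rid] != managed[rid]:
            plan.append(("update", rid))
    return SyncResult(plan=plan)


if __name__ == "__main__":
    result = plan_sync(REPO_RULES, MANAGED_RULES)
    print("OK" if result.ok else "FAILED", result.plan or result.errors)
```

With the constructed sample, `plan_sync` returns a plan that deletes `old-rule`, creates `s3-bucket-public`, and updates `ssh-root-login`; introducing a single rule whose test expectation is wrong makes the same call return an empty plan and a list of errors, which is the behaviour the second bullet above describes. The `continue` after a schema failure matters: a rule missing its `tests` key must be reported as a validation error rather than crashing the test runner.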
