Managing Synced Detection Rules

Update or delete a synced detection rule

Synced detection rules cannot be updated or deleted via web client or API.

To update a synced detection rule, update the YAML file it was synced from and check in the changes. The detection rule will be updated in the next sync.

To delete a synced detection rule, delete the YAML file it was synced from or remove the schema comment from the file. The detection rule will be deleted in the next sync.
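Because a deleted file or a dropped schema comment removes a live detection at the next sync, it helps to review those changes before they are checked in. The following Python check is an added example, not code from the product or its documentation: it compares two repository snapshots and lists the rules the next sync would update or delete. The `SCHEMA_MARKER` text, the file suffixes, the choice to accept the comment on any line, and all function names are assumptions.

```python
"""Pre-merge check: which synced detection rules would the next sync update or delete?"""
from typing import Dict, List, Set, Tuple

# Assumption: placeholder for the schema comment. Substitute the exact comment
# line your rule files carry; the page does not give its text.
SCHEMA_MARKER = "# schema:"
RULE_SUFFIXES = (".yml", ".yaml")

def is_synced_rule(content: str, marker: str = SCHEMA_MARKER) -> bool:
    """Treat a YAML file as a synced rule only if some line starts with the marker."""
    return any(line.lstrip().startswith(marker) for line in content.splitlines())

def plan_sync(before: Dict[str, str], after: Dict[str, str],
              marker: str = SCHEMA_MARKER) -> List[Tuple[str, str, str]]:
    """Compare two repository snapshots (path -> file text) and return
    (path, action, reason) for every rule the next sync would change."""
    plan = []
    for path in sorted(before):
        if not path.endswith(RULE_SUFFIXES) or not is_synced_rule(before[path], marker):
            continue  # was never a synced rule, so nothing to update or delete
        if path not in after:
            plan.append((path, "delete", "file deleted"))
        elif not is_synced_rule(after[path], marker):
            plan.append((path, "delete", "schema comment removed"))
        elif after[path] != before[path]:
            plan.append((path, "update", "file content changed"))
    return plan

def unapproved_deletions(plan: List[Tuple[str, str, str]], approved: Set[str]) -> List[str]:
    """Deletions the reviewer has not acknowledged; fail the check if non-empty."""
    return [p for p, action, _ in plan if action == "delete" and p not in approved]

# Constructed sample snapshots (not real rules; the "name" field is illustrative only).
BEFORE = {
    "rules/a.yml": "# schema: placeholder\nname: A\n",
    "rules/b.yml": "# schema: placeholder\nname: B\n",
    "rules/c.yaml": "# schema: placeholder\nname: C\n",
    "rules/d.yml": "# schema: placeholder\nname: D\n",
    "notes/readme.yml": "name: not a rule\n",
}
AFTER = {
    "rules/a.yml": "# schema: placeholder\nname: A (tuned)\n",
    "rules/b.yml": "name: B\n",            # schema comment lost in an edit
    "rules/d.yml": BEFORE["rules/d.yml"],  # unchanged
}
```

In CI, build the two snapshots from the base and head commits and fail the job when `unapproved_deletions` returns anything.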

Permissions

If RBAC is enabled, sync sources have resource permissions. Any role that has Read permission on the sync source has Read permission on the detection rules synced from that source.

Since synced detection rules cannot be created, updated, or deleted via web client or API, Create, Update, and Delete permissions do not apply.

Delete a sync source

When a sync source is deleted, the Read permissions of the sync source will be propagated to all the detection rules synced from that source. All roles that had Read access to the detection rule will continue to have Read access. The detection rules can now be updated or deleted via web client or API.

When deleting a sync source, there is also an option to delete all the detection rules that were synced from it.
