Detection Rules Searching

Hi all,
Is there any way to search within the content of detection rules?
Use case is:
When a new threat intel report comes in with, for example, specific CMD IOCs, we don't want to duplicate effort by creating new custom alerts if there are already alerts/rules set up. Currently, the names of the detection rules don't necessarily correlate to what the rule actually contains. This makes it hard to find what is/is not already configured.

Thanks,

If you are referring to ABA rules, then no, there is no built-in feature in the web UI that allows you to search the content of ABA rules.
However, you can play with the InsightIDR private API in order to dump all ABA detection rules, including the ABA rule content.
Below is a PowerShell abomination that will gather all ABA rules and dump them in a variable called $aba:

# Session cookie and org/product token are placeholders; take the real values from DevTools (see below)
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
$session.Cookies.Add((New-Object System.Net.Cookie("IPIMS_SESSION", "xx-xx-xx-xx-xx", "/", ".insight.rapid7.com")))
# Headers copied from the browser request; the HTTP/2 pseudo-headers (authority, method, scheme) and the
# sec-ch-ua / accept-encoding hints are dropped, Invoke-WebRequest sets its own
$headers = @{
    "accept" = "*/*"; "accept-version" = "quest-preview"; "dnt" = "1"
    "origin" = "https://eu.idr.insight.rapid7.com"; "r7-consumer" = "bifrost-frontend-production"
    "r7-orgproduct-token" = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    "sec-fetch-dest" = "empty"; "sec-fetch-mode" = "cors"; "sec-fetch-site" = "same-site"
}
# Search body: exclude IDS and Rapid7 product-alert rule types, newest first
$body = '{"filters":[{"type":"AND","filters":[{"type":"NOT","filters":[{"target":"event_types","type":"ANY","values":["ids","rapid7_product_alert"]}]}]}],"sortFieldOrders":[{"target":"last_modified_date","order":"DESC"}]}'
$aba = @()
foreach ($i in 0..29) {
    # The post as captured shows no paging parameter carrying $i, so as written each iteration
    # returns the same first page of 100 rules; the captured DevTools request shows the real one
    $aba += Invoke-WebRequest -UseBasicParsing -Method POST -Uri "https://eu.api.insight.rapid7.com/idr/v1/rules/_search?size=100" `
        -WebSession $session -Headers $headers -ContentType "application/json" -Body $body
}

You would need to populate the values of the “r7-orgproduct-token” header and the “IPIMS_SESSION” cookie.
One way to get those values is to navigate to the ABA page in InsightIDR, open the browser’s built-in DevTools, navigate to the Network tab, and click the “Next” button on the ABA page. Then look in DevTools for something like

/idr/v1/rules/_search?

Then right click on that entry > Copy > Copy as PowerShell. Paste the output in a text editor and find the values.

Once $aba is populated, you get the content of the $aba variable by doing:
$aba.Content | Set-Clipboard
Then paste the output in a text editor and review the content of the LEQL fields. Since the content of $aba will be JSON, you can use MS Excel in order to transform the data into a more readable format.

All in all, it is a very convoluted process.
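Once the responses are in $aba, this is one way to do the actual IoC lookup across the rule logic, as an added example that is not from the reply above or from Rapid7. Because the private endpoint's response schema is not documented here, it walks every string field of the returned JSON rather than relying on field names; the "name" property used to label hits and the sample document are assumptions.

```powershell
# Search every string field in the dumped rule JSON for an IoC fragment and report which rule it sits in.
function Find-RuleContent {
    param(
        [Parameter(Mandatory)][string[]]$Json,   # one JSON document per fetched page, e.g. $aba.Content
        [Parameter(Mandatory)][string]$Pattern,  # IoC or rule-logic fragment to look for
        [switch]$Regex                           # treat $Pattern as a regex instead of a literal substring
    )
    $hits = [System.Collections.Generic.List[object]]::new()
    function Walk($node, $path, $ruleName) {
        if ($null -eq $node) { return }
        if ($node -is [string]) {
            $found = if ($Regex) { $node -match $Pattern }
                     else { $node.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
            if ($found) { $hits.Add([pscustomobject]@{ Rule = $ruleName; Field = $path; Value = $node }) }
            return
        }
        if ($node -is [System.Collections.IEnumerable]) {
            $i = 0
            foreach ($item in $node) { Walk $item "${path}[$i]" $ruleName; $i++ }
            return
        }
        if ($node -is [System.Management.Automation.PSCustomObject]) {
            # Assumption: each rule object carries a 'name' property; hits beneath it are labelled with it
            if ($node.PSObject.Properties['name']) { $ruleName = $node.name }
            foreach ($p in $node.PSObject.Properties) { Walk $p.Value "${path}.$($p.Name)" $ruleName }
        }
        # numbers, booleans and dates fall through: nothing to search
    }
    foreach ($doc in $Json) { Walk (ConvertFrom-Json $doc) '$' $null }
    $hits | Sort-Object Rule, Field -Unique
}

# Constructed sample standing in for $aba.Content; the document shape is an assumption
$sample = '{"data":[{"name":"Certutil download","leql":"where(process.cmd_line ICONTAINS \"certutil -urlcache\")"},' +
          '{"name":"Encoded PowerShell","leql":"where(process.cmd_line ICONTAINS \"-encodedcommand\")"}]}'
Find-RuleContent -Json $sample -Pattern 'certutil -urlcache' | Format-Table -AutoSize
# With real data: Find-RuleContent -Json $aba.Content -Pattern '<IoC from the intel report>'
```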

Hi Ross, whilst this doesn’t currently exist, the ability to search through our Detection Library for specific IoCs that we match on is on the roadmap, currently for this year.

And I’ve just seen the above reply and will have a think about it and comment in a bit.

So, a few quick thoughts - firstly the process described above is very convoluted and we can definitely make some improvements here. The API used is due to be made public (with documentation) in the next month or so, and that might help streamline a bit, but I don’t think that alone will solve the real problem due to the use of subqueries in the rule logic.
Being able to search for IoCs contained within those subqueries is the main planned capability I was referring to above, but it would appear that having a way to export the rule library as a CSV might also be useful?
Additionally, we could consider expanding the current (very) simple search to include searching the rule logic directly. Although neither of the latter suggestions would solve the initial ask they would serve different purposes and solve different problems, so worth doing all three, I think.

Thanks both for your responses!

Nick, for your benefit, I was asking not only for the duplication-of-rules reason in my original message, but it would also have been useful during a recent support case (04470388).
I agree, as much granularity in the search/export as possible would be awesome!

Thanks,