Skip to content

[FR] [DAC] Add Arbitrary File location Support for Local Creation Date #4891

New issue
New issue
Open
Enhancement
#4915
Open
[FR] [DAC] Add Arbitrary File location Support for Local Creation Date#4891
Enhancement
#4915
Assignees
eric-forte-elastic
Labels
Team: TRADEcommunityenhancementNew feature or request
@eric-forte-elastic

Description

@eric-forte-elastic
eric-forte-elastic
opened on Jul 9, 2025

Repository Feature

Detections-as-Code (DaC) - (primarily custom rule management)

Problem Description

When using the —local-creation-date flag with export-rules this only works if the existing rule file is within the base directory specified with the -d flag, if you are organizing your rules into sub directories this date does not get preserved.

The current logic determines if a rule is the equivalent rule based on its generated file location. This is done to prevent needing to load all of the rules from disk in order to determine their location every time one wants to import rules.

Desired Solution

We should add a flag to support arbitrary file location where the rules are loaded first instead of using the existing optimization. It should be noted that with this flag the rule import will be significantly slower (as it requires loading all of the custom rules). However, we should make this available as an option to support the above workflow.

Considered Alternatives

No response

Additional Context

Related to #3625

Community Slack Thread: Link

Metadata

Metadata

Assignees

Labels

Team: TRADEcommunityenhancementNew feature or request

Type

Enhancement

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions