Export Detections

To get started or to adopt detection as code after already adding detections to your account the RunReveal CLI has the commands necessary to bootstrap a code repo from nothing, so you can

Once you're logged into the CLI from the getting started steps, you can utilize the export functionality to download all detection state into a directory of your choosing.

:) runreveal detections export -d ~/detection-as-code
:) ls -l ~/detection-as-code 
total 0
drwxr--r--   4 evan  staff   128 Jun 18 09:42 1password
drwxr--r--   8 evan  staff   256 Jun 18 09:42 cf-audit
drwxr--r--  16 evan  staff   512 Jun 18 09:42 cloudtrail
drwxr--r--  16 evan  staff   512 Jun 18 09:42 gcp
drwxr--r--  20 evan  staff   640 Jun 18 09:42 google-workspace
drwxr--r--   8 evan  staff   256 Jun 18 09:42 gsuite
drwxr--r--  18 evan  staff   576 Jun 18 09:42 notion
drwxr--r--  18 evan  staff   576 Jun 18 09:42 okta
drwxr--r--   6 evan  staff   192 Jun 18 09:42 tailscale-audit
drwxr--r--  60 evan  staff  1920 Jun 18 09:42 uncategorized

These detections are categorized by sourceType and will be sorted into directories by the categories tag if they match the name of any sourceType within RunReveal.

After exporting each detection will be output into two files. The detection query and the detection configuration and metadata.

Here's an example containing both the yaml and sql for our Okta detection of a user reporting a suspicious action.

:) cat okta-user-suspicious-report.sql 
select * from okta_logs where
  eventType='user.account.report_suspicious_activity_by_enduser'
  and receivedAt > {from:DateTime} and receivedAt < {to:DateTime}%

:) cat okta-user-suspicious-report.yaml
name: okta-user-suspicious-report
displayName: Okta User Reported Suspicious Activity
description: Suspicious activity reported by end user
file: okta-user-suspicious-report.sql
categories:
- signal
- okta
sourceTypes:
- okta
schedule: "*/15 * * * *"
notificationNames: []
mitreAttacks:
- initial-access
severity: ""
riskScore: 0

First time you export

The first time you export existing detections that were made in the web ui you'll first need to upload them and force overwrite them from the CLI before your CI/CD system can use them.

This step will force overwrite all detections that you have in the repo so they will be managed via detection as code going forward.

$ runreveal detections sync -o -d ~/detection-as-code

Related Documentation

Now that you've exported your detections, explore these related guides:

• Detections, Signals & Alerts Quick Start Guide - Complete setup guide for your detection workflow
• Getting Started with Detection as Code - Learn the basics of detection-as-code
• Test/Upload Detections - Learn how to test, lint, and upload your detections
• Deployment - Set up CI/CD pipelines for automated deployment
• Detection as Code - Overview of detection-as-code features