DetectionsDetection as CodeTest/Upload Detections

Test/Upload Detections

When it’s time to upload detections, RunReveal’s CLI provides comprehensive testing and validation tools to ensure your detections are properly formatted and error-free before deployment. This guide walks you through the complete workflow from validation to deployment.

Validate your detection syntax with lint

Before uploading, validate your detection files for syntax errors and best practices using the lint command. This step catches common issues early and ensures your detections will deploy successfully.

Basic lint syntax

# Lint Sigma detections
runreveal lint sigma <file-or-directory>
 
# Lint SQL detections  
runreveal lint sql <file-or-directory>

Lint Sigma detections

Validate Sigma rule files for proper YAML syntax and Sigma specification compliance:

# Lint a single Sigma file
runreveal lint sigma ~/detection-as-code/1password/1password-unusual-client.yaml
 
# Lint all Sigma files in a directory
runreveal lint sigma ~/detection-as-code/sigma/
 
# Lint multiple directories
runreveal lint sigma ~/detection-as-code/1password/ ~/detection-as-code/cf-audit/

Lint SQL detections

Format and validate SQL detection files using ClickHouse standards:

# Lint a single SQL file
runreveal lint sql ~/detection-as-code/sql/privilege-escalation.sql
 
# Lint all SQL files in a directory
runreveal lint sql ~/detection-as-code/sql/
 
# Lint multiple directories
runreveal lint sql ~/detection-as-code/sql/ ~/detection-as-code/custom-sql/

Lint output examples

Successful lint (no errors):

$ runreveal lint sigma ~/detection-as-code/1password/1password-unusual-client.yaml
 All Sigma files passed validation

Failed lint (with errors):

$ runreveal lint sigma ~/detection-as-code/invalid-rule.yaml
 Validation failed for invalid-rule.yaml:
   - Missing required field: 'title'
   - Invalid YAML syntax at line 5

Test your upload

When you want to test to ensure that each detection is properly formatted and see which detections have been updated, deleted, or created, the dry run flag will show you exactly the information you want.

$ runreveal detections sync -d ~/detection-as-code --dry-run                                                            
processing '/Users/evan/detection-as-code/1password/1password-unusual-client.yaml'                                           
processing '/Users/evan/detection-as-code/cf-audit/anomalous-api-key-usage.yaml'                                             
processing '/Users/evan/detection-as-code/cf-audit/new-cloudflare-api-key.yaml'                                              
processing '/Users/evan/detection-as-code/cf-audit/user-added-removed-cloudflare.yaml
...
{                                                                                                                            
     "detections": {                                                                                                         
         "added": [                                                                                                                                                                                                                                       
             "1password-unusual-client",                                                                                                                                                                                                             
             "anomalous-api-key-usage",                                                                                                                                                                                                                 
             "new-cloudflare-api-key",                                                                                                                                                                                                                        
         ],
         "deleted": [],                                                                                                                                                                                                                                   
         "updated": [                                                                                                                                                                                                                                     
             "user-added-removed-cloudflare"                                                                                         
         ]                                                                                                                   
     },                                                                                                                      
     "dryRun": true                                                                                                          
 }                          

Uploading

The only difference between uploading and performing a dryrun is the --dry-run flag. Remove the --dry-run flag and your detections will be uploaded.

$ runreveal detections sync -d ~/detection-as-code

If you created a detection in the UI, and then attempt to upload your detection from the CLI you will see an error message the first time you attempt to overwrite your UI detection.

It will look a little something like this:

$ runreveal detections sync -d ~/detection-as-code --dry-run                                                            
processing '/Users/evan/detection-as-code/1password/1password-unusual-client.yaml'                                           
processing '/Users/evan/detection-as-code/cf-audit/anomalous-api-key-usage.yaml'                                             
processing '/Users/evan/detection-as-code/cf-audit/new-cloudflare-api-key.yaml'                                              
processing '/Users/evan/detection-as-code/cf-audit/user-added-removed-cloudflare.yaml
ERROR  This detection name is already in use, please choose a different name. If you're trying to upload your detections using detection as code, try the -o flag to overwrite existing detections created in the UI.

If you see this error, then adding the -o flag will overwrite the existing detection and convert the detection from being web managed to being cli managed.

Force uploading with overwrite

If you receive an error because the detections are managed with the web interface, you’ll need to run the following command to convert your detections to managed by the CLI:

runreveal detections sync -o -d ~/detection-as-code
  1. Lint your detections - Validate syntax and format
  2. Dry run - Preview changes without deployment
  3. Upload - Deploy validated detections
  4. Monitor - Check for any runtime issues

This workflow ensures your detections are properly validated before reaching production.