How to deploy Yara rules on fleet using API isn't documented
Problem
I want to deploy my YARA rules on Fleet. In the Remote deployment of YARA rules guide, it is indicated that this can be done using the API. However, how to do it is not documented.
What have you tried?
I finally found that you need to use the /api/v1/fleet/config endpoint and provide the "yara_rules" parameter.
In the body of the PATCH request, we have something like this:
{
  "yara_rules": [
    { "name": "rule_X", "contents": "rule X { ... }" },
    { "name": "rule_Y", "contents": "rule Y { ... }" }
  ]
}
Potential solutions
At the very least, the missing parameter yara_rules should be added to the table describing the parameters of the endpoint that allows modifying the fleet config.
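The request described in the issue above, as an added example that is not part of the original thread or Fleet's own code: it builds the "yara_rules" body from a local directory of rule files and prepares the PATCH to /api/v1/fleet/config. The environment variable names FLEET_URL and FLEET_API_TOKEN, the *.yar glob, and the use of each file name as the rule "name" are assumptions.

```python
import json
import os
import re
import sys
import urllib.request
from pathlib import Path

# Matches "rule X", "private rule X", "global private rule X" at line start.
RULE_DECL = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+\w+", re.MULTILINE)


def build_yara_payload(rule_dir):
    """Build the {"yara_rules": [...]} body from every *.yar file in rule_dir."""
    rules = []
    for path in sorted(Path(rule_dir).glob("*.yar")):
        contents = path.read_text(encoding="utf-8")
        # Refuse files with no rule declaration so an empty or truncated
        # file is never pushed to the fleet.
        if not RULE_DECL.search(contents):
            raise ValueError(f"{path.name}: no YARA rule declaration found")
        # Assumption: the file name is used as the rule "name".
        rules.append({"name": path.name, "contents": contents})
    if not rules:
        raise ValueError(f"no .yar files in {rule_dir}")
    return {"yara_rules": rules}


def build_request(base_url, token, payload):
    """Prepare (but do not send) the PATCH to /api/v1/fleet/config."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/fleet/config",
        data=json.dumps(payload).encode("utf-8"),
        method="PATCH",
        headers={
            "Authorization": f"Bearer {token}",  # token read from the environment
            "Content-Type": "application/json",
        },
    )


if __name__ == "__main__":
    # Usage: FLEET_URL=... FLEET_API_TOKEN=... python push_yara.py ./rules
    req = build_request(os.environ["FLEET_URL"], os.environ["FLEET_API_TOKEN"],
                        build_yara_payload(sys.argv[1]))
    with urllib.request.urlopen(req) as resp:  # TLS verification stays on by default
        print(resp.status)
```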
@antoine-enalean thanks! What do you think? https://github.com/fleetdm/fleet/pull/27800
Thanks for the PR 🙂
Mmmhhhh I think we should also add the missing parameter yara_rules to the table describing the parameters of the endpoint.
Thanks @antoine-enalean!
Opened a PR here: #27976
@antoine-enalean PR is merged and docs are updated!
Closing this issue but please let me know if we're missing anything.
API path unveils, YARA rules take flight in code, Secured, peace instilled.