2026-04-23 17:15:47 +05:30

Deprecating rules

Rules that have been version locked (added to version.lock.json), which also means they have been added to the detection engine in Kibana, must be properly deprecated.

If a rule was never version locked (not yet pushed to Kibana or still in non-production maturity), the rule can simply be removed with no additional changes, or updated to maturity = "development", which will leave it out of the release package to Kibana.

Steps to properly deprecate a rule

  1. Update the maturity to deprecated
  2. Move the rule file to rules/_deprecated
  3. Add deprecation_date and update updated_date to match
  4. Add deprecated_reason in [metadata] with a short explanation (e.g. "Replaced by "). Required in the same PR that flips maturity = "deprecated"; surfaced in Kibana on stacks >= 9.4 and ignored on older stacks.

Next time the versions are locked, the rule will be added to the deprecated_rules.json file, and deprecated_reason is copied into the package asset (gated at build time by MIN_STACK_VERSION_DEPRECATED_STUBS).
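
A pre-merge check for the four steps above, as an added example rather than code from the detection-rules repository. The function names, the sample rule and its path are hypothetical, and the TOML loader assumes Python 3.11 or later.

```python
from pathlib import PurePosixPath

# Constructed sample: maturity was flipped, but the dates disagree and
# deprecated_reason was forgotten.
SAMPLE_RULE = """
[metadata]
creation_date = "2024/01/10"
maturity = "deprecated"
updated_date = "2026/04/20"
deprecation_date = "2026/04/21"
"""


def load_metadata(toml_text: str) -> dict:
    """Return the [metadata] table of a rule file (tomllib needs Python 3.11+)."""
    import tomllib
    return tomllib.loads(toml_text).get("metadata", {})


def check_deprecation(rule_path: str, metadata: dict) -> list[str]:
    """Return the deprecation steps from this page that the rule still misses."""
    problems = []
    if metadata.get("maturity") != "deprecated":
        problems.append("step 1: maturity is not 'deprecated'")
    # The last two directories of the path must be rules/_deprecated.
    if PurePosixPath(rule_path).parts[-3:-1] != ("rules", "_deprecated"):
        problems.append("step 2: file is not in rules/_deprecated")
    dep_date = metadata.get("deprecation_date")
    if not dep_date:
        problems.append("step 3: deprecation_date is missing")
    elif metadata.get("updated_date") != dep_date:
        problems.append("step 3: updated_date does not match deprecation_date")
    reason = metadata.get("deprecated_reason")
    if not isinstance(reason, str) or not reason.strip():
        problems.append("step 4: deprecated_reason is missing or empty")
    return problems


if __name__ == "__main__":
    # Hypothetical path: the file has not been moved yet (step 2).
    path = "rules/windows/example_rule.toml"
    for problem in check_deprecation(path, load_metadata(SAMPLE_RULE)):
        print(f"{path}: {problem}")
```
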

Using the deprecate-rule command

Alternatively, you can run python -m detection_rules dev deprecate-rule <rule-file>, which will perform all the steps