security-detection-rule-management

Pass

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: SAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The script fetch-endpoint-rule-from-github.js retrieves detection rule definitions from the official Elastic protections-artifacts repository on GitHub.
    • Evidence: Fetches from https://raw.githubusercontent.com/elastic/protections-artifacts/main/ to retrieve TOML rule definitions.
    • Context: This allows the agent to analyze the underlying logic of prepackaged endpoint rules, which is not stored in the Elasticsearch cluster itself. This targets a well-known service and a trusted organization.
  • [COMMAND_EXECUTION]: The skill includes several Node.js scripts designed to manage detection rules and endpoint exceptions via the Kibana REST API.
    • Evidence: scripts/rule-manager.js and scripts/add-endpoint-exception.js implement administrative wrappers for create, patch, and delete operations on security rules.
    • Context: These capabilities are the primary purpose of the skill and require authenticated access to a Kibana instance.
  • [DATA_EXFILTRATION]: The skill provides an export function that allows extracting detection rule configurations in NDJSON format.
    • Evidence: The export command in scripts/rule-manager.js calls the Kibana _export API endpoint to retrieve rule objects.
    • Context: This is a standard administrative feature for backup and rule portability.
  • [PROMPT_INJECTION]: The skill processes rule metadata and alert data, which represent a potential surface for indirect prompt injection.
    • Ingestion points: Alert details from Elasticsearch indices (via noisy-rules) and rule definitions fetched from GitHub.
    • Boundary markers: No explicit delimiters are used in the scripts when processing these external strings for presentation to the agent.
    • Capability inventory: The skill possesses credentials for the Elastic Stack and can modify security rules, delete exceptions, and write files to the local workspace.
    • Sanitization: The scripts do not explicitly sanitize or validate the content of retrieved rule names or descriptions before processing.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 29, 2026, 09:32 AM