TomonoriSoejima · August 13, 2025 00:07
diff --git a/extract_rule_names.sh b/extract_rule_names.sh
 #!/bin/bash

 # Script to extract rule names from Kibana detection engine files based on IDs in id_list
 # Alternative version without ag dependency
 # Usage: ./extract_rule_names_simple.sh


 # Extract top 50 siem.eqlRule IDs from logs/kibana.service and save to top_siem_ids.txt
 if [[ -f "logs/kibana.service" ]]; then
    echo "Extracting top 50 siem.eqlRule IDs from logs/kibana.service..."
    awk -F'siem.eqlRule:' '/siem.eqlRule:/ {split($2, a, " "); print a[1]}' logs/kibana.service  | sort | uniq -c | sort -k 1 -nr | head -50 > top_siem_ids.txt
    echo "Top 50 siem.eqlRule IDs written to top_siem_ids.txt."
 else
    echo "logs/kibana.service not found, skipping siem.eqlRule extraction."
 fi

 # Check if required tools are available
 for tool in jq grep; do
    if ! command -v "$tool" &> /dev/null; then
        echo "Error: $tool is required but not installed."
        exit 1
    fi
 done

 # Check if id_list file exists, if not, use top_siem_ids.txt if available
 if [[ ! -f "id_list" ]]; then
    if [[ -f "top_siem_ids.txt" ]]; then
        echo "id_list file not found. Using top_siem_ids.txt as id_list."
        cp top_siem_ids.txt id_list
    else
        echo "Error: id_list file not found in current directory and top_siem_ids.txt is not available."
        exit 1
    fi
 fi

 echo "Processing IDs from id_list..."
 echo "Count | ID | Rule Name"
 echo "------|----|-----------"

 # Read id_list line by line
 while IFS=' ' read -r count id; do
    # Skip empty lines
    [[ -z "$id" ]] && continue
    
    # Search for the ID in detection engine files using grep
    files=$(grep -l "$id" kibana_detection_engine_rules_installed_*.json 2>/dev/null)
    
    if [[ -n "$files" ]]; then
        # Process each matching file (usually there should be only one)
        for file in $files; do
            # Use jq to find the rule name directly by filtering on id
            rule_name=$(cat "$file" | jq -r ".data[] | select(.id == \"$id\") | .name" 2>/dev/null)
            
            if [[ -n "$rule_name" && "$rule_name" != "null" ]]; then
                echo "$count | $id | $rule_name"
            else
                echo "$count | $id | [Name not found]"
            fi
            break  # Only process the first matching file
        done
    else
        echo "$count | $id | [Not found in detection engine files]"
    fi
 done < id_list

 echo ""
 echo "Processing complete."
	#!/bin/bash

	# Script to extract rule names from Kibana detection engine files based on IDs in id_list
	# Alternative version without ag dependency
	# Usage: ./extract_rule_names_simple.sh


	# Extract top 50 siem.eqlRule IDs from logs/kibana.service and save to top_siem_ids.txt
	if [[ -f "logs/kibana.service" ]]; then
	echo "Extracting top 50 siem.eqlRule IDs from logs/kibana.service..."
	awk -F'siem.eqlRule:' '/siem.eqlRule:/ {split($2, a, " "); print a[1]}' logs/kibana.service \| sort \| uniq -c \| sort -k 1 -nr \| head -50 > top_siem_ids.txt
	echo "Top 50 siem.eqlRule IDs written to top_siem_ids.txt."
	else
	echo "logs/kibana.service not found, skipping siem.eqlRule extraction."
	fi

	# Check if required tools are available
	for tool in jq grep; do
	if ! command -v "$tool" &> /dev/null; then
	echo "Error: $tool is required but not installed."
	exit 1
	fi
	done

	# Check if id_list file exists, if not, use top_siem_ids.txt if available
	if [[ ! -f "id_list" ]]; then
	if [[ -f "top_siem_ids.txt" ]]; then
	echo "id_list file not found. Using top_siem_ids.txt as id_list."
	cp top_siem_ids.txt id_list
	else
	echo "Error: id_list file not found in current directory and top_siem_ids.txt is not available."
	exit 1
	fi
	fi

	echo "Processing IDs from id_list..."
	echo "Count \| ID \| Rule Name"
	echo "------\|----\|-----------"

	# Read id_list line by line
	while IFS=' ' read -r count id; do
	# Skip empty lines
	[[ -z "$id" ]] && continue

	# Search for the ID in detection engine files using grep
	files=$(grep -l "$id" kibana_detection_engine_rules_installed_*.json 2>/dev/null)

	if [[ -n "$files" ]]; then
	# Process each matching file (usually there should be only one)
	for file in $files; do
	# Use jq to find the rule name directly by filtering on id
	rule_name=$(cat "$file" \| jq -r ".data[] \| select(.id == \"$id\") \| .name" 2>/dev/null)

	if [[ -n "$rule_name" && "$rule_name" != "null" ]]; then
	echo "$count \| $id \| $rule_name"
	else
	echo "$count \| $id \| [Name not found]"
	fi
	break # Only process the first matching file
	done
	else
	echo "$count \| $id \| [Not found in detection engine files]"
	fi
	done < id_list

	echo ""
	echo "Processing complete."
No results found