### Description

### Epic Link

https://github.com/elastic/ia-trade-team/issues/273

### Meta Summary
I need to figure out what to do with macOS detection rules. Right now I see no delineating factor for detection rule creation versus endpoint rules. One could say detection rules could be rules that are broader in scope and meant to be tuned by users, but if we are leading with SIEM and our detection rules are many clients' first impression of us, then putting out a bunch of noisy rules that require manual tuning for client environments in order to be safe and effective doesn't sound like a winning strategy. So I need to either find a clear goal for detection rules or duplicate Endpoint Rules to Detection Rules. This meta will be used to explore this dilemma and put into action a plan that will ensure our detection rules for macOS are useful, meaningful and actionable going forward.
### Estimated Time to Complete

TBD

### Potential Blockers

None at the moment

### Tasking
### Meta Tasks
- [x] Review current Detection ruleset for macOS
- [x] Review current macOS Detection rule adoption metrics
- [x] Discern the true purpose of detection rules
### Potential References
No response