I'm trying to use YARA rules with Kolide across my fleet. Has anyone messed around to see if there is a way to do this without having to place all the .sig files on each individual host?
Of course, you could write an extension that supports automatically downloading the signatures from the TLS endpoint.
Tim
04/21/2020, 8:18 PM
Yeah, that's actually the exact page I was using to set up my test system.
I was hoping to not have to write another service or anything to get these files out there when we want to use a new rule.
sundsta
04/21/2020, 8:25 PM
Presumably, you have Ansible or similar for servers and MDM of some sort for endpoints. Either of those could push out new rules, and then Fleet can update the osquery configuration.
Tim
04/21/2020, 8:43 PM
Yeah, we have a few ways to push out new rules. When pushing a new config using fleetctl, will the new config overwrite the current config or append?