# lgc validate

This command ensures that detections are correctly formatted, typed, and consistent. In short, `validate` is a linter for security detections; it shines in a CI/CD pipeline or locally, to validate detections before even attempting to deploy them.
```sh
% lgc validate
ERROR validation failed on 'rules/splunk/some-detection.yaml': field: 'parameters.disabled', error: invalid type: string "fals", expected a boolean
%
```
If no errors are encountered, `lgc` exits gracefully:
```sh
% lgc validate
INFO all good, no problems identified
%
```
The validation is specific to each technology (see plugins).
## Example

Both the Splunk and Microsoft Sentinel plugins implement the validate command, but they perform different validations:

- Splunk has a field `disabled` that has to be set to a boolean value (`true` or `false`). The validation process ensures that if the field `disabled` is specified, it has an appropriate value.
- For Microsoft Sentinel, the same validation exists, except it is performed on the field `enabled`, because the field `disabled` simply doesn't exist.
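The per-plugin boolean check described above, as an added toy example that is not lgc's own code: each plugin names the one field that must be a boolean when present, and a YAML typo such as `fals` (a string, not the boolean `false`) produces the same error line shown earlier. The `parameters.enabled` path for Sentinel and the dict shape of a loaded rule are assumptions.

```python
# Constructed reimplementation of the plugin-specific boolean check; not lgc code.

# Field that must be a boolean when present, per plugin.
# Assumption: the Sentinel field lives under 'parameters' like the Splunk one.
PLUGIN_BOOL_FIELD = {
    "splunk": "parameters.disabled",
    "sentinel": "parameters.enabled",
}

# Names used in the error message for common YAML scalar types.
TYPE_NAMES = {str: "string", int: "integer", float: "float"}


def lookup(doc, dotted):
    """Walk a dotted path through nested dicts; return (found, value)."""
    node = doc
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


def validate_detection(plugin, path, doc):
    """Return error lines in lgc's format for one loaded rule; [] means OK."""
    field = PLUGIN_BOOL_FIELD[plugin]
    found, value = lookup(doc, field)
    if not found:
        return []  # the field is optional; absence is fine
    # bool is a subclass of int, so check bool first and exactly.
    if isinstance(value, bool):
        return []
    kind = TYPE_NAMES.get(type(value), type(value).__name__)
    shown = f'{kind} "{value}"' if isinstance(value, str) else f"{kind} {value!r}"
    return [f"ERROR validation failed on '{path}': field: '{field}', "
            f"error: invalid type: {shown}, expected a boolean"]


def validate_all(plugin, docs):
    """Validate every (path -> loaded rule) pair for one plugin."""
    errors = []
    for path, doc in docs.items():
        errors.extend(validate_detection(plugin, path, doc))
    return errors


# Constructed sample rules, as a YAML loader would return them ("fals" is a string).
SPLUNK_RULES = {
    "rules/splunk/good.yaml": {"name": "good", "parameters": {"disabled": False}},
    "rules/splunk/some-detection.yaml": {"name": "bad", "parameters": {"disabled": "fals"}},
    "rules/splunk/no-flag.yaml": {"name": "none", "parameters": {}},
}

if __name__ == "__main__":
    errs = validate_all("splunk", SPLUNK_RULES)
    print("\n".join(errs) if errs else "INFO all good, no problems identified")
```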
## Policies

The `validate` command also ensures that detection rules comply with internal policies.
## Options

### --quiet/-q

The `--quiet` option instructs `validate` to stay quiet unless errors are encountered.

```sh
% lgc validate --quiet
%
```
When errors occur:

```sh
% lgc validate -q
ERROR validation failed on 'some-detection.yml'
%
```