Default action?

Elastic Security
1

I think I've brought this up before but is there a way we can have a default action for detection rules please?

Manually editing 600 rules is not my cup of tea!

1 Like
2

Or is it possible to update this via the api until it is available in the UI?

3

Oh hey there @hilt86 :wave:

I think I've brought this up before but is there a way we can have a default action for detection rules please?

I think I've been here before as well too, haha :sweat_smile:. Was about to link you off to [SecuritySolution][Detections] Allow bulk editing of Rules · Issue #86198 · elastic/kibana · GitHub, then realized I made that enhancement request based off your last post.

Needless to say, I know it's been a bit since that post but we hear you loud and clear, and as a developer I promise you that! We've got a lot of things in the hopper right now to improve the overall alerting experience, and bulk actions and a smooth upgrade experience are definitely on that list and will be making it into the product here at some point.

In the interim though, you should be able to use the Bulk Update API and supply an actions payload ala:

  "actions": [
    {
      "group": "default",
      "id": "e3a55670-d547-11eb-b8df-9bc3e4551c46",
      "params": {
        "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
      },
      "action_type_id": ".slack"
    }
  ],

to programmatically update your rules with a default action. Here's the source from the Bulk API where those ruleActions will be applied.

Note, there is a little bit of :rabbit: :tophat: happening here depending on the action interval you choose (rule execution, vs timed interval), where some extra state objects are created, so you may have to do some tinkering to get it just right (and here's the Actions UI source from the Edit Rule page for good measure), but no reason this can't be automated via the API.

If I get a few spare cycles I'll throw up a gist with a few curl commands for accomplishing this, but till then, godspeed @hilt86 and thank you for all your feedback, we really do appreciate it and it's folks like you that make me love being a part of the security community! :heart:

Cheers!
Garrett

1 Like
4

Hey @spong :wave: - glad to be a part of this community and have enthusiastic people like yourself here too!

Thanks for the workaround - I'll have a look when I get a decent sized gap in my schedule :slight_smile:

1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.