How to reopen an accidental closing of all alerts

I was working on an alert and ended up closing all of the alerts on the server. Is there a way to reopen the ones I closed at a certain time? I assume I need to be able to see when I did it first. Thanks in advance.

Hi David,

Thanks for reaching out. When you say you were working on an alert, is it possible for you to tell what interface/page/URL you were on? Also, I'm curious to know how you closed all alerts. Is it also possible for you to provide a screenshot or some more context?

At this point, I'm assuming they were Endpoint alerts from your server, if yes, did you try and visit the Alerts page (/app/security/alerts) and try to find the alerts you closed?

I was working on an alert and didn't notice that while working on it, I didn't filter out the 1 I was doing. I was working on the main set. I selected the large number and closed everything. The alerts that are closed still exist, but now I have 3300 alerts to go back and re-open. Is there a method to filter out the time, date and user to help me change the status back to open?

Hello! Not sure you can do it from the UI, but in the Kibana Console you can try this request:

POST /.alerts-security*/_update_by_query
{
  "script": {
    "source": "ctx._source['kibana.alert.workflow_status'] = 'open';",
    "lang": "painless"
  },
  "query": {
    "bool": {
      "must": [
        {
          "term": {
            "kibana.alert.workflow_user": "you_user_id"
          }
        },
        {
          "range": {
            "kibana.alert.workflow_status_updated_at": {
              "gte": "now-10m",
              "lte": "now"
            }
          }
        }
      ]
    }
  }
}

Please change the workflow_user and workflow_status_updated_at values for your use case.

This should open the alerts in that time range for your user.

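The request above bulk-edits alert documents, so a practitioner would normally want to see how many documents the filter matches before running `_update_by_query`. The script below is an added example and is not part of the original thread: it rebuilds the same query (same fields, same Painless script), adds an optional guard so that only alerts currently in status `closed` are touched, lets you dry-run the predicate against a constructed sample of alert documents, and then issues `_count` before the update against an Elasticsearch endpoint. The URL, credentials, user id and timestamps are assumptions chosen for illustration.

```python
"""Reopen alerts closed by one user in a time window, with a count-first safety step.

Added example, not from the original post. Assumes Elasticsearch is reachable at
ES_URL with basic auth, and that alert documents carry the fields used in the
thread: kibana.alert.workflow_status, kibana.alert.workflow_user and
kibana.alert.workflow_status_updated_at.
"""
import base64
import json
import urllib.request
from datetime import datetime

ES_URL = "http://localhost:9200"      # assumption: local Elasticsearch endpoint
ALERT_INDEX = ".alerts-security*"      # index pattern from the thread
ES_USER, ES_PASS = "elastic", "changeme"  # assumption: placeholder credentials


def build_query(user_id, gte, lte="now", only_closed=True):
    """Bool query matching alerts whose status was changed by user_id in [gte, lte].

    only_closed adds a term on workflow_status so alerts that are already open
    are left alone; this guard is not in the original request.
    """
    must = [
        {"term": {"kibana.alert.workflow_user": user_id}},
        {"range": {"kibana.alert.workflow_status_updated_at": {"gte": gte, "lte": lte}}},
    ]
    if only_closed:
        must.append({"term": {"kibana.alert.workflow_status": "closed"}})
    return {"bool": {"must": must}}


def build_reopen_body(user_id, gte, lte="now", only_closed=True):
    """Full _update_by_query body using the same Painless script as the thread."""
    return {
        "script": {
            "source": "ctx._source['kibana.alert.workflow_status'] = 'open';",
            "lang": "painless",
        },
        "query": build_query(user_id, gte, lte, only_closed),
    }


def _parse(ts):
    # Alert timestamps are ISO 8601 with a trailing Z; fromisoformat needs +00:00.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def preview_local(docs, user_id, start, end, only_closed=True):
    """Apply the same predicate in Python to a list of alert documents.

    Useful to sanity-check the filter against an exported sample before touching
    the index. start/end are ISO 8601 strings. Returns the matching _id values.
    """
    lo, hi = _parse(start), _parse(end)
    hits = []
    for d in docs:
        if d.get("kibana.alert.workflow_user") != user_id:
            continue
        if only_closed and d.get("kibana.alert.workflow_status") != "closed":
            continue
        if lo <= _parse(d["kibana.alert.workflow_status_updated_at"]) <= hi:
            hits.append(d["_id"])
    return hits


def _post(path, body):
    """POST a JSON body to Elasticsearch and return the decoded response."""
    token = base64.b64encode(f"{ES_USER}:{ES_PASS}".encode()).decode()
    req = urllib.request.Request(
        ES_URL + path,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def count_then_reopen(user_id, gte, lte="now", apply=False):
    """Report how many alerts the filter matches; update them only if apply=True."""
    query = build_query(user_id, gte, lte)
    matched = _post(f"/{ALERT_INDEX}/_count", {"query": query})["count"]
    print(f"{matched} closed alerts match user={user_id} window={gte}..{lte}")
    if not apply:
        return matched
    # conflicts=proceed keeps going if a document changes mid-run; refresh makes
    # the reopened alerts visible in the Alerts page immediately.
    result = _post(f"/{ALERT_INDEX}/_update_by_query?conflicts=proceed&refresh=true",
                   build_reopen_body(user_id, gte, lte))
    print(f"updated {result.get('updated')} alerts")
    return result.get("updated")


# Constructed sample documents, not real alert data.
SAMPLE_ALERTS = [
    {"_id": "a1", "kibana.alert.workflow_status": "closed", "kibana.alert.workflow_user": "u-david",
     "kibana.alert.workflow_status_updated_at": "2024-05-01T10:02:00Z"},
    {"_id": "a2", "kibana.alert.workflow_status": "closed", "kibana.alert.workflow_user": "u-david",
     "kibana.alert.workflow_status_updated_at": "2024-05-01T09:30:00Z"},   # closed on purpose, earlier
    {"_id": "a3", "kibana.alert.workflow_status": "closed", "kibana.alert.workflow_user": "u-other",
     "kibana.alert.workflow_status_updated_at": "2024-05-01T10:03:00Z"},   # someone else's work
    {"_id": "a4", "kibana.alert.workflow_status": "open", "kibana.alert.workflow_user": "u-david",
     "kibana.alert.workflow_status_updated_at": "2024-05-01T10:04:00Z"},   # already open
]

if __name__ == "__main__":
    print(preview_local(SAMPLE_ALERTS, "u-david", "2024-05-01T10:00:00Z", "2024-05-01T10:10:00Z"))
    print(json.dumps(build_reopen_body("u-david", "now-10m"), indent=2))
```

Run `preview_local` on an exported sample (or check the `_count` output) until the number matches the accidental bulk close, then call `count_then_reopen(..., apply=True)`. Narrowing the window to the few minutes around the mistake matters: the same user's deliberate closes from earlier in the day would otherwise be reopened too.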
