Hello,
I'd like to make some suggestions about the Elastic SIEM rule management.
Monday we had a major hardware failure of a network card on one of our hot data nodes. The node in particular was not completely offline and had about 20 to 80% packet loss. Very long story short, we got through a lot of issues and for now this node has been removed from the cluster.
But one result of the issues was that all of our SIEM rules generated search errors (which was weird, as the red indices causing the issues were from several weeks ago).
To reduce the load, I had to temporarily deactivate all SIEM rules. Today I want to enable them all again, and I'm struggling to find a way to only enable the rules which have not been duplicated, but not enable the default rules which have been duplicated. I thought I could filter on the Elastic tag, but some rules (such as AWS) don't have the Elastic tag. Also, there seems to be no way to select all rules which do NOT have a certain tag. Anyway, I'm going to have to browse through all rules manually and only select those which have not been duplicated, which is a very annoying job.
Thanks for considering a way in the future to filter on rules which do NOT have a certain tag, and/or maybe adding a 'default' tag to rules which have been imported but not edited or cloned (or at least adding Elastic everywhere). We could of course remove this 'default' tag (or Elastic) when duplicating a rule.
It would also be nice if we could sort on 'Severity', 'Risk Score', 'Last Run' and 'Last Response'.
One more thing: when you select a tag, then select all rules with that tag and delete them, you end up with 0 rules in the Rule overview and it's impossible to deselect the selected tag, because it's not there anymore (the only solution is a hard refresh, or going back and returning to this page).
Grtz
Willem
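A scripted workaround for the "rules which do NOT have a certain tag" problem and for skipping prebuilt rules that have been duplicated, added here as an example; it is not part of Willem's post and not Elastic's own tooling. It assumes the Kibana Detection Engine API endpoints `GET /api/detection_engine/rules/_find` (paged rule listing with `data` and `total`) and `PATCH /api/detection_engine/rules/_bulk_update` (update by rule `id`), that every rule object carries `id`, `name`, `tags`, `enabled` and `immutable` (prebuilt, unmodified rules are `immutable: true`, clones and custom rules `immutable: false`), and that Kibana's "Duplicate rule" action names the clone `<original name> [Duplicate]`. Check those assumptions against your Kibana version before running it, and run it once without `bulk_enable` to review the payload. The sample rules are constructed for the example, not taken from any real cluster.

```python
"""Re-enable Elastic SIEM detection rules, skipping a tag and skipping
prebuilt rules that have a clone.  Added example; endpoint names, field
names and the " [Duplicate]" naming are assumptions about the Kibana
Detection Engine API, not verified facts from the post."""
import json
import urllib.request

# Assumption: the name Kibana gives a rule created via "Duplicate rule".
DUPLICATE_SUFFIX = " [Duplicate]"

# Constructed sample of the "data" array returned by _find, trimmed to the
# fields this script uses.  Not real output from any cluster.
SAMPLE_RULES = [
    {"id": "a1", "name": "Prebuilt Linux rule", "tags": ["Elastic", "Linux"],
     "enabled": False, "immutable": True},
    {"id": "b2", "name": "Prebuilt AWS rule", "tags": ["AWS"],
     "enabled": False, "immutable": True},
    {"id": "c3", "name": "Prebuilt Windows rule", "tags": ["Elastic", "Windows"],
     "enabled": False, "immutable": True},
    # Clone of c3; the Elastic tag was removed by hand when duplicating.
    {"id": "c3dup", "name": "Prebuilt Windows rule [Duplicate]", "tags": ["Windows"],
     "enabled": False, "immutable": False},
    {"id": "d4", "name": "Custom rule", "tags": ["Custom"],
     "enabled": True, "immutable": False},
]


def rules_without_tag(rules, tag):
    """The negative tag filter the UI lacks: rules that do NOT carry `tag`."""
    return [r for r in rules if tag not in r.get("tags", [])]


def _base_name(name):
    """Strip the assumed clone suffix so a clone maps back to its original."""
    if name.endswith(DUPLICATE_SUFFIX):
        return name[:-len(DUPLICATE_SUFFIX)]
    return name


def duplicated_prebuilt_ids(rules):
    """ids of prebuilt (immutable) rules for which a clone exists.

    A clone is a non-immutable rule whose base name equals the prebuilt
    rule's name.  If you renamed the clone, extend this matcher."""
    clone_names = {_base_name(r["name"]) for r in rules if not r.get("immutable")}
    return {r["id"] for r in rules if r.get("immutable") and r["name"] in clone_names}


def select_rules_to_enable(rules, skip_tag=None):
    """Disabled rules to re-enable: every custom/cloned rule plus every
    prebuilt rule that has no clone; optionally drop rules carrying `skip_tag`."""
    replaced = duplicated_prebuilt_ids(rules)
    chosen = [r for r in rules if not r.get("enabled") and r["id"] not in replaced]
    if skip_tag:
        chosen = rules_without_tag(chosen, skip_tag)
    return chosen


def bulk_update_payload(rules, enabled=True):
    """Body for the assumed PATCH .../rules/_bulk_update endpoint."""
    return [{"id": r["id"], "enabled": enabled} for r in rules]


def fetch_all_rules(kibana_url, auth_header, per_page=100):
    """Page through GET /api/detection_engine/rules/_find (assumed endpoint).
    Network call; not exercised by the sample run below."""
    page, rules = 1, []
    while True:
        req = urllib.request.Request(
            f"{kibana_url}/api/detection_engine/rules/_find?page={page}&per_page={per_page}",
            headers={"kbn-xsrf": "true", "Authorization": auth_header})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        rules.extend(body["data"])
        if page * per_page >= body["total"]:
            return rules
        page += 1


def bulk_enable(kibana_url, auth_header, payload):
    """PATCH the payload to the assumed _bulk_update endpoint; returns the response."""
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/rules/_bulk_update",
        data=json.dumps(payload).encode(), method="PATCH",
        headers={"kbn-xsrf": "true", "Authorization": auth_header,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Dry run on the constructed sample: prints the payload, sends nothing.
    chosen = select_rules_to_enable(SAMPLE_RULES)
    print(json.dumps(bulk_update_payload(chosen), indent=2))
```

On the sample, the selection keeps the two untouched prebuilt rules and the clone, and leaves out the prebuilt rule that was cloned and the rule that is already enabled; passing `skip_tag="Elastic"` additionally drops every rule still tagged Elastic, which is the filter the post asks for. Against a live Kibana, replace `SAMPLE_RULES` with `fetch_all_rules(...)`, inspect the printed payload, and only then call `bulk_enable`.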