"Run now" action for SIEM rule


Not sure if there is already a way to do this or if this is already on some to-do list, but IMHO it would be super nice if we could trigger a "Run Now" on a rule.


Let me know if this seems an interesting addition and I'll create a GH enhancement request.



Hey there @willemdh! :wave:

While there isn't a dedicated way to immediately run a rule, a way of achieving this now would be to de-activate/activate the rule. This will immediately schedule the rule to run, and subsequent executions will follow the configured interval based on when it was re-enabled.

In addition to the above Run now feature, we'd like to expose a way of scheduling an ad-hoc run, in situations where you'd like to re-run a rule over a specific time period (whether you're covering a gap, testing a rule tuning, etc.). For tracking these efforts, please see these two tickets, and feel free to comment or :+1: so we can better prioritize these efforts :slightly_smiling_face:

