Same action for every SIEM detection rule

Hello, I am testing the Gold license and I thought it would be a good idea to send an E-Mail for every alert detected by the SIEM ("Alert" tab).

I generally found out how to do that. I created a connector, i.e. a Mail connector, and tested it.
Then I go to the rule and edit the action for the rule to use the connector. Then I edit the body, title, etc. so it uses data from the rule.

Now I have 660 rules that would need to be updated. Is there a way to bulk-update the action, or do I really have to manually edit each rule action?!

Also I would like to know if I can use the {{}} references to add information from the alerted event itself and not only from the static rule properties. E.g. "The alerted process was {{process.name.text}}".


Hi, no, there is no way to bulk update rules in the UI.

The best option you have at the moment is creating a script that retrieves all detections and updates each rule through the API.
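As an added example (not from the thread), a script of the kind the reply describes: it pages through the Detection Engine `_find` endpoint, skips rules that already have the connector attached, and PATCHes the rest with an e-mail action. The endpoint paths, the `actions`/`throttle` fields and the `{{context.rule.name}}` / `{{state.signals_count}}` template variables are assumed from the Kibana Detection Engine API; the connector id and recipients are placeholders.

```python
import base64
import json
import urllib.request

def make_mail_action(connector_id, recipients):
    # Template variables assumed available to rule actions: rule name, signal count.
    return {"id": connector_id, "group": "default", "action_type_id": ".email",
            "params": {"to": recipients,
                       "subject": "SIEM alert: {{context.rule.name}}",
                       "message": "{{context.rule.name}}: {{state.signals_count}} alert(s)."}}

def actions_with(rule, action):
    # Existing actions plus the new one, or None when that connector is already
    # attached, so a re-run never duplicates notifications.
    existing = rule.get("actions") or []
    if any(a.get("id") == action["id"] for a in existing):
        return None
    return existing + [action]

class Kibana:
    def __init__(self, base_url, user, password):
        self.base = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"kbn-xsrf": "true", "Content-Type": "application/json",
                        "Authorization": f"Basic {token}"}
    def call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers=self.headers)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    def rules(self, per_page=100):  # page through /_find until `total` is reached
        page = 1
        while True:
            res = self.call("GET", f"/api/detection_engine/rules/_find?page={page}&per_page={per_page}")
            yield from res["data"]
            if page * per_page >= res["total"]:
                return
            page += 1

def attach_to_all(kb, action):
    # PATCH only the rules that lack the connector; returns how many were changed.
    patched = 0
    for rule in kb.rules():
        new_actions = actions_with(rule, action)
        if new_actions is not None:
            kb.call("PATCH", "/api/detection_engine/rules",
                    {"rule_id": rule["rule_id"], "actions": new_actions, "throttle": "rule"})
            patched += 1
    return patched
```

Run it as `attach_to_all(Kibana("https://kibana.example:5601", user, password), make_mail_action("<connector-id>", ["soc@example.com"]))`; the returned count is the number of rules that were actually patched.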

That is sad
