SIEM Detection rule reload

Due to a rather nasty upgrade that resulted in a bugs. One of which is every SIEM rule no longer works each one has a different reason so going 1 by 1 isn't really an option.

Is it possible to wipe and reload all rules to match the current version of Kibana?

Do you only have elastic pre-build rules or do you also have custom rules?

All Elastic. I stopped doing the custom ones a few versions back until the upgrades stop blowing up in my face. One cluster will work the other fails. They are in near lock step.

Hi @PublicName

This is possible by

  1. Go to the Rules page
  2. Put the "Rows per page" setting as high as it goes
  3. Select all in table
  4. Bulk Actions > Delete Selected
  5. A button with Load Elastic prebuilt detection rules will appear once the delete has proccess and you can reload all the rules

That worked a treat all are normal again.

Alternate acceptable answer: Hey dummy open your eyes.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.