SIEM Detection rule reload

PublicName · April 13, 2021, 5:54pm

Due to a rather nasty upgrade that resulted in a bugs. One of which is every SIEM rule no longer works each one has a different reason so going 1 by 1 isn't really an option.

Is it possible to wipe and reload all rules to match the current version of Kibana?

sholzhauer · April 14, 2021, 11:47am

Do you only have elastic pre-build rules or do you also have custom rules?

PublicName · April 14, 2021, 4:12pm

All Elastic. I stopped doing the custom ones a few versions back until the upgrades stop blowing up in my face. One cluster will work the other fails. They are in near lock step.

stephmilovic · April 14, 2021, 9:46pm

Hi @PublicName

This is possible by

Go to the Rules page
Put the "Rows per page" setting as high as it goes
Select all in table
Bulk Actions > Delete Selected
A button with Load Elastic prebuilt detection rules will appear once the delete has proccess and you can reload all the rules

PublicName · April 14, 2021, 10:07pm

That worked a treat all are normal again.

Alternate acceptable answer: Hey dummy open your eyes.

system · May 12, 2021, 10:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Upgrading/Updating SIEM rules SIEM	3	545	March 24, 2022
Update field on all SIEM detection Rules in one go SIEM	6	437	April 18, 2022
Detection Custom Rule not working SIEM elastic-stack-alerting , detection-rules	8	1370	May 27, 2021
Elastic Security Detection Rule Management - Update of Duplicates Elasticsearch elastic-stack-security , detection-rules	1	266	August 1, 2023
Update detection rules from elastic github repository to on-premises SIEM	3	669	September 1, 2020

SIEM Detection rule reload

Related topics