Due to a rather nasty upgrade that resulted in a bugs. One of which is every SIEM rule no longer works each one has a different reason so going 1 by 1 isn't really an option.
Is it possible to wipe and reload all rules to match the current version of Kibana?
Do you only have elastic pre-build rules or do you also have custom rules?
All Elastic. I stopped doing the custom ones a few versions back until the upgrades stop blowing up in my face. One cluster will work the other fails. They are in near lock step.
That worked a treat all are normal again.
Alternate acceptable answer: Hey dummy open your eyes.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.