SIEM Detection rule reload

PublicName · April 13, 2021, 5:54pm

Due to a rather nasty upgrade that resulted in a bugs. One of which is every SIEM rule no longer works each one has a different reason so going 1 by 1 isn't really an option.

Is it possible to wipe and reload all rules to match the current version of Kibana?

sholzhauer · April 14, 2021, 11:47am

Do you only have elastic pre-build rules or do you also have custom rules?

PublicName · April 14, 2021, 4:12pm

All Elastic. I stopped doing the custom ones a few versions back until the upgrades stop blowing up in my face. One cluster will work the other fails. They are in near lock step.

stephmilovic · April 14, 2021, 9:46pm

Hi @PublicName

This is possible by

Go to the Rules page
Put the "Rows per page" setting as high as it goes
Select all in table
Bulk Actions > Delete Selected
A button with Load Elastic prebuilt detection rules will appear once the delete has proccess and you can reload all the rules

PublicName · April 14, 2021, 10:07pm

That worked a treat all are normal again.

Alternate acceptable answer: Hey dummy open your eyes.

Topic		Replies	Views
Upgrading/Updating SIEM rules SIEM	3	632	March 24, 2022
Update detection rules from elastic github repository to on-premises SIEM	3	739	September 1, 2020
Managing SIEM rules is harder then it should SIEM	3	492	March 11, 2021
Update field on all SIEM detection Rules in one go SIEM	6	508	April 18, 2022
SIEM Rules Bulk duplicate Elastic Security elastic-stack-alerting	1	292	October 1, 2021

SIEM Detection rule reload

Related topics