SIEM Detection rule reload

PublicName · April 13, 2021, 5:54pm

Due to a rather nasty upgrade that resulted in a bugs. One of which is every SIEM rule no longer works each one has a different reason so going 1 by 1 isn't really an option.

Is it possible to wipe and reload all rules to match the current version of Kibana?

sholzhauer · April 14, 2021, 11:47am

Do you only have elastic pre-build rules or do you also have custom rules?

PublicName · April 14, 2021, 4:12pm

All Elastic. I stopped doing the custom ones a few versions back until the upgrades stop blowing up in my face. One cluster will work the other fails. They are in near lock step.

stephmilovic · April 14, 2021, 9:46pm

Hi @PublicName

This is possible by

Go to the Rules page
Put the "Rows per page" setting as high as it goes
Select all in table
Bulk Actions > Delete Selected
A button with Load Elastic prebuilt detection rules will appear once the delete has proccess and you can reload all the rules

PublicName · April 14, 2021, 10:07pm

That worked a treat all are normal again.

Alternate acceptable answer: Hey dummy open your eyes.

system · May 12, 2021, 10:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.