We are using SIEM in Kibana for threat detection.
We have a rule which uses a saved query that we duplicated. On the new rule we chose "custom query" and inserted a different query in KQL. What happens is that the new rule still shows the saved query name of the old rule, and when activated, despite our having entirely changed the query, it still runs the saved query from the old rule. I also tried to duplicate a rule without a saved query (custom KQL), which has an ID generated by Kibana as the saved query name. After duplicating this rule and changing the query, I see that it still has the same ID.
Any guidance on how to duplicate a rule properly in order to just change the query between rules?
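One way to get a copy that really runs its own KQL is to go through the Detection Engine export/import API instead of the "Duplicate" button: export the rule as ndjson, strip the saved-query reference (`saved_id`) and the server-managed fields, give the copy a new `rule_id` and query, and import it. The script below is an added example, not code from the original post or from Elastic; the field names follow the Detection Engine rule schema, the sample export is constructed, and the `cloned_rules.ndjson` filename and the hostname in the curl command are placeholders.

```python
"""Clone an exported Kibana detection rule and give the copy its own query.

Added example, not code from the original post or from Elastic. It operates on
the ndjson produced by the Detection Engine export endpoint
(POST /api/detection_engine/rules/_export) and emits a document for the import
endpoint (POST /api/detection_engine/rules/_import). Field names follow the
Detection Engine rule schema; the sample rule below is constructed, not a real
export.
"""
import json
import uuid

# Constructed sample: a rule that was created from a saved query. Note that the
# export carries both `saved_id` (the saved-query reference) and a copied `query`;
# a duplicate that keeps `saved_id` will keep running the saved query.
SAMPLE_EXPORT = json.dumps({
    "id": "6b1e3c2a-0000-4000-8000-000000000001",
    "rule_id": "rule-from-saved-query",
    "name": "Suspicious cmd.exe spawn",
    "description": "Original rule built on a saved query",
    "type": "query",
    "language": "kuery",
    "index": ["winlogbeat-*"],
    "query": 'process.name : "cmd.exe" and process.parent.name : "winword.exe"',
    "saved_id": "saved-query-1234",
    "risk_score": 50,
    "severity": "medium",
    "enabled": True,
    "created_at": "2021-01-01T00:00:00.000Z",
    "updated_at": "2021-01-01T00:00:00.000Z",
    "created_by": "analyst",
    "updated_by": "analyst",
})

# Fields Kibana assigns on create; an import document must not carry them over.
SERVER_MANAGED = ("id", "created_at", "created_by", "updated_at", "updated_by")


def clone_rule_with_query(exported_line, new_name, new_query, new_rule_id=None):
    """Return an import-ready copy of one exported rule that runs `new_query`.

    The copy drops `saved_id` and forces `type` to "query" so the new rule
    cannot fall back to the saved query of the original, gets a fresh
    `rule_id`, and is created disabled so it can be reviewed before it runs.
    """
    rule = json.loads(exported_line)
    clone = {k: v for k, v in rule.items() if k not in SERVER_MANAGED}
    clone.pop("saved_id", None)           # the reference the duplicate kept
    clone["type"] = "query"               # custom KQL, not a saved-query rule
    clone["language"] = "kuery"
    clone["query"] = new_query
    clone["name"] = new_name
    clone["rule_id"] = new_rule_id or str(uuid.uuid4())
    clone["enabled"] = False
    return clone


def check_clone(original_line, clone):
    """Return a list of reasons the clone is still tied to the original."""
    original = json.loads(original_line)
    problems = []
    if "saved_id" in clone:
        problems.append("clone still references saved query %s" % clone["saved_id"])
    if clone.get("rule_id") == original.get("rule_id"):
        problems.append("clone reuses rule_id; import would update the original")
    if clone.get("query") == original.get("query"):
        problems.append("clone query is identical to the original")
    if "id" in clone:
        problems.append("clone carries the original's saved-object id")
    return problems


def to_import_ndjson(clones):
    """Serialise rules one per line, the shape _import expects."""
    return "".join(json.dumps(c) + "\n" for c in clones)


if __name__ == "__main__":
    new_query = 'process.name : "powershell.exe" and process.parent.name : "winword.exe"'
    clone = clone_rule_with_query(SAMPLE_EXPORT, "Suspicious powershell.exe spawn", new_query)
    problems = check_clone(SAMPLE_EXPORT, clone)
    assert not problems, problems
    with open("cloned_rules.ndjson", "w") as fh:     # placeholder filename
        fh.write(to_import_ndjson([clone]))
    print("wrote cloned_rules.ndjson; import with:")
    print("curl -XPOST -H 'kbn-xsrf: true' -u user:pass "
          "-F file=@cloned_rules.ndjson "
          "'https://kibana:5601/api/detection_engine/rules/_import'")
```

After importing, open the new rule in the Detections UI and confirm that the query shown is the new KQL and that no saved query name appears; `check_clone` catches the two ways a copy silently stays bound to the original (a leftover `saved_id`, or an unchanged `rule_id`, which makes the import overwrite the original rather than create a second rule).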