Update field on all SIEM detection Rules in one go

Hello all,
We have created almost 400+ security rules under the SIEM tab in Kibana. Now a new requirement has come in: they need to update one common field present in all 400 rules.
Can anyone guide me on how to achieve this rather than doing it manually one by one?

Using the API you will have to create a script which retrieves all detections and uses the patch method to update them.

Thank you for your question, @mangeshmj1992 . As @sholzhauer pointed out, you can use the bulk_update API to perform these updates. Here is the documentation for the latest version of this API: Bulk rule actions | Elastic Security Solution [8.1] | Elastic ... you should be able to find equivalent documentation for the version that you're using.
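As an added example (not code from this thread or from Elastic), here is a Python script doing what the two replies above describe: it pages through the `_find` endpoint, skips prebuilt (immutable) rules whose fields generally cannot be patched, and sends the field change in chunks to the `_bulk_update` endpoint. It assumes API-key authentication and the 8.x request/response shapes of `/api/detection_engine/rules/_find` and `/api/detection_engine/rules/_bulk_update`; the `FakeKibana` class is a constructed stand-in so the script can be run offline, and a per-item `error` key marking a failed patch is an assumption about the bulk response.

```python
"""Set one field on every custom detection rule through the Kibana detection engine API.

Added example, not code from the thread or from Elastic. Assumes the 8.x endpoints
/api/detection_engine/rules/_find (GET, paged) and /_bulk_update (PATCH, array of
partial rules keyed by rule_id); check the docs for the version you run.
"""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Iterator, List, Optional

FIND_PATH = "/api/detection_engine/rules/_find"
BULK_UPDATE_PATH = "/api/detection_engine/rules/_bulk_update"

# A transport is (method, path, query params, JSON body) -> parsed JSON response.
Transport = Callable[[str, str, Optional[dict], Any], Any]


def kibana_transport(base_url: str, api_key: str) -> Transport:
    """Standard-library HTTP transport. Assumes API-key auth; Kibana requires the
    kbn-xsrf header on non-GET requests, so it is always set."""
    def send(method: str, path: str, params: Optional[dict], body: Any) -> Any:
        url = base_url.rstrip("/") + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "kbn-xsrf": "true",
            "Content-Type": "application/json",
            "Authorization": f"ApiKey {api_key}",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def iter_rules(transport: Transport, per_page: int = 100) -> Iterator[dict]:
    """Page through _find until the reported total has been covered."""
    page = 1
    while True:
        resp = transport("GET", FIND_PATH, {"page": page, "per_page": per_page}, None)
        yield from resp["data"]
        if page * per_page >= resp["total"]:
            return
        page += 1


def patch_field_everywhere(transport: Transport, field: str, value: Any,
                           chunk: int = 50, per_page: int = 100,
                           skip_prebuilt: bool = True) -> dict:
    """Send {field: value} for every rule, `chunk` patches per request.
    Prebuilt (immutable) rules are skipped by default: most of their fields
    cannot be patched and would only come back as errors."""
    rules = list(iter_rules(transport, per_page))        # collect before mutating anything
    targets = [r for r in rules if not (skip_prebuilt and r.get("immutable"))]
    patches = [{"rule_id": r["rule_id"], field: value} for r in targets]
    results: List[dict] = []
    for i in range(0, len(patches), chunk):
        results.extend(transport("PATCH", BULK_UPDATE_PATH, None, patches[i:i + chunk]))
    # Assumption: bulk endpoints answer per item, and an item with an "error" key failed.
    failed = [r for r in results if "error" in r]
    return {"seen": len(rules), "patched": len(results) - len(failed), "failed": failed}


class FakeKibana:
    """Constructed offline stand-in for the two endpoints above, so the example runs
    without a cluster. It rejects patches to prebuilt rules, as Kibana would."""
    def __init__(self, n_custom: int, n_prebuilt: int) -> None:
        self.rules = [{"rule_id": f"custom-{i}", "immutable": False, "tags": []}
                      for i in range(n_custom)]
        self.rules += [{"rule_id": f"prebuilt-{i}", "immutable": True, "tags": []}
                       for i in range(n_prebuilt)]
        self.calls: List[tuple] = []

    def __call__(self, method: str, path: str, params: Optional[dict], body: Any) -> Any:
        self.calls.append((method, path))
        if method == "GET" and path == FIND_PATH:
            start = (params["page"] - 1) * params["per_page"]
            return {"page": params["page"], "perPage": params["per_page"],
                    "total": len(self.rules),
                    "data": self.rules[start:start + params["per_page"]]}
        if method == "PATCH" and path == BULK_UPDATE_PATH:
            by_id = {r["rule_id"]: r for r in self.rules}
            out = []
            for patch in body:
                rule = by_id[patch["rule_id"]]
                if rule["immutable"]:
                    out.append({"rule_id": rule["rule_id"], "error": {
                        "status_code": 400, "message": "prebuilt rule cannot be edited"}})
                else:
                    rule.update({k: v for k, v in patch.items() if k != "rule_id"})
                    out.append(rule)
            return out
        raise ValueError(f"unmodelled request {method} {path}")


if __name__ == "__main__":
    # Against a real stack: kibana_transport("https://kibana.example:5601", "<api key>")
    print(patch_field_everywhere(FakeKibana(7, 2), "tags", ["team:soc"], chunk=3, per_page=4))
```

Run it first against a read-only check (for instance with a transport that logs the PATCH bodies instead of sending them) and on a non-production space; 400 rules at 50 per request is only eight write calls, but a wrong `field` name is applied to all of them just as quickly.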

Just hopping on this :partying_face: thread to mention that we've started surfacing Bulk Edit Actions in the UI starting in 8.1 (release notes on it).

We're working through the remaining fields (like actions, risk score/severity, etc) in upcoming releases, but for now you can at least bulk edit Index Patterns and Tags from the UI ala:

3 Likes
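The UI bulk edit mentioned above is backed by the 8.1 bulk actions API, which edits rules server-side from a query rather than patching them one at a time. As an added example (not code from this thread or from Elastic), the following builds and validates such a request for the two fields the post says are editable so far, tags and index patterns, and previews locally what each edit type would do to a rule before anything is sent. It assumes the request shape `POST /api/detection_engine/rules/_bulk_action` with `{"action": "edit", "query" or "ids", "edit": [{"type", "value"}]}`, the edit type names listed in `EDIT_TYPES`, the `alert.attributes.*` KQL field prefix for selecting rules, and add/delete/set semantics of union, removal and replacement; all of these should be checked against the docs for your version.

```python
"""Bulk-edit tags or index patterns across many rules with the 8.1 _bulk_action API.

Added example, not code from the thread or from Elastic. Request shape, edit type
names, the KQL field prefix and the add/delete/set semantics are assumptions.
"""
from typing import Any, Callable, List, Optional, Tuple

BULK_ACTION_PATH = "/api/detection_engine/rules/_bulk_action"

# edit type -> (rule field it touches, operation); assumed 8.1 names
EDIT_TYPES = {
    "add_tags": ("tags", "add"),
    "delete_tags": ("tags", "delete"),
    "set_tags": ("tags", "set"),
    "add_index_patterns": ("index", "add"),
    "delete_index_patterns": ("index", "delete"),
    "set_index_patterns": ("index", "set"),
}


def build_bulk_edit(edits: List[dict], query: Optional[str] = None,
                    ids: Optional[List[str]] = None) -> dict:
    """Validate and assemble the request body. Exactly one of query / ids selects rules."""
    if (query is None) == (ids is None):
        raise ValueError("give either a KQL query or an explicit list of rule ids, not both")
    for e in edits:
        if e.get("type") not in EDIT_TYPES:
            raise ValueError(f"unsupported edit type: {e.get('type')!r}")
        if not isinstance(e.get("value"), list) or not e["value"]:
            raise ValueError(f"{e['type']} needs a non-empty list value")
    body: dict = {"action": "edit", "edit": edits}
    if query is not None:
        body["query"] = query
    else:
        body["ids"] = ids
    return body


def apply_edits(rule: dict, edits: List[dict]) -> dict:
    """Local model of one rule after the edits (assumed semantics: add appends
    missing values, delete removes listed values, set replaces the list)."""
    out = dict(rule)
    for e in edits:
        field, op = EDIT_TYPES[e["type"]]
        current = list(out.get(field, []))
        if op == "add":
            current += [v for v in e["value"] if v not in current]
        elif op == "delete":
            current = [v for v in current if v not in e["value"]]
        else:
            current = list(e["value"])
        out[field] = current
    return out


def preview(rules: List[dict], edits: List[dict]) -> List[Tuple[str, dict, dict]]:
    """Dry run over rules already fetched (for example via _find): returns
    (rule_id, before, after) for every rule the edit would actually change."""
    changed = []
    for rule in rules:
        after = apply_edits(rule, edits)
        if after != rule:
            changed.append((rule["rule_id"], rule, after))
    return changed


def send_bulk_edit(transport: Callable[[str, str, Optional[dict], Any], Any], body: dict) -> Any:
    """POST the body through a transport such as the one in the earlier example
    and hand back the raw response for inspection."""
    return transport("POST", BULK_ACTION_PATH, None, body)


if __name__ == "__main__":
    # Constructed sample rules, as _find would return them
    sample = [
        {"rule_id": "r1", "tags": ["legacy"], "index": ["logs-*"]},
        {"rule_id": "r2", "tags": ["legacy", "team:soc"], "index": ["logs-*"]},
    ]
    edits = [{"type": "add_tags", "value": ["team:soc"]},
             {"type": "delete_tags", "value": ["legacy"]}]
    print(build_bulk_edit(edits, query='alert.attributes.tags: "legacy"'))
    for rule_id, before, after in preview(sample, edits):
        print(rule_id, before["tags"], "->", after["tags"])
```

Previewing against the rules returned by `_find` with the same query you intend to send gives a cheap check that the KQL selects the 400 rules you mean and not, say, the prebuilt ones sharing a tag.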

@spong Bulk action in 8.x ... You just made my day. Thanks to everyone making this possible, as rule management on a large scale is very difficult currently.

2 Likes

Awesome @willemdh! We appreciate it, thank you! :grinning:

And we 100% understand the current difficulties around large scale rule management -- the upcoming releases should do quite a bit to start addressing these though :slightly_smiling_face: . Wish we could've started addressing these sooner for you all, but there've been some underlying dependencies we've had to get in place before we could start executing on all these enhancements. With most of those in place now though, you're going to start seeing improvements around Rule Searching/Filtering, the Rule Upgrade Flow, Rule/Exceptions/Actions Import & Export, and waaay better Rule Monitoring as well!

Thank you for your patience here, and of course for all the feedback you provide throughout the forums. We :elasticheart: you all in the community here and it just makes my day to be able to be building Elastic Security out in the open together!

Cheers!
Garrett

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.