Sigma rule activation in bulk

[iMaxGit]

Version

2.4.211

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

16

Storage for /

65

Storage for /nsm

130

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,

in soc > config > server > modules > elastalertengine > enabledSigmaRules > default I can specify which rules should be enabled upon initial import, according to the documentation. Is there also a way, to add new rules in bulk later on? Changing the settings here and doing a full resync did not seem to do the trick (unless I have missed something else somewhere).

Thanks!

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[RBrownSoME]

In the Detections module, you can filter for the rules you want to enable then click the "check all box". When you do that a bulk action drop-down will appear that let's you enable them all.

[iMaxGit]

Ah, I seem to have missed that, thank you!