[SecuritySolution][Detections] Allow bulk editing of Rules

[spong]

Describe the feature:
This feature would allow users to select a number of Rules and edit properties of these Rules in bulk.

Describe a specific use case for the feature:
Use cases are bountiful here, from assigning a default action to all pre-packaged Rules, to updating the underlying index patterns a rule is configured to run against, to selecting a certain group of rules and ensuring their threat tactic & techniques are up to date. Would be worth exploring bulk assignment of exception lists/items as well.

Requested by community: https://discuss.elastic.co/t/default-alert-action/258805

[hilt86]

Thanks for raising this @spong, this is sorely needed as is impractical to edit the 300 (default) rules and add a slack or web-hook action, especially so if you have custom rules or multiple installations.

Maybe we could have a default notification setting per space?

Other things I might want to do en-mass (but could be complicated):

• update a list of exceptions
• add an action
• change schedule that a rule runs or the lookback

[austinsonger]

As with my organization, we don't like the "cases" features and want to automatically create tickets in JIRA from every Detection Alert, because we need to track SLA's. And there is no setting we can do this by default.

Now the only way we can get around this, is by going into each individual rule and create that action to create a ticket in JIRA for over 300 rules and that is ridiculous.

[Bufferoverflovv]

Is there any updates on this feature request to create a default action for all rules?

Is the only way to do this is to use the bulk update actions API and set a regular interval via a script to search for all rules missing actions to have a new action added?

[spong]

@Bufferoverflovv, we're starting to make some headway here finally. In 8.1 (release notes) we've started surfacing bulk actions for index patterns, tags, and timeline templates in the UI, and since then we've been working to fill out the remaining fields like actions, scheduling and so forth. We've had to coordinate some changes with the platform teams to get this right, but these remaining actions should start showing up here in a nearterm release.

Is the only way to do this is to use the bulk update actions API and set a regular interval via a script to search for all rules missing actions to have a new action added?

Yeah, this'll be your best bet for the time being. Once we fill out the remaining actions though, you'll be able to use the edit param of the _bulk_action API (docs) to automate further.

[hilt86]

Maybe if someone comes up with a reference script it can be shared in the repo?

…

On Tue, 28 Jun 2022 at 12:08 pm, Garrett Spong ***@***.***> wrote: @Bufferoverflovv <https://github.com/Bufferoverflovv>, we're starting to make some headway here finally. In 8.1 (release notes <https://www.elastic.co/guide/en/security/8.1/whats-new.html#features-8.1>) we've started surfacing bulk actions for index patterns, tags, and timeline templates in the UI, and since then we've been working to fill out the remaining fields like actions, scheduling and so forth. We've had to coordinate some changes with the platform teams to get this right, but these remaining actions should start showing up here in a nearterm release. Is the only way to do this is to use the bulk update actions API and set a regular interval via a script to search for all rules missing actions to have a new action added? Yeah, this'll be your best bet for the time being. Once we fill out the remaining actions though, you'll be able to use the edit param of the _bulk_action API (docs <https://www.elastic.co/guide/en/security/current/bulk-actions-rules-api.html#bulk-edit-object-schema>) to automate further. — Reply to this email directly, view it on GitHub <#86198 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADL3YHBETLEWPVIXXFJA2LVRJNDHANCNFSM4U6ULFVQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

[Bufferoverflovv]

@spong Thanks for the update on this, I actually just noticed some bulk actions are exposed in the UI already which is nice to see. You mentioned in this post https://discuss.elastic.co/t/default-action/276208 that if you had time you would put up some gists with example curl commands for the bulk update api. Do you by any chance have those examples to add an action to all existing rules?

[spong]

Oh boy, I forgot about that one -- thanks for the reminder @Bufferoverflovv! 😅

So this gist comes un-tested with no guarantees/warranties, but should be a good place to build from. It fetches all rules (max 10k), then adds the action referenced in the ACTIONS variable and does a bulk update from there.

So to use, you'd want to update your username/pass, kibana URL, ACTIONS variable (id is going to be the id of the connector, easiest to just setup an action and export it and use that), and change throttle if you don't want it running on every rule execution. Note, this doesn't do an append with existing actions, so will probably override any existing. So that said, test and modify accordingly before running anywhere near a production cluster, or just wait a little bit longer while we get the remaining bulk actions added to the UI.

Hope this helps in the interim! 🙂

[spong]

Closing as this was added in 8.5 🙂 🎉 : #138900