Having defined multiple alerts before starting to use Enterprise Security, is there a way to convert the existing alerts to correlation searches?
Instead of sending emails as the action, they will add some risk score, notable event, etc.
How can I accomplish this without manually creating all the correlation searches from scratch?
There is no UI trick to convert an alert into a correlation search. The best option, IMO, is to copy the search text from alert to CS using separate browser tabs.
You may be able to edit the savedsearches.conf file and add CS attributes
action.correlationsearch = 0
action.correlationsearch.enabled = 1
action.correlationsearch.label = "foo"
but then you'd also have to add a bunch of action.notable settings, making sure to get them just right. It's less error-prone to use the UI.
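The answer above says the conf-file route is possible but error-prone because the action.notable (and risk) attributes have to be right. The script below is an added example, not code from the poster or from Splunk: it parses a small constructed savedsearches.conf, keeps each alert's search and schedule, drops the e-mail action, and emits a stanza carrying the three action.correlationsearch attributes from the answer plus a minimal set of action.notable.param.* and action.risk.param.* keys. Those notable/risk key names, the alert.severity to notable-severity mapping and the defaults (security domain, risk object, score) are this editor's assumptions drawn from Splunk ES documentation, so diff the output against a stanza ES itself generated through its UI before deploying it.

```python
"""Convert Splunk alert stanzas in savedsearches.conf into ES correlation
search stanzas. Added example; not from the original post or from Splunk."""
import re

# Constructed sample savedsearches.conf: two e-mail alerts, one disabled.
SAMPLE_CONF = """\
[Brute Force Logins]
search = index=auth action=failure \\
  | stats count by user src \\
  | where count > 20
cron_schedule = */5 * * * *
enableSched = 1
alert.severity = 4
action.email = 1
action.email.to = soc@example.com

[Disabled Old Alert]
search = index=main error
disabled = 1
action.email = 1
"""

# Assumed mapping from alert.severity (1 debug .. 6 fatal) to notable severity.
SEVERITY = {"1": "informational", "2": "low", "3": "medium",
            "4": "high", "5": "critical", "6": "critical"}


def parse_conf(text):
    """Minimal .conf parser: [stanza], key = value, trailing '\\' continues a value."""
    stanzas, current, cont_key = {}, None, None
    for raw in text.splitlines():
        if cont_key is not None:            # continuation of a multi-line value
            piece = raw.strip()
            more = piece.endswith("\\")
            stanzas[current][cont_key] += " " + piece.rstrip("\\").strip()
            cont_key = cont_key if more else None
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
            continue
        key, _, val = line.partition("=")   # split on the first '=' only
        key, val = key.strip(), val.strip()
        more = val.endswith("\\")
        stanzas[current][key] = val.rstrip("\\").strip()
        cont_key = key if more else None
    return stanzas


def to_correlation_search(name, stanza, security_domain="access",
                          risk_object="user", risk_object_type="user",
                          risk_score=40):
    """Return a new stanza: e-mail action removed, ES correlation search,
    notable and risk attributes added (key names are assumptions; verify)."""
    new = {k: v for k, v in stanza.items() if not k.startswith("action.email")}
    new.update({
        "action.correlationsearch": "0",          # as in the answer above
        "action.correlationsearch.enabled": "1",
        "action.correlationsearch.label": name,
        "action.notable": "1",
        "action.notable.param.rule_title": name,
        "action.notable.param.rule_description": f"Converted from alert '{name}'",
        "action.notable.param.security_domain": security_domain,
        "action.notable.param.severity": SEVERITY.get(stanza.get("alert.severity"), "medium"),
        "action.risk": "1",
        "action.risk.param._risk_object": risk_object,
        "action.risk.param._risk_object_type": risk_object_type,
        "action.risk.param._risk_score": str(risk_score),
    })
    return new


def convert_all(text, **overrides):
    """Parse a conf file and convert every stanza; 'disabled = 1' is kept."""
    return {name: to_correlation_search(name, st, **overrides)
            for name, st in parse_conf(text).items()}


def render_conf(stanzas):
    """Serialise stanzas back to savedsearches.conf syntax."""
    out = []
    for name, kv in stanzas.items():
        out.append(f"[{name}]")
        out.extend(f"{k} = {v}" for k, v in kv.items())
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_conf(convert_all(SAMPLE_CONF)))
```

Run it against a copy of the app's local/savedsearches.conf, review the rendered stanzas, then place them in the ES app context (typically SA-ThreatIntelligence or DA-ESS-* local/) and reload; search names, `search`, and `cron_schedule` survive unchanged, so the only risk is in the added attributes, which is exactly what the answer warns to get right.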