Data enrichment rules can be created with one or more indicators (or criteria). If you delete an indicator that was the only indicator assigned to a rule, the rule itself may also be deleted.
Release: 8.2.5-55424
When you delete an indicator, you may see the following dialog box:
Always check if the rules are deleted after you delete any indicators. You may have to recreate them if they are deleted. This will be resolved in a future release of Security Analytics.
Messages you can search for in /var/log/messages:
INDICATOR DELETED:
2023-02-15T00:06:00+05:30 hostname httpd[11265]: snlog: sn="##:##:##:##:##:##" id="DS" m="85" c="11" event="EVENT_FAVORITE_DELETED" category="FAVORITE" ip="192.168.1.5" model="DSPORT" msg="logmsg=\"model.sys_log::options.event.audit.deepsee_favorite_deleted\", user=\"cmc_proxy1_admin\", remote_ip=\"10.0.1.50\", name=\"java_user_agent\""
RULE DELETED:
2023-02-15T00:27:20+05:30 hostname httpd[21244]: snlog: sn="##:##:##:##:##:##" id="DS" m="88" c="12" event="EVENT_ACTION_DELETED" category="ACTION" ip="192.168.1.5" model="DSPORT" msg="logmsg=\"model.sys_log::options.event.audit.action_deleted, user=\"cmc_proxy1\", remote_ip=\"10.0.1.50\", action_name=\"java_user_agent_rule_1\""
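To make the post-deletion check repeatable, the following added example (not vendor code) extracts both audit events from syslog lines and lists the rules that were deleted. It assumes the log format matches the two sample lines above; the function names and the third sample line are constructed for illustration.

```python
import re

# Audit events shown on this page -> (object kind, msg key holding its name).
EVENTS = {
    "EVENT_FAVORITE_DELETED": ("indicator", "name"),
    "EVENT_ACTION_DELETED": ("rule", "action_name"),
}
HEAD_RE = re.compile(r'^(\S+)\s.*?\bevent="([A-Z_]+)"')
# Values inside msg="..." are wrapped in backslash-escaped quotes. Match only
# the keys needed: the rule-deletion sample has an unterminated logmsg value,
# so a generic key=\"value\" pattern would swallow the user field.
FIELD_RE = re.compile(r'\b(user|remote_ip|name|action_name)=\\"([^"\\]*)\\"')

# First two lines are the samples from this page; the third is constructed noise.
SAMPLE = r'''2023-02-15T00:06:00+05:30 hostname httpd[11265]: snlog: sn="##:##:##:##:##:##" id="DS" m="85" c="11" event="EVENT_FAVORITE_DELETED" category="FAVORITE" ip="192.168.1.5" model="DSPORT" msg="logmsg=\"model.sys_log::options.event.audit.deepsee_favorite_deleted\", user=\"cmc_proxy1_admin\", remote_ip=\"10.0.1.50\", name=\"java_user_agent\""
2023-02-15T00:27:20+05:30 hostname httpd[21244]: snlog: sn="##:##:##:##:##:##" id="DS" m="88" c="12" event="EVENT_ACTION_DELETED" category="ACTION" ip="192.168.1.5" model="DSPORT" msg="logmsg=\"model.sys_log::options.event.audit.action_deleted, user=\"cmc_proxy1\", remote_ip=\"10.0.1.50\", action_name=\"java_user_agent_rule_1\""
2023-02-15T00:30:00+05:30 hostname sshd[4242]: Accepted publickey for admin from 10.0.1.50
'''

def parse_deletions(lines):
    """Return one dict per indicator/rule deletion found in syslog lines."""
    found = []
    for line in lines:
        head = HEAD_RE.match(line)
        if not head or head.group(2) not in EVENTS:
            continue
        kind, name_key = EVENTS[head.group(2)]
        fields = dict(FIELD_RE.findall(line))
        found.append({
            "time": head.group(1),
            "kind": kind,
            "name": fields.get(name_key, "?"),
            "user": fields.get("user", "?"),
            "remote_ip": fields.get("remote_ip", "?"),
        })
    return found

def deleted_rules(lines):
    """Names of rules that were deleted and may need to be recreated."""
    return [d["name"] for d in parse_deletions(lines) if d["kind"] == "rule"]

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE.splitlines()
    for d in parse_deletions(src):
        print("{time} {kind:9} {name} by {user} from {remote_ip}".format(**d))
```

Run with `/var/log/messages` as the only argument to scan the live log; with no argument it parses the embedded sample.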