Rules not working after upgrade to Security Analytics 8.3.1

Article ID: 410897


Products

Security Analytics

Issue/Introduction

After upgrading from Security Analytics version 8.2.8 to 8.3.1, rules are no longer working.

Cause

All "legacy" 8.2.x rules must be converted to the new SQL 8.3.1 format.

Resolution

You can continue to run reports using the old indicators and rules, but the rules will not produce new hits on traffic captured after the 8.3.1 upgrade until the legacy rules are converted. This process requires intervention by Security Analytics engineering. To convert the rules and indicators, technical support will need the following:

  • A CSR from each sensor that has unique rules. If all rules are the same across all sensors, only one CSR is needed. If you have sensors with unique rules, generate a CSR from each individual sensor.
  • A support case requesting assistance for rule conversion post-8.3.1 upgrade.

Once engineering has converted the files, you will receive a .jsonl file back. To import it, go to Settings > System > Import Indicators, Rules, and Integration Providers, browse for the .jsonl file that was provided, and click Import.