Export detection rules

POST /api/detection_engine/rules/_export
Api key auth Basic auth

Export detection rules to an .ndjson file. The following configuration items are also included in the .ndjson file:

  • Actions
  • Exception lists

Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.

You can use Kibana’s Saved Objects UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before importing detection rules.

Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Manage value lists UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.

Query parameters

  • exclude_export_details boolean

    Determines whether a summary of the exported rules is returned.

    Default value is false.

  • file_name string

    File name for saving the exported rules.

    When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.

    Default value is export.ndjson.

application/json

Body

  • objects array[object] Required

    Array of rule_id fields. Exports all rules when unspecified.

    Hide objects attribute Show objects attribute object
    • rule_id string Required

      A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

Responses

  • 200 application/ndjson

    Indicates a successful call.

    An .ndjson file containing the returned rules.

    Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.
POST /api/detection_engine/rules/_export 
curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
  "objects": [
    {
      "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
    },
    {
      "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
    }
  ]
}
Request examples 
{
  "objects": [
    {
      "rule_id": "string"
    }
  ]
}
Response examples (200) 
@file