Export detection rules
Export detection rules to an .ndjson file. The following configuration items are also included in the .ndjson file:
- Actions
- Exception lists
Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.
You can use Kibana’s Saved Objects UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before importing detection rules.
Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Manage value lists UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.
Query parameters
-
exclude_export_details
boolean Determines whether a summary of the exported rules is returned.
Default value is
false. -
file_name
string File name for saving the exported rules.
When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.
Default value is
export.ndjson.
curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
"objects": [
{
"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
},
{
"rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
}
]
}
{
"objects": [
{
"rule_id": "string"
}
]
}@file