IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

Export rules

edit

Export rules

edit

Exports rules to an .ndjson file. The following configuration items are also included in the .ndjson file:

Actions
Exception lists

You cannot export prebuilt rules, but they are available at https://github.com/elastic/detection-rules/tree/main/rules/.

Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the Saved Objects UI in Kibana (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before you export and import the detection rules.

Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Import value lists UI (Manage → Rules → Import value lists) to export and import value lists separately.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/rules/_export

URL query parameters

edit

Name	Type	Description	Required
`exclude_export_details`	Boolean	Determines whether a summary of the exported rules is returned.	No, defaults to `false`.
`file_name`	String	File name for saving the exported rules.	No, defaults to `export.ndjson`

When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.

Request body

edit

An optional JSON objects array containing the rule_id fields of the rules you want to export:

Name	Type	Description	Required
`objects`	String[]	Array of `rule_id` fields.	No, exports all rules when unspecified.

Example request

edit

Exports two rules without details and saves them to the exported_rules.ndjson file:

POST api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson
{
  "objects": [
    {
      "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
    },
    {
      "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
    }
  ]
}

Response code

edit

200: Indicates a successful call.

Response payload

edit

An .ndjson file containing the returned rules.

Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.

Example response payload:

{"id":"d4db8800-30df-11ec-88a5-fb21b48c9b4e","rule_id":"query-with-single-exception-list"[....]} // Rule
{"id":"cd62f410-30de-11ec-88a5-fb21b48c9b4e","list_id":"simple_list"[...]} // Exception list parent container
{"id":"e54ffbe0-30de-11ec-88a5-fb21b48c9b4e","item_id":"my-exception-item","list_id":"simple_list"[...]} // Exception list item
{"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} // Export summary

« Import rules Privileges endpoint »