Export rules
editExport rules
editExports rules to an .ndjson
file. The following configuration items are also included in the .ndjson
file:
- Actions
- Exception lists
You cannot export prebuilt rules, but they are available at https://github.com/elastic/detection-rules/tree/main/rules/.
Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the Saved Objects UI in Kibana (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before you export and import the detection rules.
Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Import value lists UI (Manage → Rules → Import value lists) to export and import value lists separately.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/rules/_export
URL query parameters
editName | Type | Description | Required |
---|---|---|---|
|
Boolean |
Determines whether a summary of the exported rules is returned. |
No, defaults to |
|
String |
File name for saving the exported rules. |
No, defaults to
|
When using cURL to export rules to a file, use the -O
and -J
options
to save the rules to the file name specified in the URL.
Request body
editAn optional JSON objects
array containing the rule_id
fields of the rules
you want to export:
Name | Type | Description | Required |
---|---|---|---|
|
String[] |
Array of |
No, exports all rules when unspecified. |
Example request
editExports two rules without details and saves them to the exported_rules.ndjson
file:
POST api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson { "objects": [ { "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" }, { "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" } ] }
Response code
edit-
200
- Indicates a successful call.
Response payload
editAn .ndjson
file containing the returned rules.
Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.
Example response payload:
{"id":"d4db8800-30df-11ec-88a5-fb21b48c9b4e","rule_id":"query-with-single-exception-list"[....]} // Rule {"id":"cd62f410-30de-11ec-88a5-fb21b48c9b4e","list_id":"simple_list"[...]} // Exception list parent container {"id":"e54ffbe0-30de-11ec-88a5-fb21b48c9b4e","item_id":"my-exception-item","list_id":"simple_list"[...]} // Exception list item {"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} // Export summary