Automating Rule Creation for Kibana

I am trying to automate rule creation, updating and deletion via a Python script. I have tried both using curl and Python

I use curl to create the rule (the JSON body is wrapped in single quotes so the shell does not strip the inner double quotes):

curl -k -X POST "https://192.168.10.131:5601/api/detection_engine/rules/_bulk_action" -H "Authorization: ApiKey ZXkzRElwQUJnYW9Td2d5emFZVkQ6a0w3N1BXdVlUQTZHakRmU2RRVXBYdw==" -H "kbn-xsrf: true" -d '{"rule_id":"process_started_by_ms_office_program_possible_payload","risk_score":50,"description":"Process started by MS Office program","interval":"5m","name":"MS Office child process","severity":"low","tags":["child process","ms office"],"type":"query","from":"now-6m","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","language":"kuery","filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"enabled":false},{"name":"Second bulk rule","description":"Query with a rule_id for referencing an external id","rule_id":"query-rule-id-2","risk_score":2,"severity":"low","type":"query","from":"now-6m","query":"user.name: root or user.name: admin"}'

I get the following error: {"statusCode":400,"error":"Bad Request","message":"[request body]: action: Invalid literal value, expected "delete", action: Invalid literal value, expected "disable", action: Invalid literal value, expected "enable", action: Invalid literal value, expected "export", action: Invalid literal value, expected "duplicate", and 2 more"}

Hi @Emin,

Welcome to the community! It looks like you're sending a malformed request:

The above error suggests you have an invalid value for the action option, which should match one of the options specified in the request body documentation. Can you try using one of those values?

Let us know if that resolves your issue.

Hi Carly.

Thank you for your response. I did find it helpful. I have managed to run the following code, without any errors.

import json
import requests

rule_data = {
    "action": "enable",
    "rules": [
        {
            "rule_id": "test_rule_id",
            "name": "Test Rule",
            "description": "This is a test rule",
            "risk_score": 50,
            "severity": "low",
            "type": "eql",
            "from": "now-6m",
            "query": "process.parent.name:EXCEL.EXE",
            "language": "kuery",
            # "enabled": False
        }
    ]
}


def create_rule(json_parsed_data, token):
    # API endpoint for rule creation
    url = "https://192.168.10.131:5601/api/detection_engine/rules/_bulk_action"
    # url = "https://192.168.10.131:5601/api/detection_engine/rules"
    headers = {
        "Authorization": f"ApiKey {token}",
        "kbn-xsrf": "true",  # This header is often set to 'true' or '1'
        "Content-Type": "application/json"
    }

    # Make a single POST request to create a new rule
    # (the payload is serialised once; verify=False skips TLS verification)
    try:
        response = requests.post(url, headers=headers, data=json.dumps(json_parsed_data), verify=False)
        response.raise_for_status()
        print("Rule created successfully")
    except requests.exceptions.HTTPError as err:
        print(f"Failed to create rule: {response.json()}")

However, I am still having trouble creating a rule. I mean how do you generate the rule? When I pass enable, the code runs without any errors, but when I try to pass edit as action I get this error:

Failed to create rule: 

{'statusCode': 400, 'error': 'Bad Request', 'message': '[request body]: action: Invalid literal value, expected "delete", action: Invalid literal value, expected "disable", action: Invalid literal value, expected "enable", action: Invalid literal value, expected "export", action: Invalid literal value, expected "duplicate", and 1 more'}

I would be very grateful if you could be so kind as to help me resolve this matter and begin automatically generating and updating rules with this script.

Thank you once again.

Hi @Emin,

It looks like you are sending a malformed request to the edit request. Can you share the request you are sending that fails?

Looking at example 2 in the documentation there is an edit example that you can try to replicate.

Hope that helps!

Hi Carly. The request I am sending, which generates the error in my previous reply, is below. Thank you for your help so far.

rule_data = {
    "action": "edit",
    "rules": [
        {
            "rule_id": "test_rule_id",
            "name": "Test Rule",
            "description": "This is a test rule",
            "risk_score": 50,
            "severity": "low",
            "type": "eql",
            "from": "now-6m",
            "query": "process.parent.name:EXCEL.EXE",
            "language": "kuery",
            # "enabled": False
        }
    ]
}

Hi @Emin,

Can you explain in simple terms what edit you're trying to make to the above rule? Comparing your example to the one in the documentation, I don't think it's formatted correctly.

Example 2 in the documentation has id, action and edit as the top level attributes:

POST api/detection_engine/rules/_bulk_action
{
  "ids":[
    "8bc7dad0-9320-11ec-9265-8b772383a08d",
    "8e5c1a40-9320-11ec-9265-8b772383a08d"
  ],
  "action": "edit",
  "edit": [{ "type": "add_tags", "value":["tag-1", "tag-2"] }]
}

Hi Carly. In simple terms, I am trying to create a brand new rule. Would you please help me to write a script that will automatically create a rule? I am just not sure which command to use to create a rule, whether in bulk or one by one, does not matter. Thank you.

Hello Carly. Would you please confirm whether it is possible to create rules with this API? Or if it's possible to automatically create single rules with some other API?

Thank you kindly.

Hi @Emin,

Thanks for following up. It should be possible to create a rule using bulk actions. But for creating a single rule I would recommend using the create API:

There are some examples in the above documentation that should help.

Hi Carly.

Thank you very much for your help and support. I have managed to create a Python function, which creates single rules. However, I am having trouble with the function to delete any given rule found/returned by running a query to find all the rules. I am including evidence of the successful creation of the rules and the errors when I try to delete any rule:

Response Status Code: 200
Response Headers: {'elastic-api-version': '2023-10-31', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'permissions-policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'cross-origin-opener-policy': 'same-origin', 'content-security-policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'content-security-policy-report-only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'content-length': '794', 'Date': 'Thu, 18 Jul 2024 15:52:58 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120'}
Response Text: {"name":"Test Custom Query Rule","description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","version":1,"tags":[],"enabled":true,"risk_score_mapping":[],"severity_mapping":[],"interval":"5m","from":"now-6m","to":"now","actions":[],"exceptions_list":[],"author":[],"false_positives":[],"references":[],"max_signals":100,"threat":[],"setup":"","id":"637615b9-2e4a-4fb1-8a5b-6db01a83c064","rule_id":"04972245-a681-406b-9432-43abce22701e","immutable":false,"updated_at":"2024-07-18T15:52:57.257Z","updated_by":"elastic","created_at":"2024-07-18T15:52:57.257Z","created_by":"elastic","revision":0,"related_integrations":[],"required_fields":[],"type":"query","index":["logs-*"],"query":"process.name: \"malicious.exe\"","language":"kuery"}
Response Status Code: 200
Response Headers: {'elastic-api-version': '2023-10-31', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'permissions-policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'cross-origin-opener-policy': 'same-origin', 'content-security-policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'content-security-policy-report-only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'vary': 'accept-encoding', 'content-encoding': 'gzip', 'Date': 'Thu, 18 Jul 2024 15:52:58 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120', 'Transfer-Encoding': 'chunked'}
Response Text: {"page":1,"perPage":20,"total":15,"data":[{"id":"43ea88e7-6f69-4d4e-917c-d91d952f6caa","updated_at":"2024-07-17T16:00:46.621Z","updated_by":"elastic","created_at":"2024-07-12T21:03:07.357Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":false,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"33bf4870-0091-4548-a46d-ac5dac913557","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-17T15:56:36.851Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":71197}}}},{"id":"790af310-94e3-4996-916d-6c5b2c3e4c4e","updated_at":"2024-07-17T16:06:21.746Z","updated_by":"elastic","created_at":"2024-07-17T16:06:21.003Z","created_by":"elastic","name":"Test Custom Query Rule [Duplicate]","tags":[],"interval":"5m","enabled":false,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"397c6715-53bf-47ba-abc4-bcbf5562f55f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[]},{"id":"bda76709-d0f8-4461-b5b6-b88518f74daf","updated_at":"2024-07-17T15:55:41.721Z","updated_by":"elastic","created_at":"2024-07-17T15:55:41.721Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"cde491da-154e-4bb4-a948-0f44f42b30e5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:35.883Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule 
definition, however no index matching: [\"logs-*\"] was found. This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34963}}}},{"id":"2a4714de-f6b2-497f-b000-8a5f8fa4a7e5","updated_at":"2024-07-12T20:34:55.170Z","updated_by":"elastic","created_at":"2024-07-12T20:34:55.170Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"08a4a98c-f3b9-4e39-8464-cb736325c78a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:35.885Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34909}}}},{"id":"cdfd0434-f633-4c58-86f2-1fb1764ca423","updated_at":"2024-07-11T21:09:35.371Z","updated_by":"elastic","created_at":"2024-07-11T21:09:35.371Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"713ff16f-fcca-4ffb-8a84-c8b88179adf3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:35.882Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34909}}}},{"id":"d34e284c-0914-44c8-b7b2-659797aa1b0f","updated_at":"2024-07-12T20:33:10.014Z","updated_by":"elastic","created_at":"2024-07-12T20:33:10.014Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"0f3eaa19-03e3-462e-831d-71b58d231444","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:35.886Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34909}}}},{"id":"7a4c2f24-20ac-4ead-90ed-7d09324a2596","updated_at":"2024-07-11T20:54:57.717Z","updated_by":"elastic","created_at":"2024-07-11T20:54:57.717Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"f2af7829-1fd8-4dfe-bdf0-e74316f12526","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:35.881Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34909}}}},{"id":"9c3e97ab-c4bb-4d98-a7a8-df5528da73a5","updated_at":"2024-07-11T21:08:57.119Z","updated_by":"elastic","created_at":"2024-07-11T21:08:57.119Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"62995514-34fe-4a29-8a04-585b12ff209e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:38.893Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34912}}}},{"id":"0bd477ae-e1f7-4893-b6e4-88048c6ce8c6","updated_at":"2024-07-17T15:52:40.162Z","updated_by":"elastic","created_at":"2024-07-17T15:52:40.162Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"d9fee890-9d78-4fe1-a323-056ddfec5c91","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:38.894Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34843}}}},{"id":"fcc1c99c-1e0e-4998-896e-541cd0b855c6","updated_at":"2024-07-11T20:57:50.811Z","updated_by":"elastic","created_at":"2024-07-11T20:57:50.811Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"f652c302-673c-4b74-a220-4621ad3e4da5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:38.895Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34912}}}},{"id":"c5d0f760-a299-40f4-ba00-f0448dc6f1ef","updated_at":"2024-07-14T08:52:15.140Z","updated_by":"elastic","created_at":"2024-07-14T08:52:15.140Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"67550e19-7d41-4e67-b53d-6a8066d9fad5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:38.897Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34909}}}},{"id":"d8e6c0a8-3142-4715-b180-982bc79cf523","updated_at":"2024-07-17T15:59:28.052Z","updated_by":"elastic","created_at":"2024-07-17T15:59:28.052Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"4ebb2130-6e77-4f66-b35e-d2aa87370d37","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:38.895Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34738}}}},{"id":"11bc109e-094d-436c-9142-a442c35cf20a","updated_at":"2024-07-14T08:13:15.517Z","updated_by":"elastic","created_at":"2024-07-14T08:13:15.517Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"71c32e3c-40b5-446d-b638-fefcd82e9478","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:38.898Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34912}}}},{"id":"2dac9f24-f623-4697-8e72-60f463893e8d","updated_at":"2024-07-12T20:36:41.508Z","updated_by":"elastic","created_at":"2024-07-12T20:36:41.508Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"b3516ea6-c785-461b-ad3b-6b91aa017d83","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-18T15:52:38.896Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":34912}}}},{"id":"637615b9-2e4a-4fb1-8a5b-6db01a83c064","updated_at":"2024-07-18T15:52:57.257Z","updated_by":"elastic","created_at":"2024-07-18T15:52:57.257Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"04972245-a681-406b-9432-43abce22701e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[]}]}
All Rules Before Deletion:

As you can see, the function creates the rule without any problems. The issue I am facing now is with the deletion of any rule returned by the query (shown below).

The rule deletion attempt

Attempting to delete rule with ID: 11bc109e-094d-436c-9142-a442c35cf20a
Response Status Code: 404
Response Headers: {'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'strict-origin-when-cross-origin', 'Permissions-Policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'Cross-Origin-Opener-Policy': 'same-origin', 'Content-Security-Policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'Content-Security-Policy-Report-Only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'content-length': '60', 'Date': 'Thu, 18 Jul 2024 15:52:58 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120'}
Response Text: {"statusCode":404,"error":"Not Found","message":"Not Found"}
Failed to delete rule with ID: 11bc109e-094d-436c-9142-a442c35cf20a, verifying existence...
Response Status Code: 200
Response Headers: {'elastic-api-version': '2023-10-31', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'permissions-policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'cross-origin-opener-policy': 'same-origin', 'content-security-policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'content-security-policy-report-only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'vary': 'accept-encoding', 'content-encoding': 'gzip', 'Date': 'Thu, 18 Jul 2024 15:52:58 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120', 'Transfer-Encoding': 'chunked'}
Response Text: {"page":1,"perPage":20,"total":15,"data":[{"id":"43ea88e7-6f69-4d4e-917c-d91d952f6caa","updated_at":"2024-07-17T16:00:46.621Z","updated_by":"elastic","created_at":"2024-07-12T21:03:07.357Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":false,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"33bf4870-0091-4548-a46d-ac5dac913557","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-17T15:56:36.851Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
Attempting to delete rule with ID: 2a4714de-f6b2-497f-b000-8a5f8fa4a7e5
Response Status Code: 404
Response Headers: {'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'strict-origin-when-cross-origin', 'Permissions-Policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'Cross-Origin-Opener-Policy': 'same-origin', 'Content-Security-Policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'Content-Security-Policy-Report-Only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'content-length': '60', 'Date': 'Thu, 18 Jul 2024 15:52:58 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120'}
Response Text: {"statusCode":404,"error":"Not Found","message":"Not Found"}
Failed to delete rule with ID: 2a4714de-f6b2-497f-b000-8a5f8fa4a7e5, verifying existence...


I would really appreciate it if you could be so kind as to help me resolve this problem.

Thank you.

Hi @Emin,

I assume you are using the Delete Rule API?

It looks like you are receiving 404 errors for a subset of the rules. Can you confirm that the IDs are correct, that the rule with that ID exists, and that those rules have been created within the default Kibana space? As covered in the documentation, if the space is not specified it will assume the default space.

Hope that helps!
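As an added example (not Carly's or Elastic's code), the deletion step reworked around the points above: the Delete Rule API takes the identifier as a query parameter (?id= or ?rule_id=), so a DELETE with the id in the path matches no route and gets Kibana's generic 404 "Not Found"; a non-default space is addressed with the /s/<space>/ prefix; _find is paged; and each rule is read back before it is deleted. The host, the API-key placeholder, the CA path and the SAMPLE_RULES list are assumptions.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

RULES_PATH = "/api/detection_engine/rules"

def space_prefix(space=None):
    """Kibana scopes its APIs per space (/s/<space>/api/...); the default
    space has no prefix, which is why an unprefixed call targets 'default'."""
    if not space or space == "default":
        return ""
    return "/s/" + urllib.parse.quote(space, safe="")

def rule_url(base_url, rule_id, space=None, by="id"):
    """URL for reading or deleting one rule: the identifier goes in the query
    string (?id= Kibana's own id, ?rule_id= the user-facing one), not the path."""
    if by not in ("id", "rule_id"):
        raise ValueError("by must be 'id' or 'rule_id'")
    query = urllib.parse.urlencode({by: rule_id})
    return f"{base_url}{space_prefix(space)}{RULES_PATH}?{query}"

def find_url(base_url, page, per_page=100, space=None):
    query = urllib.parse.urlencode({"page": page, "per_page": per_page})
    return f"{base_url}{space_prefix(space)}{RULES_PATH}/_find?{query}"

def api_headers(token):
    return {"Authorization": f"ApiKey {token}", "kbn-xsrf": "true",
            "Content-Type": "application/json"}

def call(method, url, token, ctx, body=None):
    """Send one request; return (status, JSON). 404s are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=api_headers(token), method=method)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"message": raw.decode(errors="replace")}

def fetch_all_rules(base_url, token, ctx, space=None):
    """_find is paginated (perPage defaults to 20): walk every page."""
    rules, page = [], 1
    while True:
        status, payload = call("GET", find_url(base_url, page, space=space), token, ctx)
        if status != 200:
            raise RuntimeError(f"_find failed: {status} {payload}")
        rules.extend(payload["data"])
        if not payload["data"] or len(rules) >= payload["total"]:
            return rules
        page += 1

def plan_duplicate_deletions(rules):
    """Keep the oldest rule of each name (by created_at) and return the Kibana
    ids of the rest; sorting random UUIDs, as the script in the thread did, is arbitrary."""
    by_name = {}
    for rule in rules:
        by_name.setdefault(rule["name"], []).append(rule)
    to_delete = []
    for group in by_name.values():
        if len(group) > 1:
            group.sort(key=lambda r: r["created_at"])
            to_delete.extend(r["id"] for r in group[1:])
    return to_delete

def delete_rules(base_url, token, ids, ctx, space=None):
    """Confirm each rule is visible in this space, then delete it by id."""
    outcome = {}
    for rule_id in ids:
        url = rule_url(base_url, rule_id, space=space)
        status, _ = call("GET", url, token, ctx)
        if status == 404:  # wrong id, or the rule lives in another space
            outcome[rule_id] = "missing"
            continue
        status, _ = call("DELETE", url, token, ctx)
        outcome[rule_id] = "deleted" if status == 200 else f"error:{status}"
    return outcome

# Constructed sample in the shape of the _find output in this thread (ids made up).
SAMPLE_RULES = [
    {"id": "aaaa-1", "name": "Test Custom Query Rule", "created_at": "2024-07-11T20:54:57.717Z"},
    {"id": "bbbb-2", "name": "Test Custom Query Rule", "created_at": "2024-07-12T20:33:10.014Z"},
    {"id": "cccc-3", "name": "Test Custom Query Rule Two", "created_at": "2024-07-11T21:08:57.119Z"},
]

if __name__ == "__main__":
    # Trust the lab CA (placeholder path) instead of disabling verification.
    tls = ssl.create_default_context(cafile="/path/to/kibana-ca.pem")
    base, token = "https://192.168.10.131:5601", "<api-key-base64>"
    ids = plan_duplicate_deletions(fetch_all_rules(base, token, tls))
    print(json.dumps(delete_rules(base, token, ids, tls), indent=2))
```

A 'missing' outcome is the case Carly's reply describes: the id is wrong or the rule was created in a space other than the one addressed.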

Hi Carly. Thank you for your response. I am including the Python code which creates and attempts to delete rules.

import requests
import json
import urllib3
from collections import defaultdict

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

base_url = "https://192.168.10.131:5601"

def create_rule(rule_data, token):
    url = f"{base_url}/api/detection_engine/rules"
    headers = {
        "Authorization": f"ApiKey {token}",
        "kbn-xsrf": "true",
        "Content-Type": "application/json"
    }
    response = requests.post(url, json=rule_data, headers=headers, verify=False)
    print_response(response)
    return response.json()["id"]

def fetch_all_rules(token):
    url = f"{base_url}/api/detection_engine/rules/_find"
    headers = {
        "Authorization": f"ApiKey {token}",
        "kbn-xsrf": "true",
        "Content-Type": "application/json"
    }
    response = requests.get(url, headers=headers, verify=False)
    print_response(response)
    return response.json()["data"]

def delete_rule(rule_id, token):
    url = f"{base_url}/api/detection_engine/rules/{rule_id}"
    headers = {
        "Authorization": f"ApiKey {token}",
        "kbn-xsrf": "true",
        "Content-Type": "application/json"
    }
    response = requests.delete(url, headers=headers, verify=False)
    print_response(response)
    return response.status_code == 200

def print_response(response):
    print("Response Status Code:", response.status_code)
    print("Response Headers:", response.headers)
    print("Response Text:", response.text)

token = "UXkzN0o1QUJnYW9Td2d5ejNJd3Q6dG1kTjhPSkpTN0N5RzRhOXloZkd2UQ=="

rule_data = {
    "description": "This is a test rule to detect suspicious activity.",
    "name": "Test Custom Query Rule",
    "risk_score": 50,
    "severity": "high",
    "type": "query",
    "query": "process.name: \"malicious.exe\"",
    "interval": "5m",
    "from": "now-6m",
    "to": "now",
    "enabled": True,
    "index": ["logs-*"],
    "language": "kuery"
}

rule_id = create_rule(rule_data, token)

all_rules = fetch_all_rules(token)
print("All Rules Before Deletion:")
for rule in all_rules:
    print(json.dumps(rule, indent=2))

rule_names = defaultdict(list)
for rule in all_rules:
    rule_names[rule['name']].append(rule['id'])

print("\nDuplicate Rules:")
for name, ids in rule_names.items():
    if len(ids) > 1:
        print(f"Rule Name: {name}")
        for rule_id in ids:
            print(f"  - Rule ID: {rule_id}")

for name, ids in rule_names.items():
    if len(ids) > 1:
        ids_to_delete = sorted(ids)[:-1]
        for rule_id in ids_to_delete:
            print(f"Attempting to delete rule with ID: {rule_id}")
            if delete_rule(rule_id, token):
                print(f"Deleted rule with ID: {rule_id}")
            else:
                print(f"Failed to delete rule with ID: {rule_id}, verifying existence...")
                all_rules = fetch_all_rules(token)
                existing_ids = [rule['id'] for rule in all_rules]
                if rule_id not in existing_ids:
                    print(f"Rule with ID: {rule_id} does not exist. Skipping...")

all_rules_after_deletion = fetch_all_rules(token)

print("\nAll Rules After Deletion:")
for rule in all_rules_after_deletion:
    print(json.dumps(rule, indent=2))

I am writing another reply to your last response, as the output of the code here won't fit in this reply.

And this is part of the output I get when I run the code in the previous reply:

Response Status Code: 200
Response Headers: {'elastic-api-version': '2023-10-31', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'permissions-policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'cross-origin-opener-policy': 'same-origin', 'content-security-policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'content-security-policy-report-only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'content-length': '794', 'Date': 'Wed, 24 Jul 2024 20:04:48 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120'}
Response Text: {"name":"Test Custom Query Rule","description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","version":1,"tags":[],"enabled":true,"risk_score_mapping":[],"severity_mapping":[],"interval":"5m","from":"now-6m","to":"now","actions":[],"exceptions_list":[],"author":[],"false_positives":[],"references":[],"max_signals":100,"threat":[],"setup":"","id":"f289f429-94c2-41fa-9525-904159b94588","rule_id":"70690b3c-c4bc-4539-8edf-b6b555f38ca9","immutable":false,"updated_at":"2024-07-24T20:04:46.681Z","updated_by":"elastic","created_at":"2024-07-24T20:04:46.681Z","created_by":"elastic","revision":0,"related_integrations":[],"required_fields":[],"type":"query","index":["logs-*"],"query":"process.name: \"malicious.exe\"","language":"kuery"}
Response Status Code: 200
Response Headers: {'elastic-api-version': '2023-10-31', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'permissions-policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'cross-origin-opener-policy': 'same-origin', 'content-security-policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'content-security-policy-report-only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'vary': 'accept-encoding', 'content-encoding': 'gzip', 'Date': 'Wed, 24 Jul 2024 20:04:48 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120', 'Transfer-Encoding': 'chunked'}
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"0bd477ae-e1f7-4893-b6e4-88048c6ce8c6","updated_at":"2024-07-17T15:52:40.162Z","updated_by":"elastic","created_at":"2024-07-17T15:52:40.162Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"d9fee890-9d78-4fe1-a323-056ddfec5c91","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.007Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"637615b9-2e4a-4fb1-8a5b-6db01a83c064","updated_at":"2024-07-18T15:52:57.257Z","updated_by":"elastic","created_at":"2024-07-18T15:52:57.257Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"04972245-a681-406b-9432-43abce22701e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.004Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"2dac9f24-f623-4697-8e72-60f463893e8d","updated_at":"2024-07-12T20:36:41.508Z","updated_by":"elastic","created_at":"2024-07-12T20:36:41.508Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"b3516ea6-c785-461b-ad3b-6b91aa017d83","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.009Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"c5d0f760-a299-40f4-ba00-f0448dc6f1ef","updated_at":"2024-07-14T08:52:15.140Z","updated_by":"elastic","created_at":"2024-07-14T08:52:15.140Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"67550e19-7d41-4e67-b53d-6a8066d9fad5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.010Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"bda76709-d0f8-4461-b5b6-b88518f74daf","updated_at":"2024-07-17T15:55:41.721Z","updated_by":"elastic","created_at":"2024-07-17T15:55:41.721Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"cde491da-154e-4bb4-a948-0f44f42b30e5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.010Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"f289f429-94c2-41fa-9525-904159b94588","updated_at":"2024-07-24T20:04:46.681Z","updated_by":"elastic","created_at":"2024-07-24T20:04:46.681Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"70690b3c-c4bc-4539-8edf-b6b555f38ca9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[]}]}

And then this:

Attempting to delete rule with ID: 11bc109e-094d-436c-9142-a442c35cf20a
Response Status Code: 404
Response Headers: {'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'strict-origin-when-cross-origin', 'Permissions-Policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'Cross-Origin-Opener-Policy': 'same-origin', 'Content-Security-Policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'Content-Security-Policy-Report-Only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'content-length': '60', 'Date': 'Wed, 24 Jul 2024 20:04:48 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120'}
Response Text: {"statusCode":404,"error":"Not Found","message":"Not Found"}
Failed to delete rule with ID: 11bc109e-094d-436c-9142-a442c35cf20a, verifying existence...
Response Status Code: 200
Response Headers: {'elastic-api-version': '2023-10-31', 'x-content-type-options': 'nosniff', 'referrer-policy': 'strict-origin-when-cross-origin', 'permissions-policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'cross-origin-opener-policy': 'same-origin', 'content-security-policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'content-security-policy-report-only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'vary': 'accept-encoding', 'content-encoding': 'gzip', 'Date': 'Wed, 24 Jul 2024 20:04:49 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120', 'Transfer-Encoding': 'chunked'}
Response Text: {"page":1,"perPage":20,"total":16,"data":[{"id":"790af310-94e3-4996-916d-6c5b2c3e4c4e","updated_at":"2024-07-19T13:51:51.491Z","updated_by":"elastic","created_at":"2024-07-17T16:06:21.003Z","created_by":"elastic","name":"Test Custom Query Rule [Duplicate]","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"397c6715-53bf-47ba-abc4-bcbf5562f55f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.989Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39711}}}},{"id":"43ea88e7-6f69-4d4e-917c-d91d952f6caa","updated_at":"2024-07-19T13:51:48.853Z","updated_by":"elastic","created_at":"2024-07-12T21:03:07.357Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"33bf4870-0091-4548-a46d-ac5dac913557","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.989Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39711}}}},{"id":"cdfd0434-f633-4c58-86f2-1fb1764ca423","updated_at":"2024-07-11T21:09:35.371Z","updated_by":"elastic","created_at":"2024-07-11T21:09:35.371Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"713ff16f-fcca-4ffb-8a84-c8b88179adf3","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.990Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39711}}}},{"id":"7a4c2f24-20ac-4ead-90ed-7d09324a2596","updated_at":"2024-07-11T20:54:57.717Z","updated_by":"elastic","created_at":"2024-07-11T20:54:57.717Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"f2af7829-1fd8-4dfe-bdf0-e74316f12526","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.988Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39711}}}},{"id":"fcc1c99c-1e0e-4998-896e-541cd0b855c6","updated_at":"2024-07-11T20:57:50.811Z","updated_by":"elastic","created_at":"2024-07-11T20:57:50.811Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"f652c302-673c-4b74-a220-4621ad3e4da5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.986Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39708}}}},{"id":"d8e6c0a8-3142-4715-b180-982bc79cf523","updated_at":"2024-07-17T15:59:28.052Z","updated_by":"elastic","created_at":"2024-07-17T15:59:28.052Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"4ebb2130-6e77-4f66-b35e-d2aa87370d37","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.988Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39711}}}},{"id":"2a4714de-f6b2-497f-b000-8a5f8fa4a7e5","updated_at":"2024-07-12T20:34:55.170Z","updated_by":"elastic","created_at":"2024-07-12T20:34:55.170Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"08a4a98c-f3b9-4e39-8464-cb736325c78a","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.987Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39711}}}},{"id":"d34e284c-0914-44c8-b7b2-659797aa1b0f","updated_at":"2024-07-12T20:33:10.014Z","updated_by":"elastic","created_at":"2024-07-12T20:33:10.014Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"0f3eaa19-03e3-462e-831d-71b58d231444","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.991Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39708}}}},{"id":"9c3e97ab-c4bb-4d98-a7a8-df5528da73a5","updated_at":"2024-07-11T21:08:57.119Z","updated_by":"elastic","created_at":"2024-07-11T21:08:57.119Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"62995514-34fe-4a29-8a04-585b12ff209e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:36.986Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39711}}}},{"id":"11bc109e-094d-436c-9142-a442c35cf20a","updated_at":"2024-07-14T08:13:15.517Z","updated_by":"elastic","created_at":"2024-07-14T08:13:15.517Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"71c32e3c-40b5-446d-b638-fefcd82e9478","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.009Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"0bd477ae-e1f7-4893-b6e4-88048c6ce8c6","updated_at":"2024-07-17T15:52:40.162Z","updated_by":"elastic","created_at":"2024-07-17T15:52:40.162Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"d9fee890-9d78-4fe1-a323-056ddfec5c91","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.007Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"637615b9-2e4a-4fb1-8a5b-6db01a83c064","updated_at":"2024-07-18T15:52:57.257Z","updated_by":"elastic","created_at":"2024-07-18T15:52:57.257Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"04972245-a681-406b-9432-43abce22701e","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.004Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"2dac9f24-f623-4697-8e72-60f463893e8d","updated_at":"2024-07-12T20:36:41.508Z","updated_by":"elastic","created_at":"2024-07-12T20:36:41.508Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"b3516ea6-c785-461b-ad3b-6b91aa017d83","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.009Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"c5d0f760-a299-40f4-ba00-f0448dc6f1ef","updated_at":"2024-07-14T08:52:15.140Z","updated_by":"elastic","created_at":"2024-07-14T08:52:15.140Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"67550e19-7d41-4e67-b53d-6a8066d9fad5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.010Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"bda76709-d0f8-4461-b5b6-b88518f74daf","updated_at":"2024-07-17T15:55:41.721Z","updated_by":"elastic","created_at":"2024-07-17T15:55:41.721Z","created_by":"elastic","name":"Test Custom Query Rule Two","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"cde491da-154e-4bb4-a948-0f44f42b30e5","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[],"execution_summary":{"last_execution":{"date":"2024-07-24T20:03:31.010Z","status":"partial failure","status_order":20,"message":"This rule is attempting to query data from Elasticsearch indices listed in the \"Index patterns\" section of the rule definition, however no index matching: [\"logs-*\"] was found. 
This warning will continue to appear until a matching index is created or this rule is disabled.","metrics":{"execution_gap_duration_s":39710}}}},{"id":"f289f429-94c2-41fa-9525-904159b94588","updated_at":"2024-07-24T20:04:46.681Z","updated_by":"elastic","created_at":"2024-07-24T20:04:46.681Z","created_by":"elastic","name":"Test Custom Query Rule","tags":[],"interval":"5m","enabled":true,"revision":0,"description":"This is a test rule to detect suspicious activity.","risk_score":50,"severity":"high","output_index":"","author":[],"false_positives":[],"from":"now-6m","rule_id":"70690b3c-c4bc-4539-8edf-b6b555f38ca9","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"query","language":"kuery","index":["logs-*"],"query":"process.name: \"malicious.exe\"","actions":[]}]}
Attempting to delete rule with ID: 2a4714de-f6b2-497f-b000-8a5f8fa4a7e5
Response Status Code: 404 ..... and so forth
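The output above shows the pattern worth catching in a script: the DELETE comes back 404 with the bare message "Not Found", and the rule is still present in the _find listing afterwards. The detection engine delete endpoint takes the rule's id (or rule_id) as a query parameter on /api/detection_engine/rules, and Kibana answers a URL that matches no route with exactly that generic 404, which looks nothing like the 404 you get when the route is right but the rule is gone. The following is an added example, not code from the original post; the Kibana URL and API key are placeholders, the sample _find page is constructed from the shape of the output above, and the use of urllib instead of requests is a choice made here to keep the example dependency-free.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Placeholders for illustration; replace with your own Kibana URL and API key.
KIBANA_URL = "https://192.168.10.131:5601"
API_KEY = "REPLACE_ME"

# Constructed sample, trimmed to the fields this example needs, in the shape of
# a /api/detection_engine/rules/_find page (page, perPage, total, data).
SAMPLE_FIND_PAGE = {
    "page": 1, "perPage": 20, "total": 16,
    "data": [
        {"id": "11bc109e-094d-436c-9142-a442c35cf20a",
         "rule_id": "71c32e3c-40b5-446d-b638-fefcd82e9478",
         "name": "Test Custom Query Rule"},
    ],
}


def build_delete_request(kibana_url, rule_id, api_key):
    """The delete endpoint takes the id as a query parameter, not a path segment."""
    query = urllib.parse.urlencode({"id": rule_id})
    url = f"{kibana_url.rstrip('/')}/api/detection_engine/rules?{query}"
    headers = {
        "kbn-xsrf": "true",  # Kibana rejects state-changing calls without it
        "Authorization": f"ApiKey {api_key}",
    }
    return url, headers


def classify_delete_response(status, body_text):
    """Tell the outcomes apart. A 404 whose message is just "Not Found" is
    Kibana's generic answer for a route that does not exist (wrong URL);
    a 404 that names the id means the route was right but the rule is absent."""
    try:
        body = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        body = {}
    message = str(body.get("message", ""))
    if status == 200:
        return "deleted"
    if status == 404 and message == "Not Found":
        return "route_not_found"
    if status == 404:
        return "rule_not_found"
    return "error"


def rule_exists(find_response, rule_id):
    """Look for the id in one _find page. Returns True or False, or None when
    the page does not cover the whole rule set (_find paginates, 20 per page
    by default), in which case GET /api/detection_engine/rules?id=... is the
    cheaper and unambiguous check."""
    if any(r.get("id") == rule_id for r in find_response.get("data", [])):
        return True
    covered = find_response.get("page", 1) * find_response.get("perPage", 0)
    return False if covered >= find_response.get("total", 0) else None


def delete_rule(kibana_url, rule_id, api_key, ca_file=None):
    """Send the DELETE and classify the result. Pass the CA bundle that signed
    Kibana's certificate (ca_file) instead of switching verification off."""
    url, headers = build_delete_request(kibana_url, rule_id, api_key)
    req = urllib.request.Request(url, method="DELETE", headers=headers)
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return classify_delete_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_delete_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample and the 404 seen above.
    generic_404 = '{"statusCode":404,"error":"Not Found","message":"Not Found"}'
    print(classify_delete_response(404, generic_404))
    print(rule_exists(SAMPLE_FIND_PAGE, "11bc109e-094d-436c-9142-a442c35cf20a"))
```

When delete_rule() returns "route_not_found", fix the URL before doing anything else; retrying or "verifying existence" only confirms what the status already said. The request builder also keeps the kbn-xsrf header in one place, which is the other common cause of surprising rejections from Kibana's API.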

Hello Carly. Thank you once again for your help and support so far!

I have managed to create a working delete function, which uses the delete API. However, I am now having a problem with the Update API; well, not the API itself, but the function I have written. It uses the Update API, but when I run it, I get the following error:

Updating rule ID: e4e52120-6fff-4a30-9c28-29556435f053
Response Status Code: 400
Response Headers: {'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'strict-origin-when-cross-origin', 'Permissions-Policy': 'camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), web-share=()', 'Cross-Origin-Opener-Policy': 'same-origin', 'Content-Security-Policy': "script-src 'report-sample' 'self'; worker-src 'report-sample' 'self' blob:; style-src 'report-sample' 'self' 'unsafe-inline'", 'Content-Security-Policy-Report-Only': "form-action 'report-sample' 'self'", 'kbn-name': 'ELK', 'kbn-license-sig': '5ae299c31b5c858a983f4c0f88424dceb65af842a09815eed2126b7702005236', 'content-type': 'application/json; charset=utf-8', 'cache-control': 'private, no-cache, no-store, must-revalidate', 'content-length': '111', 'Date': 'Thu, 08 Aug 2024 20:49:03 GMT', 'Connection': 'keep-alive', 'Keep-Alive': 'timeout=120'}
Response Text: {"statusCode":400,"error":"Bad Request","message":"[request body.enabled]: definition for this key is missing"}
Failed to update rule with ID: e4e52120-6fff-4a30-9c28-29556435f053

This is the function code:

def update_rules_on_criteria(rules, token):
    for rule in rules:
        if rule['severity'] == 'high' and rule['risk_score'] < 75:
            rule_details = fetch_rule(rule['id'], token)
            update_data = {
                "name": rule_details.get('name', ''),
                "tags": rule_details.get('tags', []),
                "enabled": rule_details.get('enabled', True),
                "params": rule_details.get('params', {}),
                "schedule": rule_details.get('schedule', {}),
                "actions": rule_details.get('actions', []),
                "throttle": rule_details.get('throttle', None),
                "notify_when": rule_details.get('notify_when', 'onActionGroupChange'),
                "risk_score": 75,  # Update risk_score to 75
                "description": rule_details.get('params', {}).get('description', ''),
                "from": rule_details.get('params', {}).get('from', 'now-6m'),
                "to": rule_details.get('params', {}).get('to', 'now'),
                "index": rule_details.get('params', {}).get('index', []),
                "language": rule_details.get('params', {}).get('language', 'kuery'),
                "query": rule_details.get('params', {}).get('query', '')
            }
            print(f"Updating rule ID: {rule['id']}")
            if update_rule(rule['id'], update_data, token):
                print(f"Updated rule with ID: {rule['id']}")
            else:
                print(f"Failed to update rule with ID: {rule['id']}")

Would you please be so kind as to help me figure out what I am doing wrong?

Thank you kindly.

Hi @Emin,

To confirm, it's the detection rules update rule API that you are using? Are you using the PUT or PATCH functionality?

It looks like it's an issue with the enabled field. Can you try removing that item from your code? As per the documentation it is an optional attribute that defaults to true, which from your code looks like what you need.

As an aside, it appears that you are adding all fields to the update request? Are the values always different on update? If not, I would recommend only updating what you need using the PATCH protocol if you can.

Hope that helps!
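Putting the two suggestions above together (drop the enabled key, and send only the fields that change via PATCH), here is an added example that is not code from either poster: it selects rules with the thread's criterion (severity high, risk_score below 75), builds a minimal PATCH body against the detection engine rules endpoint, and keeps the HTTP client injectable so the logic can be exercised offline. The Kibana host is the one from the thread; the API key value and the sample rules are placeholders.

```python
import json
import urllib.error
import urllib.request

# Kibana host taken from the thread; the endpoint is the detection engine "patch rule" API.
KIBANA_URL = "https://192.168.10.131:5601"
PATCH_RULE_ENDPOINT = KIBANA_URL + "/api/detection_engine/rules"


def select_rules(rules):
    """Same criterion as the thread: severity 'high' with a risk_score below 75."""
    return [r for r in rules if r.get("severity") == "high" and r.get("risk_score", 0) < 75]


def build_patch_body(rule, new_risk_score=75):
    """Build a PATCH body holding only the rule id and the fields that actually change.
    'enabled' is deliberately omitted: the rule keeps its current state on the server."""
    body = {"id": rule["id"]}
    if rule.get("risk_score") != new_risk_score:
        body["risk_score"] = new_risk_score
    return body


def patch_rule(body, api_key, opener=urllib.request.urlopen):
    """Send one PATCH and return (status, parsed JSON). 'opener' is injectable for testing."""
    req = urllib.request.Request(
        PATCH_RULE_ENDPOINT,
        data=json.dumps(body).encode("utf-8"),
        method="PATCH",
        headers={"Authorization": f"ApiKey {api_key}",
                 "kbn-xsrf": "true",               # required by Kibana on write requests
                 "Content-Type": "application/json"},
    )
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        # Kibana returns validation failures (e.g. statusCode 400) as a JSON body; surface it.
        return err.code, json.loads(err.read().decode("utf-8"))


def raise_risk_scores(rules, api_key, opener=urllib.request.urlopen):
    """Raise risk_score to 75 on every matching rule; returns {rule id: (status, response)}."""
    results = {}
    for rule in select_rules(rules):
        body = build_patch_body(rule)
        if len(body) == 1:  # only the id is present, so nothing would change
            continue
        results[rule["id"]] = patch_rule(body, api_key, opener)
    return results
```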