Error using BulkEditAction[] object

Hi, I am using Elasticsearch 8.7.1 and I am trying to update my security rules in EDR with an email action in bulk. I have tried the following:

PUT api/detection_engine/rules/_bulk_action
{
  "action": "edit",
  "edit": [
    {
      "type": "add_rule_actions",
      "value": {
        "actions": [
          {
            "action_type_id": ".email",
            "params": {
              "to": "email-id",
              "subject": "{{alert.actionGroup}}{{alert.actionSubgroup}}{{alert.actionGroupName}}",
              "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
            }
          }
        ],
        "throttle": "rule"
      }
    }
  ]
}

However, it says:

{
  "error": "no handler found for uri [/api/detection_engine/rules/_bulk_action?pretty=true] and method [PUT]"
}

I also tried curl:

curl -X POST "https://url:9200/api/detection_engine/rules/_bulk_action?pretty" -H 'Content-Type: application/json' -d'
{
  "action": "edit",
  "edit": [
    {
      "type": "add_rule_actions",
      "value": {
        "actions": [
          {
            "action_type_id": ".email",
            "params": {
              "to": "email-id",
              "subject": "{{alert.actionGroup}}{{alert.actionSubgroup}}{{alert.actionGroupName}}",
              "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
            }
          }
        ],
        "throttle": "rule"
      }
    }
  ]
}
'

Any idea what might be wrong in the approach? I have also tried POST instead of PUT, with the same error.

Hi @M_S, since this is a Kibana API, you need to add kbn: to the start of the API endpoint:

PUT kbn:api/detection_engine/rules/_bulk_action
{
  "action": "edit",
  "edit": [
    {
      "type": "add_rule_actions",
      "value": {
        "actions": [
          {
            "action_type_id": ".email",
            "params": {
              "to": "email-id",
              "subject": "{{alert.actionGroup}}{{alert.actionSubgroup}}{{alert.actionGroupName}}",
              "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
            }
          }
        ],
        "throttle": "rule"
      }
    }
  ]
}

And, for curl, use your Kibana URL, not Elasticsearch.

Hi, thanks for replying. I tried the following curl now:

curl -u "user:password" -k -X PUT "https://url:5601/kbn:api/detection_engine/rules/_bulk_action" -H 'Content-Type: application/json' -d'
{
  "action": "edit",
  "edit": [
    {
      "type": "add_rule_actions",
      "value": {
        "actions": [
          {
            "action_type_id": ".email",
            "params": {
              "to": "mail-id",
              "subject": "{{alert.actionGroup}}{{alert.actionSubgroup}}{{alert.actionGroupName}}",
              "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
            }
          }
        ],
        "throttle": "rule"
      }
    }
  ]
}'

But it's giving me:

{"statusCode":404,"error":"Not Found","message":"Not Found"}

I also tried the following request in Kibana Dev Tools:

PUT kbn:api/detection_engine/rules/_bulk_action
{
  "action": "edit",
  "edit": [
    {
      "type": "add_rule_actions",
      "value": {
        "actions": [
          {
            "action_type_id": ".email",
            "params": {
              "to": "email-id",
              "subject": "{{alert.actionGroup}}{{alert.actionSubgroup}}{{alert.actionGroupName}}",
              "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
            }
          }
        ],
        "throttle": "rule"
      }
    }
  ]
}

Same error 404.

Ok, one update: I browsed https://url:5601/api/status, and the detection_engine API call was not listed in it. Is it because I am using version 8.7.1?

Hi @M_S,

kbn: should only be used in dev tools, as it implies that you want to use Kibana APIs, not Elasticsearch. So, if using a client like cURL, you just need the Kibana URL.

Additionally, you should be using POST, not PUT. Sorry, I should have called this out in the first reply.

James

Ok. I used the lines below in Dev Tools.

POST kbn:api/detection_engine/rules/_bulk_action
{
  "action": "edit",
  "edit": [
    {
      "type": "add_rule_actions",
      "value": {
        "actions": [
          {
            "action_type_id": ".email",
            "params": {
              "to": "email-id",
              "subject": "{{alert.actionGroup}}{{alert.actionSubgroup}}{{alert.actionGroupName}}",
              "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
            }
          }
        ],
        "throttle": "rule"
      }
    }
  ]
}

But it's giving the same error.

{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "[request body]: Invalid value \"edit\" supplied to \"action\",Invalid value \"add_rule_actions\" supplied to \"edit,type\",Invalid value \"{\"actions\":[{\"action_type_id\":\".email\",\"params\":{\"to\":\"email@company.com\",\"subject\":\"{{alert.actionGroup}}{{alert.actionSubgroup}}{{alert.actionGroupName}}\",\"message\":\"Rule {{context.rule.name}} generated {{state.signals_count}} alerts\"}}],\"throttle\":\"rule\"}\" supplied to \"edit,value\",Invalid value \"undefined\" supplied to \"edit,value,timeline_id\",Invalid value \"undefined\" supplied to \"edit,value,timeline_title\",Invalid value \"undefined\" supplied to \"edit,value,actions,group\",Invalid value \"undefined\" supplied to \"edit,value,actions,id\",Invalid value \"undefined\" supplied to \"edit,value,interval\",Invalid value \"undefined\" supplied to \"edit,value,lookback\""
}

However, I see that the message body part of the error has now changed a bit.

It's a different error. It means your request isn't formatted properly. You're almost there!

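The 400 response above is the key to the remaining problem: the error lists `edit,value,actions,id` and `edit,value,actions,group` as undefined (the `timeline_*`, `interval` and `lookback` entries come from the other edit types in the same union schema). Each entry in `actions` for `add_rule_actions` must reference an existing connector by `id` and carry a `group` (`"default"` for detection rules); the `.email` connector type is taken from that connector rather than from an `action_type_id` field in the request, and the email connector's `to` parameter is an array, not a string. The script below is an added example, not code from the thread or from Elastic: it builds a body that matches what the schema asks for, checks the posted body against those same requirements, and sends the request to the Kibana URL with POST and the `kbn-xsrf` header every Kibana API write needs. The connector id, recipient, rule query and Kibana URL are placeholders; the `dry_run` query parameter and the `throttle` values are taken from the 8.7 bulk action documentation. TLS verification is left on, unlike the `-k` in the curl attempts; do not disable it against a production Kibana.

```python
"""Build, check and send a Security Solution bulk-edit request that attaches an
email connector to detection rules (Kibana 8.x).

Endpoint (Kibana, not Elasticsearch):
    POST {kibana_url}/api/detection_engine/rules/_bulk_action
The connector id, recipient and query used here are placeholders.
"""
import base64
import json
import urllib.request

# Values accepted by the 8.x bulk action schema.
BULK_ACTIONS = {"enable", "disable", "delete", "duplicate", "export", "edit"}
EDIT_TYPES = {
    "add_tags", "delete_tags", "set_tags",
    "add_index_patterns", "delete_index_patterns", "set_index_patterns",
    "set_timeline", "add_rule_actions", "set_rule_actions", "set_schedule",
}
THROTTLE_VALUES = {"rule", "1h", "1d", "7d"}  # 8.7 throttle values for add/set_rule_actions

# The body posted in the thread, with the address replaced by a placeholder.
POSTED_BODY = {
    "action": "edit",
    "edit": [{"type": "add_rule_actions", "value": {
        "actions": [{"action_type_id": ".email",
                     "params": {"to": "email-id", "subject": "{{alert.actionGroupName}}",
                                "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"}}],
        "throttle": "rule"}}],
}


def build_bulk_edit_body(connector_id, recipients, rule_ids=None, query=None, throttle="1h"):
    """Return a body that adds an email action to the selected rules.

    connector_id: id of an existing .email connector (GET /api/actions/connectors).
    recipients:   list of addresses; the email connector takes `to` as an array.
    Select rules with exactly one of `rule_ids` or a KQL `query`.
    """
    if (rule_ids is None) == (query is None):
        raise ValueError("select rules with exactly one of rule_ids or query")
    if throttle not in THROTTLE_VALUES:
        raise ValueError(f"throttle must be one of {sorted(THROTTLE_VALUES)}")
    action = {
        "id": connector_id,   # required: which connector to call
        "group": "default",   # required: action group used by detection rules
        "params": {
            "to": list(recipients),
            "subject": "Rule {{context.rule.name}} fired",
            "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts",
        },
    }
    body = {"action": "edit",
            "edit": [{"type": "add_rule_actions",
                      "value": {"actions": [action], "throttle": throttle}}]}
    if rule_ids is not None:
        body["ids"] = list(rule_ids)
    else:
        body["query"] = query
    return body


def validate_bulk_edit_body(body):
    """Check the fields the 400 response complained about; return a list of problems."""
    problems = []
    if body.get("action") not in BULK_ACTIONS:
        problems.append(f"action: unknown value {body.get('action')!r}")
    if "ids" in body and "query" in body:
        problems.append("use either ids or query, not both")
    for i, step in enumerate(body.get("edit", [])):
        if step.get("type") not in EDIT_TYPES:
            problems.append(f"edit[{i}].type: unknown value {step.get('type')!r}")
        if step.get("type") in ("add_rule_actions", "set_rule_actions"):
            value = step.get("value", {})
            if value.get("throttle") not in THROTTLE_VALUES:
                problems.append(f"edit[{i}].value.throttle: invalid {value.get('throttle')!r}")
            for j, act in enumerate(value.get("actions", [])):
                for key in ("id", "group", "params"):
                    if key not in act:
                        problems.append(f"edit[{i}].value.actions[{j}].{key} missing")
                to = act.get("params", {}).get("to")
                if to is not None and not isinstance(to, list):
                    problems.append(f"edit[{i}].value.actions[{j}].params.to must be a list")
    return problems


def send_bulk_action(kibana_url, user, password, body, dry_run=True):
    """POST the body to Kibana (network call; not exercised offline)."""
    problems = validate_bulk_edit_body(body)
    if problems:
        raise ValueError("refusing to send: " + "; ".join(problems))
    url = f"{kibana_url.rstrip('/')}/api/detection_engine/rules/_bulk_action"
    if dry_run:
        url += "?dry_run=true"  # validate against the rules without changing them
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST", headers={
        "Content-Type": "application/json",
        "kbn-xsrf": "true",  # required on every Kibana API write
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req) as resp:  # TLS verification stays on
        return json.load(resp)
```

Run `validate_bulk_edit_body(POSTED_BODY)` to see the same missing `id` and `group` the server reported, then call `send_bulk_action` with `dry_run=True` first: Kibana validates the edit against the matched rules and reports which would fail without modifying anything, and a second call with `dry_run=False` applies it.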
