Export Rules -- Getting BAD request

Detlef · February 2, 2022, 5:13pm

I'm trying to extract my created detection rules.

From my python script I receive the following debug messages:

2022-02-02 17:57:22,859 __main__     INFO     Selected the following elastic host for requests: dw-prodkib-00.mydom.country
2022-02-02 17:57:22,859 __main__     DEBUG    Executing POST request against Kibana with http://dw-prodkib-00.mydom.country:5601/api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson
2022-02-02 17:57:22,859 __main__     DEBUG    elasticRequest.auth=('elastic', 'TopSecretPassword')
2022-02-02 17:57:22,859 __main__     DEBUG    elasticRequest.headers={'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
2022-02-02 17:57:22,860 urllib3.connectionpool DEBUG    Starting new HTTP connection (1): dw-prodkib-00.mydom.country:5601
2022-02-02 17:57:22,914 urllib3.connectionpool DEBUG    http://dw-prodkib-00.mydom.country:5601 "POST /api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson HTTP/1.1" 400 92
2022-02-02 17:57:22,915 __main__     ERROR    An Http Error occurred:HTTPError('400 Client Error: Bad Request for url: http://dw-prodkib-00.mydom.country:5601/api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson')
2022-02-02 17:57:22,916 __main__     ERROR    An exception occurred while processing export rules request

I already tried without any parameter, but the error remains the same.

jamesspi · February 3, 2022, 10:42am

Hi @Detlef , as I mentioned on the community slack, it looks like you haven't added a kbn-xsrf header, which is needed for any API call to Kibana.

Detlef · February 3, 2022, 10:56am

That was the trick.

2022-02-03 11:50:10,513 __main__     INFO     Selected the following elastic host for requests: dw-prodkib-00.<my
2022-02-03 11:50:10,513 __main__     DEBUG    Executing POST request against Kibana with http://dw-prodkib-00.mydom.country:5601/api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson
2022-02-03 11:50:10,513 __main__     DEBUG    kibanaRequest.auth=('elastic', 'TopSecretPassword')
2022-02-03 11:50:10,513 __main__     DEBUG    kibanaRequest.headers={'content-type': 'application/json', 'Accept-Charset': 'UTF-8', 'kbn-xsrf': 'true'}
2022-02-03 11:50:10,515 urllib3.connectionpool DEBUG    Starting new HTTP connection (1): dw-prodkib-00.mydom.country:5601
2022-02-03 11:50:12,115 urllib3.connectionpool DEBUG    http://dw-prodkib-00.mydom.country:5601 "POST /api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson HTTP/1.1" 200 297
2022-02-03 11:50:12,117 __main__     INFO     Rules have been exported successfully
2022-02-03 11:50:12,118 __main__     INFO     to file /tmp/exportedRulesProduction.ndjson

Thanks to @jamesspi

jamesspi · February 3, 2022, 12:09pm

Great!

system · March 3, 2022, 12:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't export rules using the detections api Elasticsearch elastic-stack-security	0	113	May 3, 2024
Detection Rule Export API not working SIEM detection-rules	3	547	December 16, 2021
How to use Kibana export API? Kibana elastic-stack-monitoring , elastic-stack-alerting	0	8	October 29, 2024
Detection Custom Rule not working SIEM elastic-stack-alerting , detection-rules	8	1370	May 27, 2021
How to duplicate a rule? Kibana elastic-stack-alerting	8	649	June 7, 2023

Export Rules -- Getting BAD request

Related topics