Export Rules -- Getting BAD request

I'm trying to extract my created detection rules.

From my python script I receive the following debug messages:

2022-02-02 17:57:22,859 __main__     INFO     Selected the following elastic host for requests: dw-prodkib-00.mydom.country
2022-02-02 17:57:22,859 __main__     DEBUG    Executing POST request against Kibana with http://dw-prodkib-00.mydom.country:5601/api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson
2022-02-02 17:57:22,859 __main__     DEBUG    elasticRequest.auth=('elastic', 'TopSecretPassword')
2022-02-02 17:57:22,859 __main__     DEBUG    elasticRequest.headers={'content-type': 'application/json', 'Accept-Charset': 'UTF-8'}
2022-02-02 17:57:22,860 urllib3.connectionpool DEBUG    Starting new HTTP connection (1): dw-prodkib-00.mydom.country:5601
2022-02-02 17:57:22,914 urllib3.connectionpool DEBUG    http://dw-prodkib-00.mydom.country:5601 "POST /api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson HTTP/1.1" 400 92
2022-02-02 17:57:22,915 __main__     ERROR    An Http Error occurred:HTTPError('400 Client Error: Bad Request for url: http://dw-prodkib-00.mydom.country:5601/api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson')
2022-02-02 17:57:22,916 __main__     ERROR    An exception occurred while processing export rules request

I already tried without any parameter, but the error remains the same.

Hi @Detlef , as I mentioned on the community slack, it looks like you haven't added a kbn-xsrf header, which is needed for any API call to Kibana.

That was the trick.

2022-02-03 11:50:10,513 __main__     INFO     Selected the following elastic host for requests: dw-prodkib-00.<my
2022-02-03 11:50:10,513 __main__     DEBUG    Executing POST request against Kibana with http://dw-prodkib-00.mydom.country:5601/api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson
2022-02-03 11:50:10,513 __main__     DEBUG    kibanaRequest.auth=('elastic', 'TopSecretPassword')
2022-02-03 11:50:10,513 __main__     DEBUG    kibanaRequest.headers={'content-type': 'application/json', 'Accept-Charset': 'UTF-8', 'kbn-xsrf': 'true'}
2022-02-03 11:50:10,515 urllib3.connectionpool DEBUG    Starting new HTTP connection (1): dw-prodkib-00.mydom.country:5601
2022-02-03 11:50:12,115 urllib3.connectionpool DEBUG    http://dw-prodkib-00.mydom.country:5601 "POST /api/detection_engine/rules/_export?file_name=/tmp/exportedRulesProduction.ndjson HTTP/1.1" 200 297
2022-02-03 11:50:12,117 __main__     INFO     Rules have been exported successfully
2022-02-03 11:50:12,118 __main__     INFO     to file /tmp/exportedRulesProduction.ndjson

Thanks to @jamesspi

Great!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.