Exporting rules to ndjson generates incomplete file

ElasticUser11 · November 4, 2022, 8:02pm

I'm trying to export all the 722 rules into an ndjson file, but the file is incomplete. There are two sets of rule: Elastic rules and Custom rules.

I go to Security > Overview > Rules > Select all 722 rules > Bulk Actions > Export selected.

However, the resulting output contains the following, which is NOT what I need.

This is what I get when selecting Elastic rules:

This is what I get when selecting the 20 Custom rules, which is the output I need:

Any idea on how to fix this? Or am I doing something wrong?

Thanks for your help!

georgii · November 8, 2022, 12:00pm

@ElasticUser11 As of now, exporting prebuilt Elastic rules is not supported. Users can export only custom rules.

This is why you get the "exported_rules_count":0 in the ndjson file when you select Elastic rules (702) and try to export them.

Can you please share why would you need to export prebuilt rules?

ElasticUser11 · November 8, 2022, 3:01pm

We wanted to created a script containing the rules, descriptions, and tags to analyze the query structure and possibly improve them. We could do that manually, copying and pasting each one of them (722 x 3) is a bit discouraging, hence the exporting.

georgii · November 8, 2022, 3:47pm

@ElasticUser11 If you need to fetch your rules as JSON to do some analysis on them, maybe you could use the rules/_find endpoint? This endpoint can return both prebuilt and custom rules.

Just specify a big enough per_page parameter to fetch all of them in a single request.

ElasticUser11 · November 9, 2022, 2:52pm

That's perfect! Thanks!

system · December 7, 2022, 2:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.