I'm trying to export all the 722 rules into an ndjson file, but the file is incomplete. There are two sets of rules: Elastic rules and Custom rules.
I go to Security > Overview > Rules > Select all 722 rules > Bulk Actions > Export selected.
However, the resulting output contains the following, which is NOT what I need.
This is what I get when selecting Elastic rules:
This is what I get when selecting the 20 Custom rules, which is the output I need:
Any idea on how to fix this? Or am I doing something wrong?
Thanks for your help!
@ElasticUser11 As of now, exporting prebuilt Elastic rules is not supported. Users can export only custom rules.
This is why you get "exported_rules_count":0 in the ndjson file when you select the Elastic rules (702) and try to export them.
Can you please share why you would need to export prebuilt rules?
We wanted to create a script containing the rules, descriptions, and tags to analyze the query structure and possibly improve them. We could do that manually, but copying and pasting each one of them (722 x 3) is a bit discouraging, hence the exporting.
@ElasticUser11 If you need to fetch your rules as JSON to do some analysis on them, maybe you could use the rules/_find endpoint? This endpoint can return both prebuilt and custom rules. Just specify a big enough per_page parameter to fetch all of them in a single request.
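As an added example (not code from the thread or from Elastic), here is a small Python script that pulls every rule, prebuilt and custom, through the rules/_find endpoint and writes the name, description, tags, type and query of each one as NDJSON for analysis. Rather than guessing a large enough per_page, it walks the pages until the reported total has been reached. The Kibana URL and API key are placeholders; the response shape ({"page", "perPage", "total", "data"}) and the convention that prebuilt rules carry "immutable": true are assumptions about the API, and the sample rules served by fake_find are constructed so the script runs offline.

```python
"""Fetch every detection rule (prebuilt and custom) via rules/_find and dump
name/description/tags/query as NDJSON. Added example, not Elastic's code."""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

# Assumed response shape of GET /api/detection_engine/rules/_find:
# {"page": n, "perPage": n, "total": n, "data": [rule, ...]}.
# Prebuilt (Elastic) rules are assumed to carry "immutable": true.
FindFn = Callable[[int, int], Dict]

# Constructed sample rules (not real Elastic rules): two prebuilt, three custom.
SAMPLE_RULES: List[Dict] = [
    {"rule_id": "sample-0001", "name": "Sample prebuilt KQL rule",
     "description": "Constructed.", "tags": ["Elastic", "Linux"],
     "type": "query", "query": "process.name:crontab", "immutable": True},
    {"rule_id": "sample-0002", "name": "Sample prebuilt ML rule",
     "description": "Constructed; ML rules carry no query.",
     "tags": ["Elastic", "ML"], "type": "machine_learning", "immutable": True},
    {"rule_id": "custom-0001", "name": "Custom EQL rule",
     "description": "Constructed.", "tags": ["Custom"], "type": "eql",
     "query": "process where process.name == \"nc\"", "immutable": False},
    {"rule_id": "custom-0002", "name": "Custom threshold rule",
     "description": "Constructed.", "tags": ["Custom", "Auth"],
     "type": "threshold", "query": "event.outcome:failure", "immutable": False},
    {"rule_id": "custom-0003", "name": "Custom KQL rule",
     "description": "Constructed.", "tags": ["Custom"],
     "type": "query", "query": "user.name:root", "immutable": False},
]


def fake_find(page: int, per_page: int) -> Dict:
    """Stand-in for the API: serves SAMPLE_RULES one page at a time."""
    start = (page - 1) * per_page
    return {"page": page, "perPage": per_page, "total": len(SAMPLE_RULES),
            "data": SAMPLE_RULES[start:start + per_page]}


def kibana_find(base_url: str, api_key: str) -> FindFn:
    """Real client. base_url and api_key are placeholders for your deployment."""
    def _find(page: int, per_page: int) -> Dict:
        url = (f"{base_url}/api/detection_engine/rules/_find"
               f"?page={page}&per_page={per_page}")
        req = urllib.request.Request(url, headers={
            "Authorization": f"ApiKey {api_key}",
            "kbn-xsrf": "true",  # Kibana expects this header on API calls
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return _find


def iter_rules(find: FindFn, per_page: int = 100) -> Iterator[Dict]:
    """Walk pages until `total` rules have been seen, so nothing is missed
    even when per_page is smaller than the rule count."""
    page, seen = 1, 0
    while True:
        body = find(page, per_page)
        data = body.get("data") or []
        if not data:
            return
        yield from data
        seen += len(data)
        if seen >= int(body.get("total", 0)):
            return
        page += 1


def summarize(rule: Dict) -> Dict:
    """Keep only the fields needed for query analysis. Machine-learning rules
    have no query, so that field becomes None instead of raising."""
    return {
        "rule_id": rule.get("rule_id"),
        "name": rule.get("name"),
        "description": rule.get("description"),
        "tags": rule.get("tags", []),
        "type": rule.get("type"),
        "query": rule.get("query"),
        "prebuilt": bool(rule.get("immutable", False)),
    }


def collect_summaries(find: FindFn, per_page: int = 100) -> List[Dict]:
    return [summarize(r) for r in iter_rules(find, per_page)]


def to_ndjson(summaries: List[Dict]) -> str:
    return "".join(json.dumps(s, ensure_ascii=False) + "\n" for s in summaries)


if __name__ == "__main__":
    # Offline demo against the constructed sample; replace fake_find with
    # kibana_find("https://kibana.example:5601", "<api key>") for a real export.
    rules = collect_summaries(fake_find, per_page=2)
    with open("all_rules.ndjson", "w", encoding="utf-8") as fh:
        fh.write(to_ndjson(rules))
    print(f"exported {len(rules)} rules, "
          f"{sum(r['prebuilt'] for r in rules)} prebuilt")
```

The resulting file is a flat summary for scripting, not the export format the Bulk Actions menu produces, so it is not meant to be re-imported; the prebuilt flag lets you split the two rule sets again during analysis.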