Exporting rules to ndjson generates incomplete file

I'm trying to export all the 722 rules into an ndjson file, but the file is incomplete. There are two sets of rules: Elastic rules and Custom rules.

I go to Security > Overview > Rules > Select all 722 rules > Bulk Actions > Export selected.

However, the resulting output contains the following, which is NOT what I need.

This is what I get when selecting Elastic rules:

This is what I get when selecting the 20 Custom rules, which is the output I need:

Any idea on how to fix this? Or am I doing something wrong?

Thanks for your help!


@ElasticUser11 As of now, exporting prebuilt Elastic rules is not supported. Users can export only custom rules.

This is why you get the "exported_rules_count":0 in the ndjson file when you select Elastic rules (702) and try to export them.

Can you please share why would you need to export prebuilt rules?

We wanted to create a script containing the rules, descriptions, and tags to analyze the query structure and possibly improve them. We could do that manually, but copying and pasting each one of them (722 x 3) is a bit discouraging, hence the exporting.

@ElasticUser11 If you need to fetch your rules as JSON to do some analysis on them, maybe you could use the rules/_find endpoint? This endpoint can return both prebuilt and custom rules.

Just specify a big enough per_page parameter to fetch all of them in a single request.
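As an added example (not code from the thread or from Elastic), here is a small script that pulls prebuilt and custom rules through the `rules/_find` endpoint and writes the name, description, tags and query of each rule as ndjson. It generalizes the advice above by paging through the results until `total` is reached, so it also works when a single `per_page` is not enough; the Kibana URL and credentials are placeholders, and the embedded response is a constructed sample.

```python
import json
import urllib.request
from base64 import b64encode

KIBANA_URL = "https://kibana.example.invalid:5601"  # placeholder (assumption)
FIND_PATH = "/api/detection_engine/rules/_find"

def fetch_all_rules(base_url, username, password, per_page=1000):
    """Page through rules/_find until `total` rules have been collected."""
    auth = b64encode(f"{username}:{password}".encode()).decode()
    headers = {"kbn-xsrf": "true", "Authorization": f"Basic {auth}"}
    rules, page = [], 1
    while True:
        url = f"{base_url}{FIND_PATH}?per_page={per_page}&page={page}"
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        rules.extend(body["data"])
        # Stop when every rule has been seen or the server returns an empty page.
        if not body["data"] or len(rules) >= body["total"]:
            return rules
        page += 1

def summarize(rules):
    """Keep only the fields needed for query analysis; `immutable` marks prebuilt rules."""
    return [{"rule_id": r.get("rule_id"), "name": r.get("name"),
             "description": r.get("description"), "tags": r.get("tags", []),
             "query": r.get("query"), "immutable": r.get("immutable", False)}
            for r in rules]

def to_ndjson(records):
    """One JSON object per line, matching the layout of an exported rules file."""
    return "".join(json.dumps(rec, sort_keys=True) + "\n" for rec in records)

# Constructed sample of what rules/_find returns (one prebuilt rule, one custom rule).
SAMPLE_FIND_RESPONSE = {
    "page": 1, "perPage": 1000, "total": 2,
    "data": [
        {"rule_id": "sample-prebuilt-0001", "name": "Sample Prebuilt Rule",
         "description": "Constructed prebuilt rule", "tags": ["Elastic"],
         "query": "event.category:process and event.type:start", "immutable": True},
        {"rule_id": "sample-custom-0001", "name": "Sample Custom Rule",
         "description": "Constructed custom rule", "tags": ["Custom"],
         "query": "user.name:svc-* and event.outcome:failure", "immutable": False},
    ],
}

if __name__ == "__main__":
    # Real run: fetch_all_rules(KIBANA_URL, "user", "pass"); here we use the sample.
    print(to_ndjson(summarize(SAMPLE_FIND_RESPONSE["data"])), end="")
```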

That's perfect! Thanks!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.