Hello,
I have to create several rules-alerts that are very similar.
Is there a way to duplicate (copy/paste) a rule?
Thank you.
Hi @ppic,
You can follow these instructions: Manage detection rules | Elastic Security Solution [8.7] | Elastic. We introduced it in version 8.6, but if you have a previous version, or you prefer so, you should be able to export, then re-import and specify to use different IDs. You can also “script” them using the Kibana APIs: Alerting APIs | Kibana Guide [8.7] | Elastic
Hi Julian,
Thank you for your suggestion. I forgot to specify I use v7.17.
Then, I tried to export, following Export rules | Elastic Security Solution [7.17] | Elastic
I tried something like the example in Kibana console:
POST api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson
{
"objects": [
{
"rule_id":"one_real_rule_id"
},
{
"rule_id":"another_real_rule_id"
}
]
}
and I got the response:
{
"error" : "no handler found for uri [/api/detection_engine/rules/_export?pretty=true] and method [POST]"
}
same if I prefix with the kibanaBaseUrl
I don't understand...
If I try it with curl/cmd DOS:
U:\>curl -X POST curl -X POST "https://edaas-noprod.kb.elasticaas.ocb.equant.com:9243/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" {"objects":[{"rule_id":"f70bb740-e5a8-11ed-8a4c-fbb45f1592a1"},{"rule_id":"4ee06690-e44c-11ed-9d70-65711c1fe732"}]}
response:
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
curl: (3) nested brace in URL position 10:
{objects:[{rule_id:f70bb740-e5a8-11ed-8a4c-fbb45f1592a1},{rule_id:4ee06690-e44c-11ed-9d70-65711c1fe732}]}
          ^
There is a kind of syntax error, but also a rights issue.
I made another test from Get rule API | Kibana Guide [7.17] | Elastic with curl/cmd DOS:
> curl -X GET https://edaas-noprod.kb.elasticaas.ocb.equant.com:9243/api/alerting/rule/4ee06690-e44c-11ed-9d70-65711c1fe732
response:
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
it looks like a rights issue.
Do you think the same ?
Thank you.
Hi @ppic,
You can't access the Kibana API through the Dev Console, but you can use the Saved Objects UI. Check out this link: Create and manage rules | Kibana Guide [7.17] | Elastic
The curl issue is a rights issue, yes. You are missing the auth parameter in your curl request; check out this URL, REST API | Kibana Guide [7.17] | Elastic, which mentions the auth types available. You will also have to add these headers (REST API | Kibana Guide [7.17] | Elastic) to your request.
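The authenticated request described in the reply above, written out as an added example (not code from the thread or from Elastic). It builds the 7.17 detection-rule export call with the two things the failing curl lacked: credentials (here HTTP basic auth; an API key would use an `Authorization: ApiKey ...` header instead) and the `kbn-xsrf` header Kibana requires on every POST, and it sends the JSON as a request body, which in curl means `-d` with the JSON quoted rather than pasted after the URL. The Kibana URL and credentials are read from environment variables and are hypothetical; nothing is sent unless `KIBANA_URL` is set.

```python
"""Added example (not from the thread): build an authenticated Kibana REST
request for POST /api/detection_engine/rules/_export on Kibana 7.17.

Assumptions not stated in the thread: basic auth with username/password, and
a base URL taken from the KIBANA_URL environment variable (hypothetical).
"""
import base64
import json
import os
import urllib.request


def kibana_headers(user: str, password: str) -> dict:
    """Headers a scripted Kibana API call needs.

    - Authorization: basic auth (an API key would be 'ApiKey <base64 id:key>').
    - kbn-xsrf: required by Kibana on POST/PUT/DELETE; missing it gives a 400.
    - Content-Type: the body below is JSON.
    """
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {
        "Authorization": f"Basic {token}",
        "kbn-xsrf": "true",
        "Content-Type": "application/json",
    }


def export_body(rule_ids: list) -> bytes:
    """JSON body for the export endpoint: {"objects": [{"rule_id": ...}, ...]}.

    With curl this must go in -d '...' (quoted); appending it unquoted after
    the URL is what produced the 'nested brace in URL' error in the thread.
    """
    return json.dumps({"objects": [{"rule_id": r} for r in rule_ids]}).encode("utf-8")


def build_export_request(base_url: str, user: str, password: str, rule_ids: list) -> urllib.request.Request:
    """Assemble the request without sending it, so it can be inspected first."""
    url = (base_url.rstrip("/") + "/api/detection_engine/rules/_export"
           "?exclude_export_details=true&file_name=exported_rules.ndjson")
    return urllib.request.Request(
        url, data=export_body(rule_ids), headers=kibana_headers(user, password), method="POST"
    )


def send_request(req: urllib.request.Request) -> bytes:
    """Send the request and return the raw ndjson Kibana answers with."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    # Hypothetical values; replace with your own Kibana URL and credentials.
    req = build_export_request(
        os.environ.get("KIBANA_URL", "https://kibana.example.invalid:5601"),
        os.environ.get("KIBANA_USER", "elastic"),
        os.environ.get("KIBANA_PASSWORD", "changeme"),
        ["one_real_rule_id", "another_real_rule_id"],
    )
    print(req.get_method(), req.full_url)
    if "KIBANA_URL" in os.environ:
        print(send_request(req).decode("utf-8"))
```

The same headers apply to the alerting API call (`GET /api/alerting/rule/<id>`) that also returned 401 in the thread; a GET does not need `kbn-xsrf`, but it still needs the `Authorization` header, and the user behind it needs read privileges on the rules in that Kibana space.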
Hi Julian,
The UI export is perfect. Thank you.
Best regards.
Hi Julian,
OK, I can export the rules, but the initial goal is to easily duplicate the rules with slight changes between them.
I made two alerts for two HTTP tests; only the URLs differ.
I have a dozen URLs to test.
I guess I can duplicate the export, change some values and import.
I made a comparison between both exports.
The differences are in :
- the fields containing the URL ==> I change the URL
- date time fields (created, executed...) ==> I think I can keep the same. OK?
- version
- id
Which values should I put for "version" and "id" (and the dates, if they have to be changed) ?
Hi @ppic ,
You should be fine keeping the version but remove the id. When importing select "Create new objects with random IDs" so it generates an id for you.
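The duplication procedure the thread settles on (export one rule, swap the URL, keep `version`, drop `id`, import with "Create new objects with random IDs"), as an added example that is not part of the original posts or of Elastic's code. It takes a saved-objects export in ndjson form and writes one copy of the rule per target URL. The sample export is constructed to look like a 7.17 saved-objects export of a single alerting rule (saved-object type `alert`) followed by the export-details line; the exact fields under `attributes.params` depend on the rule type, so the URL is replaced wherever it appears as a string rather than at a fixed path.

```python
"""Added example (not from the thread): expand one exported rule into N copies
that differ only in the URL they test, ready for Saved Objects import with
"Create new objects with random IDs".

Assumed, not taken from the thread: the export is Kibana saved-objects ndjson,
the rule's saved-object type is "alert" (7.17), and the URL appears as a string
somewhere under "attributes". SAMPLE_EXPORT is constructed, not a real export.
"""
import json

# Constructed sample: one alerting rule plus the trailing export-details line
# the Saved Objects UI appends. Real params differ by rule type.
SAMPLE_EXPORT = "\n".join([
    json.dumps({
        "type": "alert",
        "id": "4ee06690-e44c-11ed-9d70-65711c1fe732",
        "attributes": {
            "name": "HTTP check https://app-a.example.test/health",
            "params": {"url": "https://app-a.example.test/health", "timeoutSec": 10},
            "enabled": True,
        },
        "references": [],
        "updated_at": "2023-04-26T09:00:00.000Z",
        "version": "WzEyMyw0XQ==",
    }),
    json.dumps({"exportedCount": 1, "missingRefCount": 0, "missingReferences": []}),
])


def replace_strings(node, old: str, new: str):
    """Recursively replace `old` with `new` in every string of a JSON value,
    so the URL is swapped wherever the rule type stores it (params, name, ...)."""
    if isinstance(node, str):
        return node.replace(old, new)
    if isinstance(node, list):
        return [replace_strings(x, old, new) for x in node]
    if isinstance(node, dict):
        return {k: replace_strings(v, old, new) for k, v in node.items()}
    return node


def parse_ndjson(text: str) -> list:
    """Parse ndjson text into a list of objects (blank lines ignored)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def duplicate_rules(ndjson: str, template_url: str, new_urls: list) -> str:
    """Turn each rule object in `ndjson` into one copy per URL in `new_urls`.

    Following the advice in the thread: "version" is kept, "id" is removed so
    the import dialog's random-ID option assigns a fresh one. The date fields
    are left as they are. The export-details line (no "attributes") is dropped.
    """
    out = []
    for obj in parse_ndjson(ndjson):
        if "attributes" not in obj:
            continue  # export details, not a saved object
        if template_url not in json.dumps(obj["attributes"]):
            raise ValueError(f"template URL {template_url!r} not found in rule {obj.get('id')}")
        for url in new_urls:
            copy = replace_strings(obj, template_url, url)
            copy.pop("id", None)  # let Kibana generate a new id on import
            out.append(json.dumps(copy, separators=(",", ":")))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    targets = [f"https://app-{c}.example.test/health" for c in "bcd"]
    # Write the result to a file and import it via Stack Management > Saved Objects.
    print(duplicate_rules(SAMPLE_EXPORT, "https://app-a.example.test/health", targets), end="")
```

Two practical checks before importing: the `references` array is copied unchanged, so every duplicate keeps pointing at the same connector as the original, which is usually what you want; and if the exported object carries other per-rule unique identifiers inside `params` (Security detection rules do), those need to be changed per copy as well, or the import will reject the duplicates.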
Hi Julian,
Perfect !
Thank you.