How to duplicate a rule?

Hello,
I have to create several rules/alerts that are very similar.
Is there a way to duplicate (copy/paste) a rule?
Thank you.

Hi @ppic,

You can follow these instructions: Manage detection rules | Elastic Security Solution [8.7] | Elastic. We introduced it in version 8.6, but if you have a previous version, or you prefer to, you should be able to export, then re-import and specify to use different IDs. You can also “script” them using the Kibana APIs: Alerting APIs | Kibana Guide [8.7] | Elastic

Hi Julian,
Thank you for your suggestion. I forgot to specify I use v7.17.
Then, I tried to export, following Export rules | Elastic Security Solution [7.17] | Elastic
I tried something like the example in Kibana console:

POST api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson
{
  "objects": [
    {
      "rule_id":"one_real_rule_id"
    },
    {
      "rule_id":"another_real_rule_id"
    }
  ]
}

and I got the response :

{
  "error" : "no handler found for uri [/api/detection_engine/rules/_export?pretty=true] and method [POST]"
}

Same if I prefix it with the kibanaBaseUrl.
I don't understand...

If I try it with curl/cmd DOS:

U:\>curl -X POST curl -X POST "https://edaas-noprod.kb.elasticaas.ocb.equant.com:9243/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" {"objects":[{"rule_id":"f70bb740-e5a8-11ed-8a4c-fbb45f1592a1"},{"rule_id":"4ee06690-e44c-11ed-9d70-65711c1fe732"}]}

response :

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}curl: (3) nested brace in URL position 10:
{objects:[{rule_id:f70bb740-e5a8-11ed-8a4c-fbb45f1592a1},{rule_id:4ee06690-e44c-11ed-9d70-65711c1fe732}]}
         ^

There is a kind of syntax error, but also a rights issue.

I made another test from Get rule API | Kibana Guide [7.17] | Elastic with curl/cmd DOS:

> curl -X GET https://edaas-noprod.kb.elasticaas.ocb.equant.com:9243/api/alerting/rule/4ee06690-e44c-11ed-9d70-65711c1fe732

response :

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

it looks like a rights issue.
Do you think the same ?
Thank you.

Hi @ppic,

You can't access the Kibana API through the Dev Console, but you can use the Saved Objects UI. Check out this link: Create and manage rules | Kibana Guide [7.17] | Elastic

The curl issue is a rights issue, yes. You are missing the auth parameter in your curl request; check out this URL, REST API | Kibana Guide [7.17] | Elastic, it mentions the auth types available. You will also have to add these headers (REST API | Kibana Guide [7.17] | Elastic) to your request.
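
The three things the curl attempts above were missing are the request body (the JSON was passed as a second argument, which is why curl tried to glob the braces as a URL), an Authorization header, and the kbn-xsrf header that Kibana requires on every non-GET API call. The following is an added example, not code from the thread or from Elastic: a small client for the 7.17 `/api/detection_engine/rules/_export` endpoint, together with a local stand-in server that applies those checks in the order Kibana does, so the 401 and the xsrf rejection can be reproduced offline. HTTP basic auth, the constructed credentials, and the stub rule content are assumptions.

```python
"""Added example: export detection rules with the headers Kibana needs, and a
local stand-in for Kibana that reproduces the failure modes seen in the thread.
Not Kibana's code; the stand-in server and its credentials are constructed."""
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

EXPORT_PATH = "/api/detection_engine/rules/_export"

# Constructed credentials, used only by the local stand-in below.
FAKE_USER, FAKE_PASSWORD = "ppic", "s3cret"


class FakeKibana(BaseHTTPRequestHandler):
    """Stand-in for Kibana (assumption, not the real server): checks the
    Authorization header, then the kbn-xsrf header, then the route."""

    def do_POST(self):
        # Read the body first so the connection is never closed with unread data.
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length)
        token = base64.b64encode(f"{FAKE_USER}:{FAKE_PASSWORD}".encode()).decode()
        if self.headers.get("Authorization") != f"Basic {token}":
            # Same body the thread's curl without credentials got back.
            return self._reply(401, {"statusCode": 401, "error": "Unauthorized",
                                     "message": "Unauthorized"})
        if "kbn-xsrf" not in self.headers:
            return self._reply(400, {"statusCode": 400, "error": "Bad Request",
                                     "message": "Request must contain a kbn-xsrf header."})
        if not self.path.startswith(EXPORT_PATH):
            return self._reply(404, {"statusCode": 404, "error": "Not Found",
                                     "message": "Not Found"})
        body = json.loads(raw)
        # One ndjson line per requested rule; rule content is a constructed stub.
        lines = [json.dumps({"rule_id": o["rule_id"], "name": "stub"})
                 for o in body["objects"]]
        self._reply(200, "\n".join(lines) + "\n", ctype="application/ndjson")

    def _reply(self, status, payload, ctype="application/json"):
        data = (payload if isinstance(payload, str) else json.dumps(payload)).encode()
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the stand-in quiet
        pass


def start_fake_kibana():
    """Start the stand-in on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), FakeKibana)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def export_rules(base_url, rule_ids, user=None, password=None, xsrf=True):
    """POST the export request and return (status, body_text).

    The JSON goes in the request body (curl's -d), basic auth goes in an
    Authorization header, and kbn-xsrf is set because Kibana rejects
    POST/PUT/DELETE calls without it."""
    body = json.dumps({"objects": [{"rule_id": r} for r in rule_ids]}).encode()
    req = Request(f"{base_url}{EXPORT_PATH}?exclude_export_details=true",
                  data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    if xsrf:
        req.add_header("kbn-xsrf", "true")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:
        return err.code, err.read().decode()


def parse_ndjson(text):
    """Split an ndjson body into dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    server, url = start_fake_kibana()
    print(export_rules(url, ["one_real_rule_id"]))                                     # 401
    print(export_rules(url, ["one_real_rule_id"], FAKE_USER, FAKE_PASSWORD, xsrf=False))  # 400
    print(export_rules(url, ["one_real_rule_id"], FAKE_USER, FAKE_PASSWORD))          # 200
    server.shutdown()
```

Against a real Kibana the same `export_rules` call works with `base_url` set to the Kibana base URL (not the Elasticsearch one) and a user that has read access to the Security app; the equivalent curl is `-u user:password -H "kbn-xsrf: true" -H "Content-Type: application/json" -d '{"objects":[...]}'`.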

Hi Julian,
The UI export is perfect. Thank you.
Best regards.

Hi Julian,

OK, I can export the rules, but the initial goal is to easily duplicate the rules with slight changes between them.
I made two alerts about two HTTP tests; only the URLs differ.
I have a dozen URLs to test.
I guess I can duplicate the export, change some values and import.
I made a comparison between both exports.
The differences are in :

  • the fields containing the URL ==> I change the URL
  • date time fields (created, executed...) ==> I think I can keep them the same. OK?
  • version
  • id

Which values should I put for "version" and "id" (and the dates, if they have to be changed) ?

Hi @ppic,

You should be fine keeping the version but remove the id. When importing select "Create new objects with random IDs" so it generates an id for you.
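
The duplication procedure that comes out of this exchange (export once, keep "version" and the dates, drop "id", change the URL, import with "Create new objects with random IDs") is mechanical enough to script when there are a dozen URLs. The following is an added example, not code from the thread or from Elastic. The export line it works on is constructed: the field names (`attributes`, `params.url`, `createdAt`, ...) are assumptions chosen to mirror the differences the poster lists, so the URL is replaced wherever it occurs as a string value rather than at one fixed path, and a rule that does not contain the old URL at all is rejected rather than silently cloned unchanged.

```python
"""Added example: turn one exported rule into N clones, one per URL, following
the advice above (keep version and dates, drop id, change only the URL).
The sample export line and its field names are constructed assumptions."""
import json

# Constructed stand-in for one line of a Saved Objects export.
SAMPLE_EXPORT = json.dumps({
    "type": "alert",
    "id": "11111111-2222-3333-4444-555555555555",
    "version": "WzEyMywxXQ==",
    "attributes": {
        "name": "http test https://old.example/health",
        "createdAt": "2023-04-27T08:00:00.000Z",
        "updatedAt": "2023-04-27T08:05:00.000Z",
        "params": {"url": "https://old.example/health", "timeoutSeconds": 10},
    },
    "references": [],
}) + "\n"


def parse_ndjson(text):
    """Split an ndjson file into dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def substitute(node, old, new):
    """Copy of node with old replaced by new inside every string value, at any depth.
    Used because the URL may sit in more than one field (name, params, ...)."""
    if isinstance(node, dict):
        return {k: substitute(v, old, new) for k, v in node.items()}
    if isinstance(node, list):
        return [substitute(v, old, new) for v in node]
    if isinstance(node, str):
        return node.replace(old, new)
    return node


def count_occurrences(node, needle):
    """How many times needle appears across all string values of node."""
    if isinstance(node, dict):
        return sum(count_occurrences(v, needle) for v in node.values())
    if isinstance(node, list):
        return sum(count_occurrences(v, needle) for v in node)
    if isinstance(node, str):
        return node.count(needle)
    return 0


def clone_rule(rule, old_url, new_url):
    """One clone of an exported rule: URL swapped, id removed, everything else kept."""
    if count_occurrences(rule, old_url) == 0:
        # A rule that never mentions the old URL would be cloned unchanged; refuse.
        raise ValueError(f"{old_url!r} does not occur in rule {rule.get('id')!r}")
    clone = substitute(rule, old_url, new_url)
    # Drop the saved-object id so the import option "Create new objects with
    # random IDs" mints a fresh one. "version" and the date fields stay as is.
    clone.pop("id", None)
    return clone


def clone_export(ndjson_text, old_url, new_urls):
    """Build an import file with one clone per (rule, URL) pair.
    Lines without "attributes" (the export-details summary line, when present)
    are not saved objects and are left out; assumption: the import does not need it."""
    clones = []
    for obj in parse_ndjson(ndjson_text):
        if "attributes" not in obj:
            continue
        for url in new_urls:
            clones.append(json.dumps(clone_rule(obj, old_url, url)))
    return "\n".join(clones) + "\n"


if __name__ == "__main__":
    targets = [f"https://host{i}.example/health" for i in range(1, 13)]
    print(clone_export(SAMPLE_EXPORT, "https://old.example/health", targets), end="")
```

Run it with the real export file redirected in and the output redirected to a new `.ndjson`, then import that file through the Saved Objects UI with "Create new objects with random IDs" selected; importing with the original ids left in would instead overwrite or conflict with the source rule.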

Hi Julian,

Perfect !
Thank you.
