How to extract rules and connector using elastic API

Elastic Security Endpoint Security
1

i want to export rules and connector from elastic using API
i created this request :

curl -X POST -u elastic:pass https://myHOST:9243/api/detection_engine/rules/_export?exclude_export_details=true -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
"objects": [
{
"rule_id":"73c903d0-b0dc-11ec-bf76-67173033ecd8"
}
]
}
' -o exported-rules.ndjson

but i'm getting error:

{"exported_count":0,"exported_rules_count":0,"missing_rules":[{"rule_id":"73c903d0-b0dc-11ec-bf76-67173033ecd8"}],"missing_rules_count":1,"exported_exception_list_count":0,"exported_exception_list_item_count":0,"missing_exception_list_item_count":0,"missing_exception_list_items":,"missing_exception_lists":,"missing_exception_lists_count":0}

and for connectors i didn't find in the documentation how to export them.
could you please help with this case?

2

Hey there @waelboss :wave:

So looks like you've got the export request correct, but there's an issue exporting that specific ruleId. There's a few things to check out and some other options as well.

Things to verify:

  • Is this the correct space? There is no space in the URL, so this request will only try to export rules from the default space.
  • Is this a custom rule or prebuilt Elastic rule? Only custom rules are exportable at the moment, so you would need to duplicate the prebuilt rule for it to be exportable
  • Double-check you're using the correct rule_id of the rule and not id
  • Can you try this same request without the objects payload and see if all rules are exported?
  • What stack version are you on?

Additional options:
Depending on your version, as of I believe 8.2 there's a bulk export API you could try that might a bit more ergonomic. You can see this being called when exporting via the UI:

Rules_-_Kibana
Rules_-_Kibana1920×1336 163 KB

As for Connectors, as mentioned in the docs (second callout) they can be exported via the UI following this documentation, or via the API using the Export Objects API.

Let me know if any of the above helps!

Cheers!
Garrett

1 Like
3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.