Export rulesedit

Exports rules to an .ndjson file. The following configuration items are also included in the .ndjson file:

  • Actions
  • Exception lists

You cannot export prebuilt rules, but they are available at https://github.com/elastic/detection-rules/tree/main/rules/.

Console supports Elasticsearch APIs only. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the Saved Objects UI in Kibana (Stack ManagementKibanaSaved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before you export and import the detection rules.

Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Upload value lists UI (DetectRulesUpload value lists) to export and import value lists separately.

Request URLedit

POST <kibana host>:<port>/api/detection_engine/rules/_export

URL query parametersedit

Name Type Description Required

exclude_export_details

Boolean

Determines whether a summary of the exported rules is returned.

No, defaults to false.

file_name

String

File name for saving the exported rules.

No, defaults to export.ndjson

When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.

Request bodyedit

An optional JSON objects array containing the rule_id fields of the rules you want to export:

Name Type Description Required

objects

String[]

Array of rule_id fields.

No, exports all rules when unspecified.

Example requestedit

Exports two rules without details and saves them to the exported_rules.ndjson file:

POST api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson
{
  "objects": [
    {
      "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
    },
    {
      "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
    }
  ]
}

Response codeedit

200
Indicates a successful call.

Response payloadedit

An .ndjson file containing the returned rules.

Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.

Example response payload:

{"id":"d4db8800-30df-11ec-88a5-fb21b48c9b4e","rule_id":"query-with-single-exception-list"[....]} // Rule
{"id":"cd62f410-30de-11ec-88a5-fb21b48c9b4e","list_id":"simple_list"[...]} // Exception list parent container
{"id":"e54ffbe0-30de-11ec-88a5-fb21b48c9b4e","item_id":"my-exception-item","list_id":"simple_list"[...]} // Exception list item
{"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} // Export summary