[Security Solution][Detections] Add ability to import/export Rule Actions #100956
Comments
spong
added
enhancement
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
peluja1012
added
Feature:Rule Actions
|
did you find any solution for this please ? |
|
Initial groundwork for this has been merged as of #109722, and you can follow along this issue #109169 for exposing Detection Rules/Actions/Connectors/Exceptions via the Saved Object Manager under There's currently open discussion on the migration of existing actions to ensure they're available and functioning post-upgrade. You can following along that here: #112327 All these changes should result in much more flexibility for you with regards to 1-click exports and the importing/exporting of all objects of a specific type (Rules), or that object and all related objects (Rules, Actions, Connectors, Exceptions, Timeline Templates, etc). This'll also open up the sharing/moving of these between objects spaces (#100067). |
|
Hello can you help me more, please!! I'm new in elastic :( |
|
Great news @bilelmeddeb 🎉 -- this functionality was just merged as of #115243, so you can expect to see this in the upcoming Kibana Going to close this issue as it is resolved via #115243. |
|
@bilelmeddeb I would suggest choosing one of our "good first issue" And seeing this post of ours: Once you have a PR made, ping one of us. |
Currently Rule Actions are not exported as part of the Security Detection Rule, and there is no other dedicated way of backing up and restoring the actions on a rule. With #50266, Rules, Connectors, and in turn Actions (via SO references)) will be exportable via the SO Management UI, since there is potential that Detection Rules might not be exportable via this method, we will potentially need to support the exporting/importing of actions via the dedicated Security Solution import/export flow.
Currently, whether exporting a single rule by ID, or exporting all rules, the ruleActions object is not provided, and so will end up being an empty array when exporting.
Note: As mentioned above, Actions are currently stored in the SO References array on the alerting object, however the SO References array is not exposed to consumers. This issue (#87992) should be resolved by the 7.15 timeframe, and so could be used for exporting the actions directly from the rule, however there may be additional effort required here since we maintain a separate alerting SO for managing actions configured to fire at specific intervals.
Action as returned from Read Rules API
Sample Exported Rule showing now `action` (expanded from `ndjson`):
{ "id": "29b2a240-be86-11eb-b868-a966afda346b", "updated_at": "2021-05-28T20:09:43.912Z", "updated_by": "spong", "created_at": "2021-05-27T00:55:00.352Z", "created_by": "spong", "name": "Test Export Rule", "tags": [], "interval": "5m", "enabled": false, "description": "Test Export Rule", "risk_score": 21, "severity": "low", "license": "", "output_index": ".siem-signals-spong-default", "timeline_id": "817a4ecc-d008-4b6b-87cc-04ee404bcad7", "timeline_title": "Best Template Ever", "meta": { "from": "1m", "kibana_siem_app_url": "http://localhost:5601/gew/app/security" }, "author": [], "false_positives": [], "from": "now-360s", "rule_id": "b0b83c5b-5c7a-4c67-97f3-a84ee1843403", "max_signals": 100, "risk_score_mapping": [], "severity_mapping": [], "threat": [], "to": "now", "references": [], "version": 4, "exceptions_list": [ { "list_id": "c79da945-641e-4f8f-9486-cf31f3937c0e", "namespace_type": "single", "id": "31997dd0-be86-11eb-b868-a966afda346b", "type": "detection" } ], "immutable": false, "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*", "test-index-constant-keyword-delme", "test-index-keyword-delme" ], "query": "host.name:*", "filters": [], "throttle": "no_actions", "actions": [] }The text was updated successfully, but these errors were encountered: