elastic / detection-rules

Home Page:https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Bug] exclude_export_details export flag also excludes exceptions and exception lists

Vexil-Derivative opened this issue · comments

Describe the Bug

When exporting detection rules via the API, setting exclude_export_details to true will only output the rule objects, excluding the exceptions and exception lists. Setting it to false exports the rules, exceptions, exception lists, and a summary line at the end of the file. The documentation states this flag should only exclude the summary line, so this behavior is unexpected.

To Reproduce

  1. Create at least 1 custom rule and add an exception
  2. Run the following 2 POST requests:
    POST <kibana host>:<port>/api/detection_engine/rules/_export
    POST <kibana host>:<port>/api/detection_engine/rules/_export?exclude_export_details
  3. Compare the two responses and note that the second one does not include the exception logic.

Expected Behavior

The exclude_export_details flag should only exclude the final summary line. All rules and exception objects should be output regardless of how this flag is set.

Screenshots

No response

Desktop - OS

None

Desktop - Version

No response

Additional Context

Tested on 8.15.1, but we also noticed the issue on 8.13 previously.
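An offline check for the behaviour described in this issue, added here as an example and not code from the detection-rules project: it classifies each NDJSON line of an export body, compares a full export against one taken with exclude_export_details, and lists the exception lists that exported rules reference but the file does not carry (those references break on import). The sample bodies and the field names used to classify objects are constructed assumptions, not captured Kibana output.

```python
import json
from collections import Counter

# Constructed sample export bodies (assumption: field names mirror the NDJSON
# shapes of the detection-engine export endpoint; they are not real output).
RULE = ('{"rule_id":"r-1","name":"Suspicious cmd","type":"query","exceptions_list":'
        '[{"id":"l-1","list_id":"list-1","type":"detection","namespace_type":"single"}]}')
EXPORT_FULL = "\n".join([
    RULE,
    '{"list_id":"list-1","name":"Build hosts","type":"detection","namespace_type":"single"}',
    '{"item_id":"i-1","list_id":"list-1","entries":[{"field":"host.name",'
    '"operator":"included","type":"match","value":"build-01"}]}',
    '{"exported_count":3,"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0}',
])
EXPORT_NO_DETAILS = RULE  # what the reporter observed with exclude_export_details set


def classify(obj: dict) -> str:
    """Name the kind of one NDJSON object from the key that identifies it."""
    if "exported_count" in obj:
        return "summary"
    if "rule_id" in obj:
        return "rule"
    if "item_id" in obj:
        return "exception_item"
    if "list_id" in obj:
        return "exception_list"
    return "unknown"


def _objects(ndjson: str) -> list:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def tally(ndjson: str) -> Counter:
    """Count the objects of each kind in an export body."""
    return Counter(classify(o) for o in _objects(ndjson))


def dangling_lists(ndjson: str) -> set:
    """Exception list ids referenced by exported rules but absent from the export."""
    objs = _objects(ndjson)
    exported = {o["list_id"] for o in objs if classify(o) == "exception_list"}
    referenced = {ref["list_id"] for o in objs if classify(o) == "rule"
                  for ref in o.get("exceptions_list", [])}
    return referenced - exported


def compare_exports(full: str, no_details: str) -> list:
    """Findings where the two bodies differ by anything other than the summary line."""
    a, b = tally(full), tally(no_details)
    findings = [f"{k}: {a[k]} with details, {b[k]} without"
                for k in ("rule", "exception_list", "exception_item") if a[k] != b[k]]
    if b["summary"]:
        findings.append("summary line still present with exclude_export_details")
    return findings
```

An empty findings list means the flag behaves as the documentation describes; any entry, or a non-empty dangling_lists result on the no-details export, reproduces the regression.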