Describe the Bug
Summary
When using the rule name filter, e.g. `python -m detection_rules kibana --space test_local export-rules -rn "My Test Rule" -d dac_test/rules/ -sv`, if rule(s) are found that match the name, it will correctly export just those that match. However, if there are no matches, the command will export all rules.
This is due to the required nature of the bulk export function. This function requires the `rule_ids` list to be optional (as one does not have to have a rule id restriction). However, this can also occur if no ids are found that match a name filter.
```python
def export_rules(cls, rule_ids: Optional[List[str]] = None,
                 exclude_export_details: bool = True) -> List['RuleResource']:
    """Export a list of rules from Kibana using the _export API."""
    url = f'{cls.BASE_URI}/_export'

    # An empty list is falsy, so it takes the same branch as None (no restriction).
    if rule_ids:
        rule_ids = {'objects': [{'rule_id': r} for r in rule_ids]}
    else:
        rule_ids = None

    params = dict(exclude_export_details=stringify_bool(exclude_export_details))
    response = Kibana.current().post(url, params=params, data=rule_ids, raw=True)
    data = [json.loads(r) for r in response.text.splitlines()]
    return [cls(r) for r in data]
```
To Reproduce
- Export rules with a rule name filter that matches a known rule.
- Observe output filters correctly
- Export rules with a rule name filter that does not match any rules
- Observe that output is not filtered correctly
Example

Expected Behavior
Filter should not export any rules if it does not match any rules.

Screenshots
No response
Desktop - OS
Linux
Desktop - Version
No response
Additional Context
No response
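The `None` versus empty-list distinction behind this report, as an added example that is not the project's code and not a proposed patch from the issue. `STORED`, `fake_export`, `ids_for_name` and the two `export_rules_*` functions are hypothetical stand-ins; `fake_export` assumes that a request with no body exports every rule, which is the behavior the report describes.

```python
from typing import List, Optional

# Constructed stand-in for the rules stored in a Kibana space (not real data).
STORED = [
    {"rule_id": "a1", "name": "My Test Rule"},
    {"rule_id": "b2", "name": "Other Rule"},
]


def fake_export(body: Optional[dict]) -> List[dict]:
    """Hypothetical stand-in for the _export call: no body means export everything."""
    if body is None:
        return list(STORED)
    wanted = {obj["rule_id"] for obj in body["objects"]}
    return [rule for rule in STORED if rule["rule_id"] in wanted]


def ids_for_name(name: str) -> List[str]:
    """Resolve a rule-name filter to rule ids; returns [] when nothing matches."""
    return [rule["rule_id"] for rule in STORED if rule["name"] == name]


def export_rules_buggy(rule_ids: Optional[List[str]] = None) -> List[dict]:
    """Same truthiness check as in the report: [] collapses to None."""
    body = {"objects": [{"rule_id": r} for r in rule_ids]} if rule_ids else None
    return fake_export(body)


def export_rules_fixed(rule_ids: Optional[List[str]] = None) -> List[dict]:
    """None means 'no restriction'; an empty list means 'the filter matched nothing'."""
    if rule_ids is None:
        return fake_export(None)
    if not rule_ids:
        return []  # nothing matched, so send no request and export nothing
    return fake_export({"objects": [{"rule_id": r} for r in rule_ids]})


if __name__ == "__main__":
    no_match = ids_for_name("No Such Rule")
    print("buggy:", len(export_rules_buggy(no_match)), "rules exported")
    print("fixed:", len(export_rules_fixed(no_match)), "rules exported")
```
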