[Security Solution][Detections] Add ability to import/export Rule Actions #100956
Labels
enhancement
New value added to drive a business result
Feature:Rule Actions
Security Solution Detection Rule Actions area
Feature:Rule Management
Security Solution Detection Rule Management area
Team:Detections and Resp
Security Detection Response Team
Team:Security Solution Platform
Security Solution Platform Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v7.16.0
Currently Rule Actions are not exported as part of the Security Detection Rule, and there is no other dedicated way of backing up and restoring the actions on a rule. With #50266, Rules, Connectors, and in turn Actions (via SO references)) will be exportable via the SO Management UI, since there is potential that Detection Rules might not be exportable via this method, we will potentially need to support the exporting/importing of actions via the dedicated Security Solution import/export flow.
Currently, whether exporting a single rule by ID, or exporting all rules, the ruleActions object is not provided, and so will end up being an empty array when exporting.
Note: As mentioned above, Actions are currently stored in the SO References array on the alerting object, however the SO References array is not exposed to consumers. This issue (#87992) should be resolved by the 7.15 timeframe, and so could be used for exporting the actions directly from the rule, however there may be additional effort required here since we maintain a separate alerting SO for managing actions configured to fire at specific intervals.
Action as returned from Read Rules API
Sample Exported Rule showing now `action` (expanded from `ndjson`):
The text was updated successfully, but these errors were encountered: