Using the API
You can create and manage detection rules programmatically instead of using the Kibana UI. This is useful for CI/CD pipelines, bulk rule management, rule-as-code workflows, and integrating detection management with external tooling.
If you prefer to use the UI for creating rules, refer to Using the UI.
Rules run in the background using the privileges of the user who last edited them. When you create or modify a rule, Elastic Security generates an API key that captures a snapshot of your current privileges. If a user without the required privileges (such as index read access) updates a rule, the rule can stop functioning correctly and no longer generate alerts. To fix this, a user with the right privileges needs to either modify the rule or update the API key. To learn more, refer to Detection rule concepts > Rule authorization.
The detection APIs are part of the Kibana API. Use the appropriate reference for your deployment type:
- Elastic Stack
  - Security detections API: Create, read, update, delete, and bulk-manage detection rules. Also covers alert management (status, tags, assignees) and prebuilt rule installation. For a complete list of Elastic Security APIs, refer to Elastic Security APIs.
- Elastic Cloud Serverless
  - Security detections API (Serverless): The same detection operations, scoped to Serverless projects.
| Task | Elastic Stack | Elastic Cloud Serverless |
|---|---|---|
| Create a rule | Stack | Serverless |
| List all rules | Stack | Serverless |
| Update a rule | Stack | Serverless |
| Bulk actions | Stack | Serverless |
| Import rules | Stack | Serverless |
| Export rules | Stack | Serverless |
| Install prebuilt rules | Stack | Serverless |
| Set alert status | Stack | Serverless |
| Manage rule exceptions | Stack | Serverless |
| Manage endpoint exceptions | Stack | Serverless |
| Manage value lists | Stack | Serverless |
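As an added example (not code from the Elastic documentation), a small Python helper for a rule-as-code pipeline: it validates rule bodies kept in version control, then maps each one to a create (POST) or update (PUT) request on /api/detection_engine/rules, matched on the stable rule_id. The Kibana URL, the sample rules and their index patterns are assumed placeholders; actually sending the requests is left to the caller.

```python
import json

KIBANA = "https://kibana.example.internal:5601"  # assumed Kibana URL (placeholder)
HEADERS = {"kbn-xsrf": "true", "Content-Type": "application/json"}  # kbn-xsrf is required on writes
SEVERITIES = ("low", "medium", "high", "critical")
REQUIRED = ("rule_id", "name", "description", "risk_score", "severity", "type")

def validate_rule(rule: dict) -> list[str]:
    """Return the problems found in a rule body; an empty list means it can be sent."""
    problems = [f"missing {key}" for key in REQUIRED if key not in rule]
    if rule.get("severity") not in SEVERITIES:
        problems.append("severity must be one of low/medium/high/critical")
    score = rule.get("risk_score")
    if not isinstance(score, int) or not 0 <= score <= 100:
        problems.append("risk_score must be an integer between 0 and 100")
    if rule.get("type") in ("query", "eql") and not rule.get("query"):
        problems.append(f"{rule.get('type')} rules need a query")
    return problems

def plan_requests(rules: list[dict], existing_rule_ids: set[str]) -> list[dict]:
    """Map each desired rule to POST (create) or PUT (update) on /api/detection_engine/rules.
    existing_rule_ids is the set a prior GET /api/detection_engine/rules/_find returned."""
    plan = []
    for rule in rules:
        problems = validate_rule(rule)
        if problems:  # fail the pipeline before anything reaches Kibana
            raise ValueError(f"{rule.get('rule_id', '?')}: {'; '.join(problems)}")
        method = "PUT" if rule["rule_id"] in existing_rule_ids else "POST"
        plan.append({"method": method, "url": f"{KIBANA}/api/detection_engine/rules",
                     "headers": HEADERS, "body": json.dumps(rule, sort_keys=True)})
    return plan

# Constructed sample rules, in the shape a team would version alongside its code.
DESIRED_RULES = [
    {"rule_id": "repo-ssh-auth-failures", "name": "Repeated SSH authentication failures",
     "description": "Flags failed sshd logins for triage.", "risk_score": 47,
     "severity": "medium", "type": "query", "language": "kuery",
     "index": ["logs-system.auth-*"], "interval": "5m", "from": "now-6m", "enabled": True,
     "query": "event.category:authentication and event.outcome:failure and process.name:sshd"},
    {"rule_id": "repo-cron-file-creation", "name": "New file in /etc/cron.d",
     "description": "Possible persistence via cron.", "risk_score": 21, "severity": "low",
     "type": "eql", "language": "eql", "index": ["logs-endpoint.events.file-*"],
     "query": 'file where event.type == "creation" and file.path : "/etc/cron.d/*"'},
]
```

Because rules run with the privileges of the user who last edited them, run such a pipeline under one dedicated account that holds the index read access the rules need, so that an update from a less-privileged account does not silently stop alerts.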