Import rulesedit
Imports rules from an .ndjson file. The following configuration items are also included in the .ndjson file:
- Actions
- Exception lists
This API supports Token-based authentication only.
You need at least Read privileges for the Action and Connectors feature to import rules with actions. If you’re importing rules without actions, Action and Connectors feature privileges are not required. Refer to Enable and access detections for more information.
Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the Saved Objects UI in Kibana (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before you export and import the detection rules.
Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Import value lists UI (Manage → Rules → Import value lists) to export and import value lists separately.
Request URLedit
POST <kibana host>:<port>/api/detection_engine/rules/_import
The request must include:
-
The
Content-Type: multipart/form-dataHTTP header. -
A link to the
.ndjsonfile containing the rules.
For example, using cURL:
curl -X POST "<KibanaURL>/api/detection_engine/rules/_import" -u <username>:<password> -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@<link to file>"
URL query parametersedit
| Name | Type | Description | Required |
|---|---|---|---|
|
Boolean |
Determines whether existing rules with the same
|
No, defaults to |
|
Boolean |
Determines whether existing exception lists
with the same |
No, defaults to |
Example requestedit
Imports the rules in the detection_rules.ndjson file and overwrites
existing rules with the same rule_id values:
curl -X POST "api/detection_engine/rules/_import?overwrite=true" -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@detection_rules.ndjson"