Bulk rule actions
You can bulk create, update, and delete rules.
The Kibana Dev Tools Console supports only Elasticsearch APIs and does not allow interactions with Kibana APIs such as the ones on this page. Use curl
or another HTTP client instead. For more information, refer to Run Elasticsearch API requests.
Bulk create
This API supports Token-based authentication only.
Creates new rules.
Request URL
POST <kibana host>:<port>/api/detection_engine/rules/_bulk_create
Request body
A JSON array of rules, where each rule contains the fields required to create a rule.
Example request
POST api/detection_engine/rules/_bulk_create
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload",
    "risk_score": 50,
    "description": "Process started by MS Office program - possible payload",
    "interval": "5m",
    "name": "MS Office child process",
    "severity": "low",
    "tags": ["child process", "ms office"],
    "type": "query",
    "from": "now-6m",
    "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
    "language": "kuery",
    "filters": [
      {
        "query": {
          "match": {
            "event.action": {
              "query": "Process Create (rule: ProcessCreate)",
              "type": "phrase"
            }
          }
        }
      }
    ],
    "enabled": false
  },
  {
    "name": "Second bulk rule",
    "description": "Query with a rule_id for referencing an external id",
    "rule_id": "query-rule-id-2",
    "risk_score": 2,
    "severity": "low",
    "type": "query",
    "from": "now-6m",
    "query": "user.name: root or user.name: admin"
  }
]
Response code
200 - Indicates a successful call.
Response payload
A JSON array that includes a unique ID for each rule. A unique rule ID is generated for all rules that did not include a rule_id field.
Bulk delete
Deletes multiple rules.
Request URL
DELETE <kibana host>:<port>/api/detection_engine/rules/_bulk_delete
Request body
A JSON array of id or rule_id fields of the rules you want to delete.
Example request
DELETE api/detection_engine/rules/_bulk_delete
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "id": "51658332-a15e-4c9e-912a-67214e2e2359"
  }
]
Response code
200 - Indicates a successful call.
Response payload
A JSON array containing the deleted rules.
Bulk update
This API supports Token-based authentication only.
Updates multiple rules.
You can use PUT or PATCH methods to bulk update rules, where:
- PUT replaces the original rule and deletes fields that are not specified.
- PATCH updates only the specified fields.
Request URL
PUT <kibana host>:<port>/api/detection_engine/rules/_bulk_update
PATCH <kibana host>:<port>/api/detection_engine/rules/_bulk_update
Request body
A JSON array where each element includes:
- The id or rule_id field of the rule you want to update.
- The fields you want to modify.
If you call PUT to update rules, all unspecified fields are deleted. You cannot modify the id or rule_id values.
For PATCH calls, any of the fields can be modified. For PUT calls, some fields are required (see Update rule for a list of required fields).
Example request
PATCH api/detection_engine/rules/_bulk_update
[
  {
    "threat": [
      {
        "framework": "MITRE ATT&CK",
        "tactic": {
          "id": "TA0001",
          "reference": "https://attack.mitre.org/tactics/TA0001",
          "name": "Initial Access"
        },
        "technique": [
          {
            "id": "T1193",
            "name": "Spearphishing Attachment",
            "reference": "https://attack.mitre.org/techniques/T1193"
          }
        ]
      }
    ],
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "name": "New name",
    "id": "56b22b65-173e-4a5b-b27a-82599cb1433e"
  }
]
Response code
200 - Indicates a successful call.
Response payload
A JSON array containing the updated rules.
Bulk action
Applies a bulk action to multiple rules. The action is applied to every rule that matches the filter, so check which rules the query selects (for example by running the same query with the export action first) before applying a destructive action such as delete.
Request URL
POST <kibana host>:<port>/api/detection_engine/rules/_bulk_action
Request body
A JSON object with two required parameters:
- query - A string containing a KQL search query to match the rules.
- action - A bulk action to apply. Possible values: enable, disable, delete, duplicate, and export.
Example request
The following request enables all rules that have the test tag:
POST api/detection_engine/rules/_bulk_action
{
  "query": "alert.attributes.tags: \"test\"",
  "action": "enable"
}
Response code
200 - Indicates a successful call.
Response payload
For the enable, disable, delete, and duplicate actions, a JSON object containing the outcome of the call and the number of affected rules:
{
  "success": true,
  "rules_count": 4280
}
For the export action, an .ndjson file containing the exported rules.
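The following Python script is an added example, not Kibana's own client and not code from the original page. It assembles the request bodies for the four endpoints described above (bulk create, bulk delete, bulk update with PUT or PATCH, and bulk action), adds the API-key Authorization header and the kbn-xsrf header that Kibana requires on non-GET requests, and validates each body before it is sent. The host, the API key, the REQUIRED_QUERY_RULE_FIELDS list (inferred from the create example above; the Update rule page remains authoritative) and the delete guard in bulk_action are assumptions of this example.

```python
"""Assemble, validate and (optionally) send bulk detection-rule requests to Kibana.

Added example, not Kibana's own client. Host, credentials and rule data are placeholders.
"""
import base64
import json
import urllib.request

KIBANA = "https://kibana.example.internal:5601"      # assumed host
API_KEY_ID, API_KEY_SECRET = "key-id", "key-secret"  # assumed credentials
BASE = "/api/detection_engine/rules/"

# Fields this example treats as mandatory for a "query" rule on bulk_create and on PUT.
# Assumption drawn from the create example above; see "Update rule" for the authoritative list.
REQUIRED_QUERY_RULE_FIELDS = ("name", "description", "risk_score", "severity", "type", "query")
BULK_ACTIONS = ("enable", "disable", "delete", "duplicate", "export")


def auth_headers(key_id, key_secret):
    """Token (API key) authentication plus the kbn-xsrf header Kibana requires on non-GET calls."""
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    return {"Authorization": f"ApiKey {token}",
            "kbn-xsrf": "true",
            "Content-Type": "application/json"}


def _check_identifier(rules):
    """Each element must carry exactly one of id / rule_id so Kibana can address the rule."""
    for i, rule in enumerate(rules):
        if ("id" in rule) == ("rule_id" in rule):
            raise ValueError(f"element {i}: supply exactly one of 'id' or 'rule_id'")


def _check_required(rules):
    """Reject elements lacking a field the (assumed) required list demands."""
    for i, rule in enumerate(rules):
        missing = [f for f in REQUIRED_QUERY_RULE_FIELDS if f not in rule]
        if missing:
            raise ValueError(f"element {i}: missing required field(s) {missing}")


def bulk_create(rules):
    _check_required(rules)
    return {"method": "POST", "path": BASE + "_bulk_create", "body": rules}


def bulk_delete(refs):
    _check_identifier(refs)
    return {"method": "DELETE", "path": BASE + "_bulk_delete", "body": refs}


def bulk_update(rules, method="PATCH"):
    """PATCH changes only the listed fields; PUT replaces the whole rule, so unspecified
    fields are deleted and every required field must be present in each element."""
    method = method.upper()
    if method not in ("PUT", "PATCH"):
        raise ValueError("bulk_update uses PUT or PATCH")
    _check_identifier(rules)
    if method == "PUT":
        _check_required(rules)
    return {"method": method, "path": BASE + "_bulk_update", "body": rules}


def kql_tag_query(tag):
    """KQL filter matching rules that carry `tag`. Backslash and double quote are escaped so a
    tag value taken from user input cannot break out of the quoted string and widen the match."""
    escaped = tag.replace("\\", "\\\\").replace('"', '\\"')
    return f'alert.attributes.tags: "{escaped}"'


def bulk_action(action, query):
    """Guard of this example (not enforced by Kibana): a delete whose query matches
    everything is refused, because the action applies to every matching rule."""
    if action not in BULK_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "delete" and query.strip() in ("", "*"):
        raise ValueError("refusing to delete every rule; narrow the query (run 'export' first)")
    return {"method": "POST", "path": BASE + "_bulk_action",
            "body": {"query": query, "action": action}}


def send(req, host=KIBANA, key_id=API_KEY_ID, key_secret=API_KEY_SECRET):
    """Send a prepared request. Needs a reachable Kibana; not exercised offline."""
    data = json.dumps(req["body"]).encode()
    http_req = urllib.request.Request(host + req["path"], data=data, method=req["method"],
                                      headers=auth_headers(key_id, key_secret))
    with urllib.request.urlopen(http_req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Build the "enable every rule tagged test" request from the page without sending it.
    print(json.dumps(bulk_action("enable", kql_tag_query("test")), indent=2))
```

Running the script prints the prepared request; pass the result of one of the builder functions to send() to execute it against a real Kibana host. Validation happens before anything leaves the machine, so a PUT missing a required field, or a bulk delete element carrying both id and rule_id, fails locally instead of producing a half-applied bulk change.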