---
title: Using the API
description: Create and manage detection rules programmatically using the Security detections API for CI/CD and bulk operations.
url: https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/using-the-api
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Using the API
You can create and manage detection rules programmatically instead of using the Kibana UI. This is useful for CI/CD pipelines, bulk rule management, rule-as-code workflows, and integrating detection management with external tooling.
<admonition title="Create rules using the UI">
  If you prefer to use the UI for creating rules, refer to [Using the UI](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/using-the-rule-ui).
</admonition>

<important>
  Rules run in the background using the privileges of the user who last edited them. When you create or modify a rule, Elastic Security generates an [API key](https://www.elastic.co/elastic/docs-builder/docs/3016/deploy-manage/api-keys/elasticsearch-api-keys) that captures a snapshot of your current privileges. If a user without the required privileges (such as index read access) updates a rule, the rule can stop functioning correctly and no longer generate alerts. To fix this, a user with the right privileges must either modify the rule or update the API key. To learn more, refer to [Detection rule concepts > Rule authorization](/elastic/docs-builder/docs/3016/solutions/security/detect-and-alert/detection-rule-concepts#rule-authorization-concept).
</important>
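
A CI pipeline can guard against this before it edits a rule. The following is an added example, not part of Elastic's documentation or code: it builds a request body for the Elasticsearch `_security/user/_has_privileges` API from a rule's `index` patterns and evaluates the response. The sample rule, the sample response, and the choice of `read` as the only required privilege are constructed assumptions.

```python
# Assumption: "read" is the only privilege checked, following the page's
# example ("index read access"); extend this tuple for your own rules.
REQUIRED_PRIVILEGES = ("read",)


def build_has_privileges_body(rule, privileges=REQUIRED_PRIVILEGES):
    """Body for POST /_security/user/_has_privileges, built from the index
    patterns the rule queries. Rules without an `index` field (for example
    those using a data view) are rejected rather than silently passed."""
    patterns = sorted(set(rule.get("index") or []))
    if not patterns:
        raise ValueError(f"rule {rule.get('rule_id')!r} declares no index patterns")
    return {"index": [{"names": patterns, "privileges": list(privileges)}]}


def missing_privileges(response):
    """Return {index_pattern: [denied privileges]} from a _has_privileges response."""
    gaps = {}
    for pattern, grants in response.get("index", {}).items():
        denied = sorted(p for p, ok in grants.items() if not ok)
        if denied:
            gaps[pattern] = denied
    return gaps


def safe_to_edit(rule, response):
    """True only if the response covers every pattern and denies nothing."""
    requested = set(build_has_privileges_body(rule)["index"][0]["names"])
    unchecked = requested - set(response.get("index", {}))
    return not unchecked and not missing_privileges(response)


# Constructed sample data: a rule as exported JSON and the response the
# pipeline's identity would receive from _has_privileges.
SAMPLE_RULE = {"rule_id": "example-rule", "index": ["logs-*", "winlogbeat-*"]}
SAMPLE_RESPONSE = {
    "username": "ci-bot",
    "has_all_requested": False,
    "index": {"logs-*": {"read": True}, "winlogbeat-*": {"read": False}},
}

if __name__ == "__main__":
    print(build_has_privileges_body(SAMPLE_RULE))
    print("missing:", missing_privileges(SAMPLE_RESPONSE))
    print("safe to edit:", safe_to_edit(SAMPLE_RULE, SAMPLE_RESPONSE))
```

Run the check with the same credentials the pipeline uses to update the rule, and fail the job when `safe_to_edit` returns `False`.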


## API reference

The detection APIs are part of the Kibana API. Use the appropriate reference for your deployment type:
<definitions>
  <definition term="Elastic Stack">
    [Security detections API](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-detections-api): Create, read, update, delete, and bulk-manage detection rules. Also covers alert management (status, tags, assignees) and prebuilt rule installation. For a complete list of Elastic Security APIs, refer to [Elastic Security APIs](https://www.elastic.co/elastic/docs-builder/docs/3016/solutions/security/apis).
  </definition>
  <definition term="Elastic Cloud Serverless">
    [Security detections API (Serverless)](https://www.elastic.co/docs/api/doc/serverless//group/endpoint-security-detections-api): The same detection operations, scoped to Serverless projects.
  </definition>
</definitions>


## Common operations


| Task                       | Elastic Stack                                                                                             | Elastic Cloud Serverless                                                                                           |
|----------------------------|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| Create a rule              | [Stack](https://www.elastic.co/docs/api/doc/kibana//operation/operation-createrule)                       | [Serverless](https://www.elastic.co/docs/api/doc/serverless//operation/operation-createrule)                       |
| List all rules             | [Stack](https://www.elastic.co/docs/api/doc/kibana//operation/operation-findrules)                        | [Serverless](https://www.elastic.co/docs/api/doc/serverless//operation/operation-findrules)                        |
| Update a rule              | [Stack](https://www.elastic.co/docs/api/doc/kibana//operation/operation-updaterule)                       | [Serverless](https://www.elastic.co/docs/api/doc/serverless//operation/operation-updaterule)                       |
| Bulk actions               | [Stack](https://www.elastic.co/docs/api/doc/kibana//operation/operation-performrulesbulkaction)           | [Serverless](https://www.elastic.co/docs/api/doc/serverless//operation/operation-performrulesbulkaction)           |
| Import rules               | [Stack](https://www.elastic.co/docs/api/doc/kibana//operation/operation-importrules)                      | [Serverless](https://www.elastic.co/docs/api/doc/serverless//operation/operation-importrules)                      |
| Export rules               | [Stack](https://www.elastic.co/docs/api/doc/kibana//operation/operation-exportrules)                      | [Serverless](https://www.elastic.co/docs/api/doc/serverless//operation/operation-exportrules)                      |
| Install prebuilt rules     | [Stack](https://www.elastic.co/docs/api/doc/kibana//operation/operation-installprebuiltrulesandtimelines) | [Serverless](https://www.elastic.co/docs/api/doc/serverless//operation/operation-installprebuiltrulesandtimelines) |
| Set alert status           | [Stack](https://www.elastic.co/docs/api/doc/kibana//operation/operation-setalertsstatus)                  | [Serverless](https://www.elastic.co/docs/api/doc/serverless//operation/operation-setalertsstatus)                  |
| Manage rule exceptions     | [Stack](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-exceptions-api)               | [Serverless](https://www.elastic.co/docs/api/doc/serverless//group/endpoint-security-exceptions-api)               |
| Manage endpoint exceptions | [Stack](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-endpoint-exceptions-api)      | [Serverless](https://www.elastic.co/docs/api/doc/serverless//group/endpoint-security-endpoint-exceptions-api)      |
| Manage value lists         | [Stack](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-lists-api)                    | [Serverless](https://www.elastic.co/docs/api/doc/serverless//group/endpoint-security-lists-api)                    |