---
title: Using the API
description: Create and manage detection rules programmatically using the Security detections API for CI/CD and bulk operations.
url: https://www.elastic.co/elastic/docs-builder/docs/3031/solutions/security/detect-and-alert/using-the-api
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Using the API

You can create and manage detection rules programmatically instead of using the Kibana UI. This is useful for CI/CD pipelines, bulk rule management, rule-as-code workflows, and integrating detection management with external tooling.

<admonition title="Create rules using the UI">
  If you prefer to use the UI for creating rules, refer to [Using the UI](https://www.elastic.co/elastic/docs-builder/docs/3031/solutions/security/detect-and-alert/using-the-rule-ui).
</admonition>

<important>
  Rules run in the background using the privileges of the user who last edited them. When you create or modify a rule, Elastic Security generates an [API key](https://www.elastic.co/elastic/docs-builder/docs/3031/deploy-manage/api-keys/elasticsearch-api-keys) that captures a snapshot of your current privileges. If a user without the required privileges (such as index read access) updates a rule, the rule can stop functioning correctly and no longer generate alerts. To fix this, a user with the right privileges needs to either modify the rule or update the API key. To learn more, refer to [Detection rule concepts > Rule authorization](/elastic/docs-builder/docs/3031/solutions/security/detect-and-alert/detection-rule-concepts#rule-authorization-concept).
</important>


## API endpoints

The detection APIs are part of the Kibana API. For a full operation list, refer to [`endpoint-security-detections-api`](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-detections-api) for Elastic Stack and [`endpoint-security-detections-api`](https://www.elastic.co/docs/api/doc/serverless//group/endpoint-security-detections-api) for Serverless. Other Elastic Security endpoints are at [`solutions/security/apis`](https://www.elastic.co/elastic/docs-builder/docs/3031/solutions/security/apis).

### Detection rules APIs

<table>
  | Function                                                             | Elastic Stack                                                                                                                            | Elastic Cloud Serverless                                                                                                                     |
  |----------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
  | Creates a new detection rule.                                        | [`detection_engine/rules`](https://www.elastic.co/docs/api/doc/kibana//operation/operation-createrule)                                   | [`detection_engine/rules`](https://www.elastic.co/docs/api/doc/serverless//operation/operation-createrule)                                   |
  | Returns a paginated list of detection rules.                         | [`detection_engine/rules/_find`](https://www.elastic.co/docs/api/doc/kibana//operation/operation-findrules)                              | [`detection_engine/rules/_find`](https://www.elastic.co/docs/api/doc/serverless//operation/operation-findrules)                              |
  | Updates an existing detection rule.                                  | [`detection_engine/rules`](https://www.elastic.co/docs/api/doc/kibana//operation/operation-updaterule)                                   | [`detection_engine/rules`](https://www.elastic.co/docs/api/doc/serverless//operation/operation-updaterule)                                   |
  | Applies bulk edit, duplicate, or delete actions to multiple rules.   | [`detection_engine/rules/_bulk_action`](https://www.elastic.co/docs/api/doc/kibana//operation/operation-performrulesbulkaction)          | [`detection_engine/rules/_bulk_action`](https://www.elastic.co/docs/api/doc/serverless//operation/operation-performrulesbulkaction)          |
  | Imports detection rules from an NDJSON file.                         | [`detection_engine/rules/_import`](https://www.elastic.co/docs/api/doc/kibana//operation/operation-importrules)                          | [`detection_engine/rules/_import`](https://www.elastic.co/docs/api/doc/serverless//operation/operation-importrules)                          |
  | Exports detection rules to NDJSON.                                   | [`detection_engine/rules/_export`](https://www.elastic.co/docs/api/doc/kibana//operation/operation-exportrules)                          | [`detection_engine/rules/_export`](https://www.elastic.co/docs/api/doc/serverless//operation/operation-exportrules)                          |
  | Installs and updates Elastic prebuilt detection rules and Timelines. | [`detection_engine/rules/prepackaged`](https://www.elastic.co/docs/api/doc/kibana//operation/operation-installprebuiltrulesandtimelines) | [`detection_engine/rules/prepackaged`](https://www.elastic.co/docs/api/doc/serverless//operation/operation-installprebuiltrulesandtimelines) |
</table>
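
For the CI/CD and rule-as-code use mentioned above, a pipeline can lint an NDJSON rule file before sending it to `detection_engine/rules/_import`. The following is an added example, not Elastic's own code: the function name, the sample rules, the choice to require `rule_id`, and the use of `exported_count` to recognise an export summary line are assumptions of this sketch.

```python
import json

# Assumed checks: required fields and allowed values follow the public
# create-rule request schema; requiring rule_id is this example's own policy.
REQUIRED = ("rule_id", "name", "description", "risk_score", "severity", "type")
SEVERITIES = ("low", "medium", "high", "critical")
# Constructed sample: one valid rule, one bad rule, one broken line, a summary.
SAMPLE = "\n".join([
    '{"rule_id":"ci-001","name":"A","description":"d","risk_score":47,"severity":"medium","type":"query","query":"process.name:cmd.exe"}',
    '{"rule_id":"ci-001","name":"B","description":"d","risk_score":147,"severity":"urgent","type":"query"}',
    '{"name":"C"',
    '{"exported_count":2,"missing_rules":[]}',
])


def lint_rules_ndjson(text):
    """Return (rules, errors) for NDJSON rule content destined for _import."""
    rules, errors, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append(f"line {lineno}: invalid JSON ({exc.msg})")
            continue
        if not isinstance(obj, dict):
            errors.append(f"line {lineno}: expected a JSON object")
            continue
        if "exported_count" in obj:  # assumed marker of the export summary line
            continue
        problems = [f"missing {f}" for f in REQUIRED if f not in obj]
        score = obj.get("risk_score")
        if "risk_score" in obj and not (
            isinstance(score, (int, float)) and not isinstance(score, bool)
            and 0 <= score <= 100
        ):
            problems.append("risk_score must be a number from 0 to 100")
        if "severity" in obj and obj["severity"] not in SEVERITIES:
            problems.append(f"unknown severity {obj['severity']!r}")
        rule_id = obj.get("rule_id")
        if isinstance(rule_id, str):
            if rule_id in seen:  # a repeated rule_id would target the same rule
                problems.append(f"duplicate rule_id (first on line {seen[rule_id]})")
            seen.setdefault(rule_id, lineno)
        errors.extend(f"line {lineno}: {p}" for p in problems)
        if not problems:
            rules.append(obj)
    return rules, errors
```

A file that lints clean can then be uploaded to the import endpoint from the pipeline. Because rules run with the privileges of the user who last edited them, the pipeline's credentials should hold the index privileges the imported rules need.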


### Detection alerts APIs

<table>
  | Function                                         | Elastic Stack                                                                                                        | Elastic Cloud Serverless                                                                                                 |
  |--------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------|
  | Sets the status of one or more detection alerts. | [`detection_engine/signals/status`](https://www.elastic.co/docs/api/doc/kibana//operation/operation-setalertsstatus) | [`detection_engine/signals/status`](https://www.elastic.co/docs/api/doc/serverless//operation/operation-setalertsstatus) |
</table>


### Exceptions and lists APIs

<table>
  | Function                                                 | Elastic Stack                                                                                                  | Elastic Cloud Serverless                                                                                           |
  |----------------------------------------------------------|----------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
  | Manages exception lists and items for detection rules.   | [`exception_lists`](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-exceptions-api)        | [`exception_lists`](https://www.elastic.co/docs/api/doc/serverless//group/endpoint-security-exceptions-api)        |
  | Manages Elastic Endpoint rule exception lists and items. | [`endpoint_list`](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-endpoint-exceptions-api) | [`endpoint_list`](https://www.elastic.co/docs/api/doc/serverless//group/endpoint-security-endpoint-exceptions-api) |
  | Manages value lists used with detection rule exceptions. | [`lists`](https://www.elastic.co/docs/api/doc/kibana//group/endpoint-security-lists-api)                       | [`lists`](https://www.elastic.co/docs/api/doc/serverless//group/endpoint-security-lists-api)                       |
</table>