Using the API
You can create and manage detection rules programmatically instead of using the Kibana UI. This is useful for CI/CD pipelines, bulk rule management, rule-as-code workflows, and integrating detection management with external tooling.
If you prefer to use the UI for creating rules, refer to Using the UI.
Rules run in the background using the privileges of the user who last edited them. When you create or modify a rule, Elastic Security generates an API key that captures a snapshot of your current privileges. If a user without the required privileges (such as index read access) updates a rule, the rule can stop functioning correctly and no longer generate alerts. To fix this, a user with the right privileges must either modify the rule or update the API key. To learn more, refer to Detection rule concepts > Rule authorization.
The detection APIs are part of the Kibana API. For a full operation list, refer to endpoint-security-detections-api for Elastic Stack and endpoint-security-detections-api for Serverless. Other Elastic Security endpoints are at solutions/security/apis.
| Function | Elastic Stack | Elastic Cloud Serverless |
|---|---|---|
| Creates a new detection rule. | detection_engine/rules | detection_engine/rules |
| Returns a paginated list of detection rules. | detection_engine/rules/_find | detection_engine/rules/_find |
| Updates an existing detection rule. | detection_engine/rules | detection_engine/rules |
| Applies bulk edit, duplicate, or delete actions to multiple rules. | detection_engine/rules/_bulk_action | detection_engine/rules/_bulk_action |
| Imports detection rules from an NDJSON file. | detection_engine/rules/_import | detection_engine/rules/_import |
| Exports detection rules to NDJSON. | detection_engine/rules/_export | detection_engine/rules/_export |
| Installs and updates Elastic prebuilt detection rules and Timelines. | detection_engine/rules/prepackaged | detection_engine/rules/prepackaged |
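As an added example (not code from the Elastic documentation), a minimal rule-as-code upsert against the create and update endpoints in the table above: it looks the rule up by its stable `rule_id` and then creates or updates it, which is what a CI/CD pipeline needs to be safely re-runnable. The Kibana URL and API key are placeholders, the sample rule is constructed, and the `transport` parameter is an assumed hook so the logic can be exercised offline.

```python
import json
import urllib.error
import urllib.request

# Placeholders (assumptions, not values from the page): your Kibana URL and an API key.
KIBANA_URL = "https://kibana.example.invalid:5601"
API_KEY = "REPLACE_WITH_API_KEY"

# Constructed sample rule in rule-as-code form. rule_id is chosen by you and stays stable
# across runs, unlike the server-generated id, which is what makes the upsert idempotent.
SAMPLE_RULE = {
    "rule_id": "example-whoami-from-service",
    "name": "Example: whoami executed by a service account",
    "description": "Constructed example rule, not an Elastic prebuilt rule.",
    "type": "query",
    "language": "kuery",
    "index": ["logs-*"],
    "query": 'event.category:"process" and process.name:"whoami" and user.name:svc*',
    "risk_score": 47,
    "severity": "medium",
    "interval": "5m",
    "from": "now-6m",
    "enabled": False,  # create disabled so the rule is reviewed before it runs
}

def _decode(raw):
    try:
        return json.loads(raw) if raw else None
    except ValueError:  # Kibana error pages are not always JSON
        return raw.decode(errors="replace")

def http(method, path, body=None, transport=None):
    """Send one Kibana API request; returns (HTTP status, decoded body)."""
    if transport is not None:  # assumed test hook replacing the network call
        return transport(method, path, body)
    headers = {"kbn-xsrf": "true", "Content-Type": "application/json",
               "Authorization": f"ApiKey {API_KEY}"}  # kbn-xsrf is required for non-GET calls
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(KIBANA_URL + path, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, _decode(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, _decode(err.read())

def upsert_rule(rule, transport=None):
    """Create the rule if Kibana does not know its rule_id (GET returns 404), else replace it."""
    status, _ = http("GET", f"/api/detection_engine/rules?rule_id={rule['rule_id']}", transport=transport)
    if status == 404:
        return "created", http("POST", "/api/detection_engine/rules", rule, transport)[0]
    if status != 200:
        raise RuntimeError(f"lookup of {rule['rule_id']} failed with HTTP {status}")
    return "updated", http("PUT", "/api/detection_engine/rules", rule, transport)[0]

if __name__ == "__main__":
    print(upsert_rule(SAMPLE_RULE))
```

PUT replaces the whole rule, so the payload must carry every field you want to keep; use PATCH on the same path for partial edits.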
| Function | Elastic Stack | Elastic Cloud Serverless |
|---|---|---|
| Sets the status of one or more detection alerts. | detection_engine/signals/status | detection_engine/signals/status |
| Function | Elastic Stack | Elastic Cloud Serverless |
|---|---|---|
| Manages exception lists and items for detection rules. | exception_lists | exception_lists |
| Manages Elastic Endpoint rule exception lists and items. | endpoint_list | endpoint_list |
| Manages value lists used with detection rule exceptions. | lists | lists |