Using the API
You can create and manage detection rules programmatically instead of using the Kibana UI. This is useful for CI/CD pipelines, bulk rule management, rule-as-code workflows, and integrating detection management with external tooling.
The detection APIs are part of the Kibana API, so requests go to the Kibana host, not to Elasticsearch. Every non-GET request must carry a `kbn-xsrf` header (any value), and the user or API key making the call needs the Security privileges of the operation it performs. Use the appropriate reference for your deployment type:
- Elastic Stack
  - Security detections API: Create, read, update, delete, and bulk-manage detection rules. Also covers alert management (status, tags, assignees) and prebuilt rule installation.
- Elastic Cloud Serverless
  - Security detections API (Serverless): The same detection operations, scoped to Serverless projects.
For rule exceptions and value lists, use these additional APIs:
- Exceptions API: Create and manage rule exceptions and shared exception lists.
- Endpoint exceptions API: Manage endpoint-specific exceptions.
- Lists API: Create source event value lists for use with rule exceptions.
For a complete list of Elastic Security APIs, refer to Elastic Security APIs.
| Task | Endpoint |
|---|---|
| Create a rule | POST /api/detection_engine/rules |
| List all rules | GET /api/detection_engine/rules/_find |
| Update a rule (PUT replaces the whole rule; fields you omit are removed) | PUT /api/detection_engine/rules |
| Bulk actions (enable, disable, export, duplicate, delete) | POST /api/detection_engine/rules/_bulk_action |
| Import rules | POST /api/detection_engine/rules/_import |
| Export rules | POST /api/detection_engine/rules/_export |
| Install prebuilt rules | PUT /api/detection_engine/rules/prepackaged |
| Set alert status | POST /api/detection_engine/signals/status |
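The following is an added example of a rule-as-code helper built on the endpoints in the table above; it is not code from Elastic or from this page. It uses only the Python standard library, assumes a Kibana base URL and an API key supplied by the caller, and validates a rule body before it is sent. The Kibana host, the `rule_id` values and the `_EchoOpener` stand-in for `urlopen` are placeholders for an offline dry run.

```python
"""Stdlib-only helpers for the detection-engine endpoints listed above (added example)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

# Kibana rejects any non-GET request that lacks a kbn-xsrf header (the value is
# arbitrary). Serverless projects additionally expect an API version header.
KBN_XSRF = "rule-as-code"
SERVERLESS_API_VERSION = "2023-10-31"
SEVERITIES = ("low", "medium", "high", "critical")


@dataclass
class PreparedRequest:
    method: str
    url: str
    headers: dict
    body: "bytes | None" = None

    def json(self):
        """Decode the JSON body so callers can inspect exactly what will be sent."""
        return None if self.body is None else json.loads(self.body)


def prepare(base_url, api_key, method, path, body=None, params=None, serverless=False):
    """Build a request with auth, CSRF and content-type headers; nothing is sent yet."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = {"kbn-xsrf": KBN_XSRF, "Authorization": f"ApiKey {api_key}", "Accept": "application/json"}
    if serverless:
        headers["elastic-api-version"] = SERVERLESS_API_VERSION
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return PreparedRequest(method, url, headers, data)


def send(req, opener=urllib.request.urlopen):
    """Execute a PreparedRequest and return the decoded JSON response.
    `opener` is injectable so a CI dry run never touches the network."""
    raw = urllib.request.Request(req.url, data=req.body, headers=req.headers, method=req.method)
    with opener(raw) as resp:
        return json.loads(resp.read().decode("utf-8"))


def kql_quote(value):
    """Quote a literal for a KQL filter; backslash and double quote are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def validate_rule(rule):
    """Return a list of problems with a rule body; an empty list means it is safe to POST."""
    problems = []
    for field in ("name", "description", "risk_score", "severity", "type"):
        if field not in rule:
            problems.append(f"missing required field: {field}")
    if rule.get("severity") not in SEVERITIES:
        problems.append("severity must be one of " + ", ".join(SEVERITIES))
    if not isinstance(rule.get("risk_score"), int) or not 0 <= rule["risk_score"] <= 100:
        problems.append("risk_score must be an integer in 0..100")
    if rule.get("type") == "query" and not rule.get("query"):
        problems.append("query rules need a non-empty query")
    return problems


def query_rule(name, description, query, *, rule_id, severity="medium", risk_score=47,
               index=("logs-*",), tags=()):
    """Assemble a KQL rule body. A fixed rule_id keeps CI re-runs idempotent (a second
    POST with the same rule_id is rejected rather than creating a duplicate), and the
    rule starts disabled so it can be reviewed before it produces alerts."""
    rule = {"rule_id": rule_id, "name": name, "description": description, "type": "query",
            "language": "kuery", "query": query, "index": list(index), "severity": severity,
            "risk_score": risk_score, "tags": list(tags), "enabled": False}
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return rule


def create_rule(base_url, api_key, rule, **kw):
    return prepare(base_url, api_key, "POST", "/api/detection_engine/rules", body=rule, **kw)


def find_rules(base_url, api_key, kql_filter=None, page=1, per_page=100, **kw):
    params = {"page": page, "per_page": per_page}
    if kql_filter:
        params["filter"] = kql_filter  # e.g. alert.attributes.tags: "ci"
    return prepare(base_url, api_key, "GET", "/api/detection_engine/rules/_find", params=params, **kw)


def bulk_enable_by_tag(base_url, api_key, tag, **kw):
    body = {"action": "enable", "query": "alert.attributes.tags: " + kql_quote(tag)}
    return prepare(base_url, api_key, "POST", "/api/detection_engine/rules/_bulk_action", body=body, **kw)


def close_alerts(base_url, api_key, signal_ids, **kw):
    body = {"signal_ids": list(signal_ids), "status": "closed"}
    return prepare(base_url, api_key, "POST", "/api/detection_engine/signals/status", body=body, **kw)


class _EchoOpener:
    """Placeholder for urlopen in offline dry runs: answers with the request it received."""
    def __init__(self, raw):
        self.raw = raw
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False
    def read(self):
        return json.dumps({"method": self.raw.get_method(), "url": self.raw.full_url}).encode()


if __name__ == "__main__":
    # Constructed rule and placeholder host/key; swap _EchoOpener for the default urlopen to go live.
    rule = query_rule("CI: credential dump via procdump", "Constructed example rule",
                      'process.name: "procdump.exe" and process.args: "lsass"',
                      rule_id="ci-lsass-procdump", severity="high", risk_score=73, tags=("ci",))
    print(send(create_rule("https://kibana.example:5601/", "base64-api-key", rule), opener=_EchoOpener))
```

Pass `serverless=True` to any helper to add the API version header a Serverless project expects. Because `prepare` returns the request without sending it, a pipeline can diff the prepared bodies against the repository before calling `send`, and the same `validate_rule` check can gate pull requests that touch rule files.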