Using the API
You can create and manage detection rules programmatically instead of through the Kibana UI. This suits CI/CD pipelines, bulk rule management, rules-as-code workflows (rule definitions kept in version control and pushed on merge), and integrating detection management with external tooling.
Create rules using the UI
If you prefer to use the UI for creating rules, refer to Using the UI.
The detection APIs are part of the Kibana API. Use the reference that matches your deployment type:
- Elastic Stack
  - Security detections API: Create, read, update, delete, and bulk-manage detection rules. Also covers alert management (status, tags, assignees) and prebuilt rule installation. For a complete list of Elastic Security APIs, refer to Elastic Security APIs.
- Elastic Cloud Serverless
  - Security detections API (Serverless): The same detection operations, scoped to Serverless projects.
| Task | Elastic Stack | Elastic Cloud Serverless |
|---|---|---|
| Create a rule | Stack | Serverless |
| List all rules | Stack | Serverless |
| Update a rule | Stack | Serverless |
| Bulk actions | Stack | Serverless |
| Import rules | Stack | Serverless |
| Export rules | Stack | Serverless |
| Install prebuilt rules | Stack | Serverless |
| Set alert status | Stack | Serverless |
| Manage rule exceptions | Stack | Serverless |
| Manage endpoint exceptions | Stack | Serverless |
| Manage value lists | Stack | Serverless |
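The rules-as-code workflow mentioned above boils down to an idempotent upsert: look the rule up by its stable `rule_id`, create it if it is absent, otherwise replace it. The following Python script is an added example written for this page; it is not code from the Elastic documentation or from any Elastic tool. It uses only the standard library and the documented Kibana endpoints (`GET /api/detection_engine/rules?rule_id=...`, `POST /api/detection_engine/rules`, `PUT /api/detection_engine/rules`) together with the `kbn-xsrf` header that Kibana requires on every write. The `KIBANA_URL` and `KIBANA_API_KEY` environment variables, the `./rules` directory layout, the `send` injection parameter, the sample rule body and its `logs-system.auth-*` index pattern are all assumptions made for the example.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Fields the API refuses to create a "query" rule without (rule_id is optional
# for the API, but mandatory here so that the upsert has a stable key).
REQUIRED = ("rule_id", "name", "description", "risk_score", "severity", "type", "query")
SEVERITIES = ("low", "medium", "high", "critical")

# Constructed sample rule for this example; not one of Elastic's prebuilt rules.
EXAMPLE_RULE = {
    "rule_id": "cicd-example-ssh-root-login",
    "name": "SSH login as root (example)",
    "description": "Example rule managed from version control.",
    "type": "query",
    "language": "kuery",
    "index": ["logs-system.auth-*"],  # assumed index pattern
    "query": "event.category:authentication and event.outcome:success and user.name:root",
    "severity": "medium",
    "risk_score": 47,
    "from": "now-6m",
    "interval": "5m",
    "enabled": True,
    "tags": ["managed-by:ci"],
}


def validate_rule(rule):
    """Reject malformed rules locally, before a failed API call breaks the pipeline."""
    missing = [f for f in REQUIRED if f not in rule]
    if missing:
        raise ValueError(f"{rule.get('rule_id', '?')}: missing fields {missing}")
    if rule["severity"] not in SEVERITIES:
        raise ValueError(f"{rule['rule_id']}: severity must be one of {SEVERITIES}")
    if not 0 <= rule["risk_score"] <= 100:
        raise ValueError(f"{rule['rule_id']}: risk_score must be between 0 and 100")
    return rule


def kibana_request(method, path, body=None):
    """Send one request to Kibana; returns (http_status, decoded_json).

    KIBANA_URL and KIBANA_API_KEY are assumed environment variables for this example.
    """
    base = os.environ["KIBANA_URL"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("kbn-xsrf", "true")  # Kibana rejects write requests without this header
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "ApiKey " + os.environ["KIBANA_API_KEY"])
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # Kibana returns a JSON body describing the failure; surface it to the caller.
        return err.code, json.loads(err.read() or b"{}")


def sync_rule(rule, send=kibana_request):
    """Idempotent upsert keyed on rule_id: create when absent, full replace via PUT otherwise."""
    validate_rule(rule)
    lookup = "/api/detection_engine/rules?rule_id=" + urllib.parse.quote(rule["rule_id"], safe="")
    status, _ = send("GET", lookup)
    if status == 404:
        action = "created"
        status, body = send("POST", "/api/detection_engine/rules", rule)
    elif status == 200:
        action = "updated"
        status, body = send("PUT", "/api/detection_engine/rules", rule)
    else:
        raise RuntimeError(f"lookup of {rule['rule_id']} failed with HTTP {status}")
    if not 200 <= status < 300:
        raise RuntimeError(f"{action} failed for {rule['rule_id']} with HTTP {status}: {body}")
    return action, body


def sync_directory(path, send=kibana_request):
    """Push every *.json rule file under `path`; returns {rule_id: action}."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".json"):
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                rule = json.load(fh)
            results[rule["rule_id"]] = sync_rule(rule, send)[0]
    return results


if __name__ == "__main__":
    # Assumed layout: one rule per JSON file in ./rules, run from the CI job.
    for rule_id, action in sync_directory("rules").items():
        print(f"{action}: {rule_id}")
```

Because the upsert is keyed on `rule_id` rather than on Kibana's internal `id`, the same script is safe to run against any number of Stack or Serverless deployments, and re-running it after a no-op commit simply re-PUTs identical rules. The `send` parameter exists so the logic can be exercised without a live Kibana, which is also how the pipeline's own tests should cover it.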