Loading

Using the API

You can create and manage detection rules programmatically instead of using the Kibana UI. This is useful for CI/CD pipelines, bulk rule management, rule-as-code workflows, and integrating detection management with external tooling.

Create rules using the UI

If you prefer to use the UI for creating rules, refer to Using the UI.

Important

Ensure that only users with the appropriate access edit rules. Refer to Detection rule concepts > Rule authorization for more details.

The detection APIs are part of the Kibana API. For a full operation list, refer to endpoint-security-detections-api for Elastic Stack and endpoint-security-detections-api for Serverless. Other Elastic Security endpoints are at solutions/security/apis.

Function Elastic Stack Elastic Cloud Serverless
Creates a new detection rule. detection_engine/rules detection_engine/rules
Returns a paginated list of detection rules. detection_engine/rules/_find detection_engine/rules/_find
Updates an existing detection rule. detection_engine/rules detection_engine/rules
Applies bulk edit, duplicate, or delete actions to multiple rules. detection_engine/rules/_bulk_action detection_engine/rules/_bulk_action
Imports detection rules from an NDJSON file. detection_engine/rules/_import detection_engine/rules/_import
Exports detection rules to NDJSON. detection_engine/rules/_export detection_engine/rules/_export
Installs and updates Elastic prebuilt detection rules and Timelines. detection_engine/rules/prepackaged detection_engine/rules/prepackaged
Function Elastic Stack Elastic Cloud Serverless
Sets the status of one or more detection alerts. detection_engine/signals/status detection_engine/signals/status
Function Elastic Stack Elastic Cloud Serverless
Manages exception lists and items for detection rules. exception_lists exception_lists
Manages Elastic Endpoint rule exception lists and items. endpoint_list endpoint_list
Manages value lists used with detection rule exceptions. lists lists