Bulk rule actions
editBulk rule actions
editYou can bulk create, update, and delete rules.
Bulk create
editCreates new rules.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/rules/_bulk_create
Request body
editA JSON array of rules, where each rule contains the required fields.
Example request
editPOST api/detection_engine/rules/_bulk_create [ { "rule_id": "process_started_by_ms_office_program_possible_payload", "risk_score": 50, "description": "Process started by MS Office program - possible payload", "interval": "5m", "name": "MS Office child process", "severity": "low", "tags": [ "child process", "ms office" ], "type": "query", "from": "now-6m", "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", "language": "kuery", "filters": [ { "query": { "match": { "event.action": { "query": "Process Create (rule: ProcessCreate)", "type": "phrase" } } } } ], "enabled": false }, { "name": "Second bulk rule", "description": "Query with a rule_id for referencing an external id", "rule_id": "query-rule-id-2", "risk_score": 2, "severity": "low", "type": "query", "from": "now-6m", "query": "user.name: root or user.name: admin" } ]
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON array that includes a unique ID for each rule. A unique rule ID is
generated for all rules that did not include a rule_id
field.
Bulk delete
editDeletes multiple rules.
Request URL
editDELETE <kibana host>:<port>/api/detection_engine/rules/_bulk_delete
Request body
editA JSON array of id
or rule_id
fields of the rules you want to delete.
Example request
editDELETE api/detection_engine/rules/_bulk_delete [ { "rule_id": "process_started_by_ms_office_program_possible_payload" }, { "id": "51658332-a15e-4c9e-912a-67214e2e2359" } ]
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON array containing the deleted rules.
Bulk update
editUpdates multiple rules.
You can use PUT
or PATCH
methods to bulk update rules, where:
-
PUT
replaces the original rule and deletes fields that are not specified. -
PATCH
updates the specified fields.
Request URL
editPUT <kibana host>:<port>/api/detection_engine/rules/_bulk_update
PATCH <kibana host>:<port>/api/detection_engine/rules/_bulk_update
Request body
editA JSON array where each element includes:
-
The
id
orrule_id
field of the rule you want to update. - The fields you want to modify.
If you call PUT
to update rules, all unspecified fields are
deleted. You cannot modify the id
or rule_id
values.
For PATCH
calls, any of the fields can be modified. For PUT
calls,
some fields are required (see Update rule for a list of required
fields).
Example request
editPATCH api/detection_engine/rules/_bulk_update [ { "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "reference": "https://attack.mitre.org/tactics/TA0001", "name": "Initial Access" }, "technique": [ { "id": "T1193", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1193" } ] } ], "rule_id": "process_started_by_ms_office_program_possible_payload" }, { "name": "New name", "id": "56b22b65-173e-4a5b-b27a-82599cb1433e" } ]
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON array containing the updated rules.