Bulk rule actions

edit

You can bulk create, update, and delete rules.

Bulk create

edit

Creates new rules.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/rules/_bulk_create

Request body

edit

A JSON array of rules, where each rule contains the required fields.

Example request
edit
POST api/detection_engine/rules/_bulk_create
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload",
    "risk_score": 50,
    "description": "Process started by MS Office program - possible payload",
    "interval": "5m",
    "name": "MS Office child process",
    "severity": "low",
    "tags": [
     "child process",
     "ms office"
     ],
    "type": "query",
    "from": "now-6m",
    "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
    "language": "kuery",
    "filters": [
       {
        "query": {
           "match": {
              "event.action": {
                 "query": "Process Create (rule: ProcessCreate)",
                 "type": "phrase"
              }
           }
        }
       }
    ],
    "enabled": false
  },
  {
    "name": "Second bulk rule",
    "description": "Query with a rule_id for referencing an external id",
    "rule_id": "query-rule-id-2",
    "risk_score": 2,
    "severity": "low",
    "type": "query",
    "from": "now-6m",
    "query": "user.name: root or user.name: admin"
  }
]

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON array that includes a unique ID for each rule. A unique rule ID is generated for all rules that did not include a rule_id field.

Bulk delete

edit

Deletes multiple rules.

Request URL

edit

DELETE <kibana host>:<port>/api/detection_engine/rules/_bulk_delete

Request body

edit

A JSON array of id or rule_id fields of the rules you want to delete.

Example request
edit
DELETE api/detection_engine/rules/_bulk_delete
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "id": "51658332-a15e-4c9e-912a-67214e2e2359"
  }
]

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON array containing the deleted rules.

Bulk update

edit

Updates multiple rules.

You can use PUT or PATCH methods to bulk update rules, where:

  • PUT replaces the original rule and deletes fields that are not specified.
  • PATCH updates the specified fields.

Request URL

edit

PUT <kibana host>:<port>/api/detection_engine/rules/_bulk_update

PATCH <kibana host>:<port>/api/detection_engine/rules/_bulk_update

Request body

edit

A JSON array where each element includes:

  • The id or rule_id field of the rule you want to update.
  • The fields you want to modify.

If you call PUT to update rules, all unspecified fields are deleted. You cannot modify the id or rule_id values.

For PATCH calls, any of the fields can be modified. For PUT calls, some fields are required (see Update rule for a list of required fields).

Example request
edit
PATCH api/detection_engine/rules/_bulk_update
[
  {
    "threat": [
     {
        "framework": "MITRE ATT&CK",
        "tactic": {
           "id": "TA0001",
           "reference": "https://attack.mitre.org/tactics/TA0001",
           "name": "Initial Access"
        },
        "technique": [
           {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": "https://attack.mitre.org/techniques/T1193"
           }
        ]
     }
   ],
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "name": "New name",
    "id": "56b22b65-173e-4a5b-b27a-82599cb1433e"
  }
]

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON array containing the updated rules.