Bulk rule actions
You can bulk create, update, and delete rules.
Bulk create
Creates new rules.
Request URL
POST <kibana host>:<port>/api/detection_engine/rules/_bulk_create
Request body
A JSON array of rules, where each rule contains the required fields.
Example request
POST api/detection_engine/rules/_bulk_create
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload",
    "risk_score": 50,
    "description": "Process started by MS Office program - possible payload",
    "interval": "5m",
    "name": "MS Office child process",
    "severity": "low",
    "tags": [
      "child process",
      "ms office"
    ],
    "type": "query",
    "from": "now-6m",
    "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
    "language": "kuery",
    "filters": [
      {
        "query": {
          "match": {
            "event.action": {
              "query": "Process Create (rule: ProcessCreate)",
              "type": "phrase"
            }
          }
        }
      }
    ],
    "enabled": false
  },
  {
    "name": "Second bulk rule",
    "description": "Query with a rule_id for referencing an external id",
    "rule_id": "query-rule-id-2",
    "risk_score": 2,
    "severity": "low",
    "type": "query",
    "from": "now-6m",
    "query": "user.name: root or user.name: admin"
  }
]
Response code
- 200 - Indicates a successful call.
Response payload
A JSON array that includes a unique ID for each rule. A unique rule ID is
generated for all rules that did not include a rule_id field.
Bulk delete
Deletes multiple rules.
Request URL
DELETE <kibana host>:<port>/api/detection_engine/rules/_bulk_delete
Request body
A JSON array of id or rule_id fields of the rules you want to delete.
Example request
DELETE api/detection_engine/rules/_bulk_delete
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "id": "51658332-a15e-4c9e-912a-67214e2e2359"
  }
]
Response code
- 200 - Indicates a successful call.
Response payload
A JSON array containing the deleted rules.
Bulk update
Updates multiple rules.
You can use PUT or PATCH methods to bulk update rules, where:
- PUT replaces the original rule and deletes fields that are not specified.
- PATCH updates the specified fields.
Request URL
PUT <kibana host>:<port>/api/detection_engine/rules/_bulk_update
PATCH <kibana host>:<port>/api/detection_engine/rules/_bulk_update
Request body
A JSON array where each element includes:
- The id or rule_id field of the rule you want to update.
- The fields you want to modify.
If you call PUT to update rules, all unspecified fields are
deleted. You cannot modify the id or rule_id values.
For PATCH calls, any of the fields can be modified. For PUT calls,
some fields are required (see Update rule for a list of required
fields).
Example request
PATCH api/detection_engine/rules/_bulk_update
[
  {
    "threat": [
      {
        "framework": "MITRE ATT&CK",
        "tactic": {
          "id": "TA0001",
          "reference": "https://attack.mitre.org/tactics/TA0001",
          "name": "Initial Access"
        },
        "technique": [
          {
            "id": "T1193",
            "name": "Spearphishing Attachment",
            "reference": "https://attack.mitre.org/techniques/T1193"
          }
        ]
      }
    ],
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "name": "New name",
    "id": "56b22b65-173e-4a5b-b27a-82599cb1433e"
  }
]
Response code
- 200 - Indicates a successful call.
Response payload
A JSON array containing the updated rules.
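The three bulk endpoints above (create, delete, and update with PUT or PATCH) share one request shape: a JSON array whose elements name a rule by id or rule_id and carry the fields to apply. The following added example, written for this page and not part of Kibana or its client libraries, builds and checks those arrays client-side before sending them, so that a PUT that would silently drop fields, or an element that names a rule by both id and rule_id, is caught before it reaches the server. It uses only the Python standard library. The REQUIRED_RULE_FIELDS set is an assumption taken from the fields every rule in this page's own create example carries (consult Create rule and Update rule for the authoritative lists), the per-item "error" shape that summarize_response looks for is an assumption, and base_url and api_key are placeholders the caller supplies; the kbn-xsrf header is the one Kibana requires on state-changing requests.

```python
"""Client-side helpers for the Kibana detection-engine bulk rule endpoints.

Added example, not Kibana's own client. Standard library only.
"""
import json
import urllib.request
from typing import Iterable

BULK_CREATE = "/api/detection_engine/rules/_bulk_create"
BULK_DELETE = "/api/detection_engine/rules/_bulk_delete"
BULK_UPDATE = "/api/detection_engine/rules/_bulk_update"

# Assumption: minimal field set for a new or PUT-replaced rule, taken from the
# fields every rule in the page's create example carries. The authoritative
# list lives in the Create rule / Update rule documentation.
REQUIRED_RULE_FIELDS = frozenset({"name", "description", "risk_score", "severity", "type"})
IDENTIFIERS = ("id", "rule_id")


def _check_required(rule: dict, index: int) -> None:
    """Raise if a rule lacks any of the assumed required fields."""
    missing = sorted(REQUIRED_RULE_FIELDS - rule.keys())
    if missing:
        raise ValueError(f"rule[{index}] missing required fields: {missing}")


def build_create_body(rules: Iterable[dict]) -> list:
    """Validate a _bulk_create payload; rule_id is optional (Kibana generates one)."""
    body = list(rules)
    for i, rule in enumerate(body):
        if not isinstance(rule, dict):
            raise TypeError(f"rule[{i}] is not an object")
        _check_required(rule, i)
    return body


def build_delete_body(rule_ids: Iterable[str] = (), ids: Iterable[str] = ()) -> list:
    """Each _bulk_delete element names one rule by rule_id or by id."""
    body = [{"rule_id": r} for r in rule_ids]
    body += [{"id": i} for i in ids]
    if not body:
        raise ValueError("nothing to delete")
    return body


def build_update_body(changes: Iterable[dict], method: str) -> list:
    """Validate a _bulk_update payload for the chosen HTTP method.

    PATCH: each element needs exactly one identifier plus the fields to change.
    PUT: the server replaces the whole rule and deletes unspecified fields, so
    each element must additionally carry REQUIRED_RULE_FIELDS (assumed set).
    """
    if method not in ("PUT", "PATCH"):
        raise ValueError("method must be PUT or PATCH")
    body = list(changes)
    for i, change in enumerate(body):
        present = [k for k in IDENTIFIERS if k in change]
        if len(present) != 1:
            raise ValueError(f"update[{i}] must name exactly one of id or rule_id")
        if len(change) < 2:
            raise ValueError(f"update[{i}] changes nothing")
        if method == "PUT":
            _check_required(change, i)
    return body


def summarize_response(items: list) -> dict:
    """Split a bulk response array into succeeded and failed rules.

    Assumption: a per-item failure is an object carrying an "error" member next
    to its id/rule_id while the HTTP status is still 200, so the array must be
    inspected item by item rather than trusting the status code alone.
    """
    ok, failed = [], []
    for item in items:
        (failed if "error" in item else ok).append(item)
    return {"ok": ok, "failed": failed}


def send(method: str, path: str, body: list, base_url: str, api_key: str) -> list:
    """Perform the call. base_url and api_key are placeholders supplied by the caller."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method=method,
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",  # Kibana rejects state-changing requests without it
            "Authorization": f"ApiKey {api_key}",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: the page's second create rule and its PATCH rename.
    rules = build_create_body([{"name": "Second bulk rule", "description": "Query with a rule_id",
                                "rule_id": "query-rule-id-2", "risk_score": 2, "severity": "low",
                                "type": "query", "query": "user.name: root or user.name: admin"}])
    patch = build_update_body([{"id": "56b22b65-173e-4a5b-b27a-82599cb1433e", "name": "New name"}], "PATCH")
    print(json.dumps(rules, indent=2), json.dumps(patch, indent=2), sep="\n")
```

Because PUT deletes whatever the element omits, the safest pattern for a PUT-based bulk update is to start from the rule as currently stored and modify a copy, rather than hand-writing the element; the validator here only catches the case where the assumed required fields are missing, not a tag or filter you forgot to carry over.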