Bulk rule actions

You can bulk create, update, and delete rules.

The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.

Bulk create

Creates new rules.

Request URL

POST <kibana host>:<port>/api/detection_engine/rules/_bulk_create

Request body

A JSON array of rules, where each rule contains the required fields.

Example request

POST api/detection_engine/rules/_bulk_create
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload",
    "risk_score": 50,
    "description": "Process started by MS Office program - possible payload",
    "interval": "5m",
    "name": "MS Office child process",
    "severity": "low",
    "tags": [
      "child process",
      "ms office"
    ],
    "type": "query",
    "from": "now-6m",
    "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
    "language": "kuery",
    "filters": [
      {
        "query": {
          "match": {
            "event.action": {
              "query": "Process Create (rule: ProcessCreate)",
              "type": "phrase"
            }
          }
        }
      }
    ],
    "enabled": false
  },
  {
    "name": "Second bulk rule",
    "description": "Query with a rule_id for referencing an external id",
    "rule_id": "query-rule-id-2",
    "risk_score": 2,
    "severity": "low",
    "type": "query",
    "from": "now-6m",
    "query": "user.name: root or user.name: admin"
  }
]

Response code

200
Indicates a successful call.

Response payload

A JSON array that includes a unique ID for each rule. A unique rule ID is generated for all rules that did not include a rule_id field.

Bulk delete

Deletes multiple rules.

Request URL

DELETE <kibana host>:<port>/api/detection_engine/rules/_bulk_delete

Request body

A JSON array of id or rule_id fields of the rules you want to delete.

Example request
DELETE api/detection_engine/rules/_bulk_delete
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "id": "51658332-a15e-4c9e-912a-67214e2e2359"
  }
]

Response code

200
Indicates a successful call.

Response payload

A JSON array containing the deleted rules.

Bulk update

Updates multiple rules.

You can use PUT or PATCH methods to bulk update rules, where:

  • PUT replaces the original rule and deletes fields that are not specified.
  • PATCH updates the specified fields.

Request URL

PUT <kibana host>:<port>/api/detection_engine/rules/_bulk_update

PATCH <kibana host>:<port>/api/detection_engine/rules/_bulk_update

Request body

A JSON array where each element includes:

  • The id or rule_id field of the rule you want to update.
  • The fields you want to modify.

If you call PUT to update rules, all unspecified fields are deleted. You cannot modify the id or rule_id values.

For PATCH calls, any of the fields can be modified. For PUT calls, some fields are required (see Update rule for a list of required fields).

Example request

PATCH api/detection_engine/rules/_bulk_update
[
  {
    "threat": [
      {
        "framework": "MITRE ATT&CK",
        "tactic": {
          "id": "TA0001",
          "reference": "https://attack.mitre.org/tactics/TA0001",
          "name": "Initial Access"
        },
        "technique": [
          {
            "id": "T1193",
            "name": "Spearphishing Attachment",
            "reference": "https://attack.mitre.org/techniques/T1193"
          }
        ]
      }
    ],
    "rule_id": "process_started_by_ms_office_program_possible_payload"
  },
  {
    "name": "New name",
    "id": "56b22b65-173e-4a5b-b27a-82599cb1433e"
  }
]

Response code

200
Indicates a successful call.

Response payload

A JSON array containing the updated rules.
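Because PUT silently deletes every field a bulk update omits, it is worth checking a body before it leaves the workstation. The following helper is an added example, not part of the Kibana documentation: it validates the identifier rule shared by bulk update and bulk delete, flags PUT elements that would strip fields, and builds the request with the kbn-xsrf header Kibana requires on write calls. The PUT_REQUIRED field list is an assumption taken from the minimal rule in the bulk-create example above (the page defers to Update rule for the authoritative list), and the Kibana URL and API key are placeholders.

```python
"""Build (but do not send) Kibana detection-engine bulk rule requests."""
import json
import urllib.request

BULK_PATH = "/api/detection_engine/rules/_bulk_{action}"
# Which HTTP methods each bulk action accepts, as documented on this page.
METHODS = {"create": ("POST",), "delete": ("DELETE",), "update": ("PUT", "PATCH")}
# Assumption: fields a "query" rule must carry on PUT, taken from the page's
# minimal bulk-create rule; the authoritative list lives in "Update rule".
PUT_REQUIRED = ("name", "description", "risk_score", "severity", "type", "query")


def validate_bulk_body(action, method, rules):
    """Return a list of problems with the body; empty means it is acceptable."""
    problems = []
    if method not in METHODS.get(action, ()):
        problems.append(f"{method} is not valid for _bulk_{action}")
    for i, rule in enumerate(rules):
        # Update and delete elements must name the rule by id or rule_id.
        if action in ("update", "delete") and not ("id" in rule or "rule_id" in rule):
            problems.append(f"rule[{i}]: needs id or rule_id")
        # PUT replaces the whole rule, so anything left out is deleted.
        if action == "update" and method == "PUT":
            missing = [f for f in PUT_REQUIRED if f not in rule]
            if missing:
                problems.append(f"rule[{i}]: PUT would delete {missing}")
    return problems


def build_bulk_request(kibana, action, method, rules, api_key):
    """Return a ready-to-send urllib Request, or raise if the body is unsafe."""
    problems = validate_bulk_body(action, method, rules)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(
        kibana + BULK_PATH.format(action=action),
        data=json.dumps(rules).encode(),
        method=method,
    )
    req.add_header("Content-Type", "application/json")
    req.add_header("kbn-xsrf", "true")  # Kibana rejects writes without it
    req.add_header("Authorization", f"ApiKey {api_key}")  # placeholder key
    return req


if __name__ == "__main__":
    # Constructed sample: the PATCH element from the page's bulk-update example.
    patch = [{"name": "New name", "id": "56b22b65-173e-4a5b-b27a-82599cb1433e"}]
    print(validate_bulk_body("update", "PATCH", patch))  # []
    print(validate_bulk_body("update", "PUT", patch))  # warns about deleted fields
```

Send the returned request with urllib.request.urlopen(req) once the validation passes; the same check catches a bulk_delete body whose elements carry neither id nor rule_id.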