Bulk rule actions
editBulk rule actions
editYou can bulk create, update, and delete rules.
The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl
or another HTTP tool instead. For more information, refer to Console.
Bulk create
editCreates new rules.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/rules/_bulk_create
Request body
editA JSON array of rules, where each rule contains the required fields.
Example request
editPOST api/detection_engine/rules/_bulk_create [ { "rule_id": "process_started_by_ms_office_program_possible_payload", "risk_score": 50, "description": "Process started by MS Office program - possible payload", "interval": "5m", "name": "MS Office child process", "severity": "low", "tags": [ "child process", "ms office" ], "type": "query", "from": "now-6m", "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", "language": "kuery", "filters": [ { "query": { "match": { "event.action": { "query": "Process Create (rule: ProcessCreate)", "type": "phrase" } } } } ], "enabled": false }, { "name": "Second bulk rule", "description": "Query with a rule_id for referencing an external id", "rule_id": "query-rule-id-2", "risk_score": 2, "severity": "low", "type": "query", "from": "now-6m", "query": "user.name: root or user.name: admin" } ]
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON array that includes a unique ID for each rule. A unique rule ID is
generated for all rules that did not include a rule_id
field.
Bulk delete
editDeletes multiple rules.
Request URL
editDELETE <kibana host>:<port>/api/detection_engine/rules/_bulk_delete
Request body
editA JSON array of id
or rule_id
fields of the rules you want to delete.
Example request
editDELETE api/detection_engine/rules/_bulk_delete [ { "rule_id": "process_started_by_ms_office_program_possible_payload" }, { "id": "51658332-a15e-4c9e-912a-67214e2e2359" } ]
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON array containing the deleted rules.
Bulk update
editUpdates multiple rules.
You can use PUT
or PATCH
methods to bulk update rules, where:
-
PUT
replaces the original rule and deletes fields that are not specified. -
PATCH
updates the specified fields.
Request URL
editPUT <kibana host>:<port>/api/detection_engine/rules/_bulk_update
PATCH <kibana host>:<port>/api/detection_engine/rules/_bulk_update
Request body
editA JSON array where each element includes:
-
The
id
orrule_id
field of the rule you want to update. - The fields you want to modify.
If you call PUT
to update rules, all unspecified fields are
deleted. You cannot modify the id
or rule_id
values.
For PATCH
calls, any of the fields can be modified. For PUT
calls,
some fields are required (see Update rule for a list of required
fields).
Example request
editPATCH api/detection_engine/rules/_bulk_update [ { "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "reference": "https://attack.mitre.org/tactics/TA0001", "name": "Initial Access" }, "technique": [ { "id": "T1193", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1193" } ] } ], "rule_id": "process_started_by_ms_office_program_possible_payload" }, { "name": "New name", "id": "56b22b65-173e-4a5b-b27a-82599cb1433e" } ]
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON array containing the updated rules.