IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Tags endpoint Export rules »
Elastic Docs Elastic Security Solution [7.15] Elastic Security APIs Detections API

Import rules

edit

Import rules

edit

This API supports Token-based authentication only.

Imports rules from an ndjson file.

The Kibana Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Console.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/rules/_import

The request must include:

  • The Content-Type: multipart/form-data HTTP header.
  • A link to the ndjson file containing the rules.

For example, using cURL:

curl -X POST "<KibanaURL>/api/detection_engine/rules/_import"
-u <username>:<password> -H 'kbn-xsrf: true'
-H 'Content-Type: multipart/form-data'
--form "file=@<link to file>"

The relative link to the ndjson file containing the rules.

URL query parameters

edit
Name Type Description Required

overwrite

Boolean

Determines whether existing rules with the same rule_id are overwritten.

No, defaults to false.

Example request

edit

Imports the rules in the detection_rules.ndjson file and overwrites existing rules with the same rule_id values:

curl -X POST "api/detection_engine/rules/_import?overwrite=true"
-H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data'
--form "file=@detection_rules.ndjson"

Response code

edit
200
Indicates a successful call.
« Tags endpoint Export rules »