The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

› › ›

Prebuilt rules

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Prebuilt rules

edit

The prepackaged endpoint is for retrieving rule statuses and loading Elastic prebuilt detection rules.

Load prebuilt rules

edit

Loads and updates Elastic prebuilt rules.

By default, all loaded prebuilt rules are disabled.

Request URL

edit

PUT <kibana host>:<port>/api/detection_engine/rules/prepackaged

Example request

edit

PUT api/detection_engine/rules/prepackaged

Copy as curl

Response code

edit

200: Indicates a successful call.

Response payload

edit

A JSON object listing the number of loaded and updated prebuilt rules.

Example response:

{
  "rules_installed": 112,
  "rules_updated": 0
}

Get rule status

edit

Returns rule statuses.

Request URL

edit

GET <kibana host>:<port>/api/detection_engine/rules/prepackaged/_status

Example request

edit

GET api/detection_engine/rules/prepackaged/_status

Copy as curl

Response code

edit

200: Indicates a successful call.

Response payload

edit

A JSON object listing rule statuses.

Example response:

{
  "rules_custom_installed": 0,
  "rules_installed": 0,
  "rules_not_installed": 112,
  "rules_not_updated": 0
}

« Signals endpoint Exceptions API »

Was this helpful?

Feedback

The Search AI Company

ELK Stack

Elastic Cloud

Generative AI

Search

Security

Observability

By solution

Industries

Customer spotlight

Research

Build

Learn

Connect

Prebuilt rules

Prebuilt rules

Load prebuilt rules

Request URL

Example request

Response code

Response payload

Get rule status

Request URL

Example request

Response code

Response payload

Follow us

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards

About us

Join us

Partners

Trust & Security

Investor relations

Excellence Awards