The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

› › ›

Prebuilt rules

The prepackaged endpoint is for retrieving rule statuses and loading Elastic prebuilt detection rules.

Loads and updates Elastic prebuilt rules.

By default, all loaded prebuilt rules are disabled.

PUT <kibana host>:<port>/api/detection_engine/rules/prepackaged

PUT api/detection_engine/rules/prepackaged

A JSON object listing the number of loaded and updated prebuilt rules.

Example response:

{
  "rules_installed": 112,
  "rules_updated": 0
}

Returns rule statuses.

GET <kibana host>:<port>/api/detection_engine/rules/prepackaged/_status

GET api/detection_engine/rules/prepackaged/_status

A JSON object listing rule statuses.

Example response:

{
  "rules_custom_installed": 0,
  "rules_installed": 0,
  "rules_not_installed": 112,
  "rules_not_updated": 0
}