The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.
« Tags endpoint Export rules »
Elastic Docs Elastic Security Solution [7.9] Elastic Security APIs Detections API

Import rules

edit

Import rules

edit

Imports rules from an ndjson file.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/rules/_import

The request must include:

  • The Content-Type: multipart/form-data HTTP header.
  • A link to the ndjson file containing the rules.

For example, using cURL:

curl -X POST "<KibanaURL>/api/detection_engine/rules/_import"
-u <username>:<password> -H 'kbn-xsrf: true'
-H 'Content-Type: multipart/form-data'
--form "file=@<link to file>"

The relative link to the ndjson file containing the rules.

URL query parameters

edit
Name Type Description Required

overwrite

Boolean

Determines whether existing rules with the same rule_id are overwritten.

No, defaults to false.

Example request

edit

Imports the rules in the detection_rules.ndjson file and overwrites existing rules with the same rule_id values:

curl -X POST "api/detection_engine/rules/_import?overwrite=true"
-H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data'
--form "file=@detection_rules.ndjson"

Response code

edit
200
Indicates a successful call.
« Tags endpoint Export rules »