Import detection rules
Import detection rules from an .ndjson file, including actions and exception lists. The request must include:
- The Content-Type: multipart/form-data HTTP header.
- A link to the .ndjson file containing the rules.
Query parameters
- overwrite (boolean): Determines whether existing rules with the same rule_id are overwritten. Default value is false.
- overwrite_exceptions (boolean): Determines whether existing exception lists with the same list_id are overwritten. Default value is false.
- overwrite_action_connectors (boolean): Determines whether existing actions with the same kibana.alert.rule.actions.id are overwritten. Default value is false.
- as_new_list (boolean): Generates a new list ID for each imported exception list. Default value is false.
POST /api/detection_engine/rules/_import
curl \
  -X POST https://localhost:5601/api/detection_engine/rules/_import \
  -H "Content-Type: multipart/form-data; Elastic-Api-Version=2023-10-31"
Response examples (200)
{
  "action_connectors_errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "action_connectors_success": true,
  "action_connectors_success_count": 42,
  "action_connectors_warnings": [
    {
      "actionPath": "string",
      "buttonLabel": "string",
      "message": "string",
      "type": "string"
    }
  ],
  "errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "exceptions_errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "exceptions_success": true,
  "exceptions_success_count": 42,
  "rules_count": 42,
  "success": true,
  "success_count": 42
}
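A 200 response can still carry per-object failures in errors, exceptions_errors and action_connectors_errors, so a rule-deployment pipeline should gate on the response body rather than on the status code. The Python below is an added example, not part of the Elastic documentation: the helper names and the sample response are constructed here, and treating success_count != rules_count as a failure is an assumption about how strict the gate should be.

```python
import json
from urllib.parse import urlencode

# Added example: helper names are hypothetical, not part of any Elastic client.
IMPORT_PATH = "/api/detection_engine/rules/_import"
# The four query parameters on this page; each defaults to false.
DEFAULTS = dict.fromkeys(
    ("overwrite", "overwrite_exceptions", "overwrite_action_connectors", "as_new_list"), False)

def build_import_url(base_url, **flags):
    """Return the import URL, sending only flags that differ from the defaults."""
    unknown = set(flags) - set(DEFAULTS)
    if unknown:
        raise ValueError(f"unknown query parameter(s): {sorted(unknown)}")
    changed = {k: str(v).lower() for k, v in flags.items() if v != DEFAULTS[k]}
    return base_url.rstrip("/") + IMPORT_PATH + (f"?{urlencode(changed)}" if changed else "")

def triage_import_response(body):
    """Return (ok, failures) for a parsed 200 response body from the import endpoint."""
    failures = []
    for section in ("errors", "exceptions_errors", "action_connectors_errors"):
        for item in body.get(section, []):
            err = item.get("error", {})
            # An entry identifies its object through whichever of these ids is set.
            ids = [f"{k}={item[k]}" for k in ("rule_id", "list_id", "item_id", "id") if item.get(k)]
            failures.append(f"{section}: {', '.join(ids) or 'unknown'}: "
                            f"{err.get('status_code')} {err.get('message')}")
    ok = (
        not failures
        and all(body.get(k) is True
                for k in ("success", "exceptions_success", "action_connectors_success"))
        # Assumption: a gate should also fail when fewer rules landed than were sent.
        and body.get("success_count") == body.get("rules_count")
    )
    return ok, failures

# Constructed sample response: one of two rules was rejected.
SAMPLE = json.loads("""{
  "success": false, "success_count": 1, "rules_count": 2,
  "errors": [{"rule_id": "example-rule-2",
              "error": {"status_code": 409, "message": "constructed sample message"}}],
  "exceptions_success": true, "exceptions_success_count": 0, "exceptions_errors": [],
  "action_connectors_success": true, "action_connectors_success_count": 0,
  "action_connectors_errors": [], "action_connectors_warnings": []
}""")

if __name__ == "__main__":
    print(build_import_url("https://localhost:5601", overwrite=True))
    print(triage_import_response(SAMPLE))
```

Entries in action_connectors_warnings are not counted as failures here; a stricter pipeline could surface them separately.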