Import detection rules | Kibana Serverless API

Import detection rules Beta

POST /api/detection_engine/rules/_import

Import detection rules from an .ndjson file, including actions and exception lists. The request must include:

The Content-Type: multipart/form-data HTTP header.
A link to the .ndjson file containing the rules.

Query parameters

overwrite boolean

Determines whether existing rules with the same rule_id are overwritten.

Default value is false.
overwrite_exceptions boolean

Determines whether existing exception lists with the same list_id are overwritten.

Default value is false.
overwrite_action_connectors boolean

Determines whether existing actions with the same kibana.alert.rule.actions.id are overwritten.

Default value is false.
as_new_list boolean

Generates a new list ID for each imported exception list.

Default value is false.

multipart/form-data; Elastic-Api-Version=2023-10-31

Body Required

file string(binary)

The .ndjson file containing the rules.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attributes Show response attributes object
- action_connectors_errors array[object] Required
  
  Hide action_connectors_errors attributes Show action_connectors_errors attributes object
  
  error object Required
  
  Additional properties are allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code integer Required
  
  Minimum value is 400.
  
  id string
  
  item_id string
  
  Minimum length is 1.
  
  list_id string
  
  Minimum length is 1.
  
  rule_id string
  
  Could be any string, not necessarily a UUID
- action_connectors_success boolean Required
- action_connectors_success_count integer Required
  
  Minimum value is 0.
- action_connectors_warnings array[object] Required
  
  Hide action_connectors_warnings attributes Show action_connectors_warnings attributes object
  
  actionPath string Required
  
  buttonLabel string
  
  message string Required
  
  type string Required
- errors array[object] Required
  
  Hide errors attributes Show errors attributes object
  
  error object Required
  
  Additional properties are allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code integer Required
  
  Minimum value is 400.
  
  id string
  
  item_id string
  
  Minimum length is 1.
  
  list_id string
  
  Minimum length is 1.
  
  rule_id string
  
  Could be any string, not necessarily a UUID
- exceptions_errors array[object] Required
  
  Hide exceptions_errors attributes Show exceptions_errors attributes object
  
  error object Required
  
  Additional properties are allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  status_code integer Required
  
  Minimum value is 400.
  
  id string
  
  item_id string
  
  Minimum length is 1.
  
  list_id string
  
  Minimum length is 1.
  
  rule_id string
  
  Could be any string, not necessarily a UUID
- exceptions_success boolean Required
- exceptions_success_count integer Required
  
  Minimum value is 0.
- rules_count integer Required
  
  Minimum value is 0.
- success boolean Required
- success_count integer Required
  
  Minimum value is 0.

POST /api/detection_engine/rules/_import

curl \
 -X POST https://localhost:5601/api/detection_engine/rules/_import \
 -H "Content-Type: multipart/form-data; Elastic-Api-Version=2023-10-31"

Response examples (200)

{
  "action_connectors_errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "action_connectors_success": true,
  "action_connectors_success_count": 42,
  "action_connectors_warnings": [
    {
      "actionPath": "string",
      "buttonLabel": "string",
      "message": "string",
      "type": "string"
    }
  ],
  "errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "exceptions_errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "exceptions_success": true,
  "exceptions_success_count": 42,
  "rules_count": 42,
  "success": true,
  "success_count": 42
}