Import rules

Imports rules from an .ndjson file.

Console supports Elasticsearch APIs only. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests. Please also note this API supports Token-based authentication only.

You need at least Read privileges for the Action and Connectors feature to import rules with actions. If you’re importing rules without actions, Action and Connectors feature privileges are not required. Refer to Enable and access detections for more information.

Detection rule actions are included in the exported file, but the connectors used by the actions are not included.

Use the Saved Objects UI in Kibana (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any connectors used by your detection rule actions before you export and import the detection rules.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/rules/_import

The request must include:

The Content-Type: multipart/form-data HTTP header.
A link to the .ndjson file containing the rules.

For example, using cURL:

curl -X POST "<KibanaURL>/api/detection_engine/rules/_import"
-u <username>:<password> -H 'kbn-xsrf: true'
-H 'Content-Type: multipart/form-data'
--form "file=@<link to file>"

The relative link to the .ndjson file containing the rules.

URL query parameters

edit

Name	Type	Description	Required
`overwrite`	Boolean	Determines whether existing rules with the same `rule_id` are overwritten.	No, defaults to `false`.

Example request

edit

Imports the rules in the detection_rules.ndjson file and overwrites existing rules with the same rule_id values:

curl -X POST "api/detection_engine/rules/_import?overwrite=true"
-H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data'
--form "file=@detection_rules.ndjson"

Response code

edit

200: Indicates a successful call.

« Tags endpoint Export rules »