Import rules
editImport rules
editImports rules from an .ndjson
file. The following configuration items are also included in the .ndjson
file:
- Actions
- Exception lists
When used with API key authentication, the user’s key gets assigned to the affected rules. If the user’s key gets deleted or the user becomes inactive, the rules will stop running.
If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
You need at least Read
privileges for the Action and Connectors
feature to import rules with actions. If you’re importing rules without actions, Action and Connectors
feature privileges are not required. Refer to Enable and access detections for more information.
Although detection rule actions are included in the exported file, the connectors used by the actions are not included. Use the Saved Objects UI in Kibana (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before you export and import the detection rules.
Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Upload value lists UI (Detect → Rules → Upload value lists) to export and import value lists separately.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/rules/_import
The request must include:
-
The
Content-Type: multipart/form-data
HTTP header. -
A link to the
.ndjson
file containing the rules.
For example, using cURL:
curl -X POST "<KibanaURL>/api/detection_engine/rules/_import" -u <username>:<password> -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@<link to file>"
URL query parameters
editName | Type | Description | Required |
---|---|---|---|
|
Boolean |
Determines whether existing rules with the same
|
No, defaults to |
|
Boolean |
Determines whether existing exception lists
with the same |
No, defaults to |
Example request
editImports the rules in the detection_rules.ndjson
file and overwrites
existing rules with the same rule_id
values:
curl -X POST "api/detection_engine/rules/_import?overwrite=true" -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@detection_rules.ndjson"