
Security Detection Rule Management
Manage Elastic Kibana detection-engine rules (CRUD, bulk, export/import, preview) from an agent via the documented REST API paths used by rule_manager.py.
Install
npx skills add https://github.com/elastic/agent-skills --skill security-detection-rule-management
What is this skill?
- Maps 11+ Detection Engine operations: _find, CRUD, _bulk_action, _export/_import NDJSON, preview, tags
- Documents GET/POST/PATCH/PUT/DELETE paths for rules identified by uuid or stable rule_id
- Pairs with rule_manager.py for agent-driven rule automation in Elastic stacks
- Supports export/import and bulk actions for rule sets across environments
Adoption & trust: 1k installs on skills.sh; 502 GitHub stars; 3/3 security scanners passed (skills.sh audits).
Common Questions / FAQ
Is Security Detection Rule Management safe to install?
skills.sh reports 3 of 3 security scanners passed. Review the Security Audits panel on this page before installing in production.
SKILL.md - Security Detection Rule Management
# Kibana Detection Engine API Reference

Quick reference for the detection rules and exceptions APIs used by `rule_manager.py`.

## Detection rules

| Operation | Method | Path |
| --------------------- | ------ | ----------------------------------------------------------------- |
| Find / list rules | GET | `/api/detection_engine/rules/_find` |
| Get single rule | GET | `/api/detection_engine/rules?id=<uuid>` or `?rule_id=<stable_id>` |
| Create rule | POST | `/api/detection_engine/rules` |
| Patch rule (partial) | PATCH | `/api/detection_engine/rules` |
| Update rule (full) | PUT | `/api/detection_engine/rules` |
| Delete rule | DELETE | `/api/detection_engine/rules?id=<uuid>` |
| Bulk action | POST | `/api/detection_engine/rules/_bulk_action` |
| Export rules (NDJSON) | POST | `/api/detection_engine/rules/_export` |
| Import rules (NDJSON) | POST | `/api/detection_engine/rules/_import` |
| Preview rule | POST | `/api/detection_engine/rules/preview` |
| Get tags | GET | `/api/detection_engine/tags` |

### Rule types

| `type` value | Language | Description |
| ------------------ | ------------------- | ---------------------------------------------- |
| `query` | `kuery` or `lucene` | Custom KQL / Lucene query |
| `eql` | `eql` | Event Query Language (sequences, joins) |
| `esql` | `esql` | ES\|QL aggregation-based rules |
| `threshold` | `kuery` | Alert when field value count exceeds threshold |
| `machine_learning` | — | Anomaly-based (requires ML job) |
| `threat_match` | `kuery` | Indicator match / threat intel |
| `new_terms` | `kuery` | Alert on previously unseen field values |

### Key create/patch body fields

| Field | Type | Notes |
| --------------------- | -------- | ----------------------------------- |
| `name` | string | Required |
| `description` | string | Required |
| `type` | string | See rule types above |
| `query` | string | Detection query |
| `language` | string | `kuery`, `lucene`, `eql`, `esql` |
| `index` | string[] | Index patterns (not for ES\|QL) |
| `severity` | string | `low`, `medium`, `high`, `critical` |
| `risk_score` | int | 0-100 |
| `interval` | string | e.g. `5m`, `1h` |
| `from` | string | Lookback, e.g. `now-6m` |
| `tags` | string[] | Categorization tags |
| `enabled` | bool | Default `true` |
| `threat` | object[] | MITRE ATT&CK mapping |
| `false_positives` | string[] | Known FP descriptions |
| `note` | string | Investigation guide (markdown) |
| `max_signals` | int | Max alerts per run (default 100) |
| `exceptions_list` | object[] | Attached exception lists |
| `alert_suppression` | object | Suppress duplicate alerts |
| `building_block_type` | string | `"default"` for building blocks |

### MITRE ATT&CK `threat` field struct
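The following is an added example, not `rule_manager.py` and not Elastic's code, showing how the three tables above turn into a small client: it builds request specs for the documented rule paths (find, get by `id` or `rule_id`, create, patch, delete) and validates a create/patch body against the documented constraints (required `name`/`description`, the `language` allowed for each `type`, no `index` for ES|QL rules, the four `severity` values, `risk_score` in 0-100, integer `max_signals`) before anything is sent. It assumes a Kibana base URL and an API key supplied by the caller; the `per_page`/`page` query parameters on `_find` and the `kbn-xsrf` header are Kibana conventions that are not on this page, and the sample rule body is constructed for illustration.

```python
"""Build and validate Kibana Detection Engine requests for the documented rule paths.

Added example; it is not rule_manager.py and not Elastic's code. Only send()
touches the network; every other function returns a plain request spec dict.
"""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

RULES_PATH = "/api/detection_engine/rules"

# Allowed `language` values per rule `type`, from the "Rule types" table.
LANGUAGE_BY_TYPE = {
    "query": {"kuery", "lucene"},
    "eql": {"eql"},
    "esql": {"esql"},
    "threshold": {"kuery"},
    "machine_learning": set(),  # no query language; driven by an ML job
    "threat_match": {"kuery"},
    "new_terms": {"kuery"},
}
SEVERITIES = ("low", "medium", "high", "critical")


def validate_rule_body(body: dict) -> list:
    """Check a create/patch body against the documented field constraints.

    Returns a list of problem strings; an empty list means the body passed.
    """
    problems = []
    for field in ("name", "description"):
        if not body.get(field):
            problems.append(f"missing required field: {field}")
    rule_type = body.get("type")
    if rule_type not in LANGUAGE_BY_TYPE:
        problems.append(f"unknown rule type: {rule_type!r}")
    else:
        allowed = LANGUAGE_BY_TYPE[rule_type]
        if allowed and body.get("language") not in allowed:
            problems.append(f"type {rule_type!r} needs language in {sorted(allowed)}")
        if rule_type == "esql" and "index" in body:
            problems.append("esql rules do not take an index pattern")
    if "severity" in body and body["severity"] not in SEVERITIES:
        problems.append(f"severity must be one of {SEVERITIES}")
    score = body.get("risk_score")
    if score is not None and not (isinstance(score, int) and 0 <= score <= 100):
        problems.append("risk_score must be an integer in 0-100")
    if "max_signals" in body and not isinstance(body["max_signals"], int):
        problems.append("max_signals must be an integer")
    return problems


def _spec(method, base_url, path, api_key, params=None, body=None):
    """Assemble one request: method, full URL, headers and JSON body (or None)."""
    url = base_url.rstrip("/") + path
    if params:
        url += "?" + urlencode(params)
    headers = {
        "Authorization": f"ApiKey {api_key}",
        "kbn-xsrf": "true",  # Kibana requires this header on state-changing calls
        "Content-Type": "application/json",
    }
    return {"method": method, "url": url, "headers": headers,
            "body": None if body is None else json.dumps(body)}


def find_rules(base_url, api_key, per_page=100, page=1):
    """GET .../rules/_find with paging parameters (assumed, not from the table)."""
    return _spec("GET", base_url, RULES_PATH + "/_find", api_key,
                 params={"per_page": per_page, "page": page})


def get_rule(base_url, api_key, rule_id=None, id=None):
    """GET one rule by stable rule_id (portable across stacks) or by uuid id."""
    if (rule_id is None) == (id is None):
        raise ValueError("pass exactly one of rule_id or id")
    params = {"rule_id": rule_id} if rule_id is not None else {"id": id}
    return _spec("GET", base_url, RULES_PATH, api_key, params=params)


def create_rule(base_url, api_key, body):
    """POST a new rule; refuses bodies that fail the documented constraints."""
    problems = validate_rule_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    return _spec("POST", base_url, RULES_PATH, api_key, body=body)


def patch_rule(base_url, api_key, rule_id, changes):
    """PATCH (partial update): the identifier travels in the body with the changes."""
    return _spec("PATCH", base_url, RULES_PATH, api_key, body={"rule_id": rule_id, **changes})


def delete_rule(base_url, api_key, id):
    """DELETE .../rules?id=<uuid>."""
    return _spec("DELETE", base_url, RULES_PATH, api_key, params={"id": id})


def send(spec):
    """Perform a spec built above; the only function here that does network I/O."""
    data = None if spec["body"] is None else spec["body"].encode()
    req = Request(spec["url"], data=data, headers=spec["headers"], method=spec["method"])
    with urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


# Constructed sample body (illustrative values, not from the skill's repository).
SAMPLE_RULE = {
    "name": "Example: process events from endpoint logs",
    "description": "Added example body; disabled so a dry run creates no alerts",
    "type": "query",
    "language": "kuery",
    "query": "event.category:process",
    "index": ["logs-endpoint.events.*"],
    "severity": "medium",
    "risk_score": 47,
    "interval": "5m",
    "from": "now-6m",
    "tags": ["example"],
    "enabled": False,
    "max_signals": 100,
}

if __name__ == "__main__":
    spec = create_rule("https://kibana.example:5601", "REDACTED_API_KEY", SAMPLE_RULE)
    print(spec["method"], spec["url"])  # POST https://kibana.example:5601/api/detection_engine/rules
```

Keeping request construction separate from `send()` lets an agent log or review exactly what it is about to change before it changes it, and `validate_rule_body` rejects the mistakes the tables warn about (an `index` on an ES|QL rule, an out-of-range `risk_score`) locally instead of waiting for a 400 from Kibana.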