Create an API key in Kibana under Stack Management > API Keys and send it on every request in the Authorization: ApiKey YOUR_API_KEY header, alongside the x-elastic-product-origin header.
List existing rules with GET {kibana-url}/api/detection_engine/rules/_find to audit current coverage before making changes.
Create a new rule with POST {kibana-url}/api/detection_engine/rules, supplying a JSON body with fields including type (query, eql, threshold, etc.), index, query, severity, risk_score, name, and enabled.
Bulk-import rules from an ndjson file (exported from the Elastic detection-rules GitHub repo) via POST {kibana-url}/api/detection_engine/rules/_import with Content-Type: multipart/form-data.
Enable or disable rules in bulk using POST {kibana-url}/api/detection_engine/rules/_bulk_action with a body containing action: enable or disable and a list of rule IDs.
Known gotchas
The rule's id field is server-generated and cannot be set at creation time; use rule_id (a stable custom string you supply) to reliably reference rules across environments.
Importing rules with overwrite: false will silently skip existing rule_ids; set overwrite: true only after confirming you want to replace existing tuning.
The Detections API endpoint prefix changed in Elastic 8.x from /api/detection_engine to paths documented under the Kibana API group; verify your cluster version against the current docs.
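An added example, not code from the page or from Elastic: a small Python helper that builds the create, bulk-action and import calls described above and, for the overwrite: false gotcha, preflights an ndjson export against the rule_ids that _find already returned, so you see which rules would be silently skipped before importing. The kbn-xsrf header, the ids key in the bulk body, the placeholder header value and the sample rules are assumptions; requests are returned as dicts rather than sent.

```python
import json

# Fields the page lists for a rule create body; checked before the request is built.
REQUIRED_FIELDS = ("type", "index", "query", "severity", "risk_score", "name", "enabled")

def headers(api_key):
    """Headers from the page plus kbn-xsrf, which Kibana expects on non-GET calls (assumed)."""
    return {"Authorization": f"ApiKey {api_key}",
            "x-elastic-product-origin": "PLACEHOLDER",  # value not given on the page
            "kbn-xsrf": "true",
            "Content-Type": "application/json"}

def create_rule_request(kibana_url, rule):
    """POST /api/detection_engine/rules; refuse bodies missing listed fields or a rule_id."""
    missing = [f for f in REQUIRED_FIELDS if f not in rule]
    if missing:
        raise ValueError(f"rule body missing {missing}")
    if "rule_id" not in rule:  # 'id' is server-assigned; rule_id is the stable handle you choose
        raise ValueError("supply a rule_id so the rule can be referenced across environments")
    return {"method": "POST", "url": f"{kibana_url}/api/detection_engine/rules", "json": rule}

def bulk_action_request(kibana_url, action, rule_ids):
    """POST .../rules/_bulk_action with action enable|disable; the 'ids' key is assumed."""
    if action not in ("enable", "disable"):
        raise ValueError(f"unsupported bulk action {action!r}")
    return {"method": "POST", "url": f"{kibana_url}/api/detection_engine/rules/_bulk_action",
            "json": {"action": action, "ids": list(rule_ids)}}

def import_preflight(ndjson_text, existing_rule_ids):
    """Split an export into rule_ids that _import would create vs silently skip (overwrite: false)."""
    new, skipped = [], []
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        doc = json.loads(line)
        if "rule_id" not in doc:  # export summary lines carry no rule_id
            continue
        (skipped if doc["rule_id"] in existing_rule_ids else new).append(doc["rule_id"])
    return {"new": new, "skipped": skipped}

# Constructed sample: a two-rule export plus the rule_ids _find already returned for the cluster.
SAMPLE_EXPORT = "\n".join(json.dumps(d) for d in [
    {"rule_id": "example-ssh-bruteforce", "name": "SSH brute force", "type": "threshold"},
    {"rule_id": "example-new-rule", "name": "New rule", "type": "query"},
    {"exported_count": 2, "missing_rules": []},
])
EXISTING_RULE_IDS = {"example-ssh-bruteforce"}
```

Run import_preflight on the real export and the rule_ids from _find first; only when the skipped list is empty or reviewed should overwrite: true be sent.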