Automating Rule Creation for Kibana

I use curl to create the rule:

curl -k -X POST "https://192.168.10.131:5601/api/detection_engine/rules/_bulk_action" \
  -H "Authorization: ApiKey ZXkzRElwQUJnYW9Td2d5emFZVkQ6a0w3N1BXdVlUQTZHakRmU2RRVXBYdw==" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -d '{"rule_id":"process_started_by_ms_office_program_possible_payload","risk_score":50,"description":"Process started by MS Office program","interval":"5m","name":"MS Office child process","severity":"low","tags":["child process","ms office"],"type":"query","from":"now-6m","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","language":"kuery","filters":[{"query":{"match":{"event.action":{"query":"Process Create (rule: ProcessCreate)","type":"phrase"}}}}],"enabled":false},{"name":"Second bulk rule","description":"Query with a rule_id for referencing an external id","rule_id":"query-rule-id-2","risk_score":2,"severity":"low","type":"query","from":"now-6m","query":"user.name: root or user.name: admin"}'

I get the following error:

{"statusCode":400,"error":"Bad Request","message":"[request body]: action: Invalid literal value, expected \"delete\", action: Invalid literal value, expected \"disable\", action: Invalid literal value, expected \"enable\", action: Invalid literal value, expected \"export\", action: Invalid literal value, expected \"duplicate\", and 2 more"}
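The error quoted above is the schema of the _bulk_action endpoint rejecting a body that has no "action" field: that endpoint performs an action (enable, disable, delete, duplicate, export, ...) on rules that already exist, selected by a KQL query over the saved-object attributes or by an "ids" list. Creating several rules at once is done against /api/detection_engine/rules/_bulk_create, whose body is a JSON array of rule objects (a single rule goes to POST /api/detection_engine/rules). The script below is an added example, not code from the post or from Elastic: it reuses the two rule definitions from the post, the host and API key are placeholders read from the environment, and the tag query used to enable the rules afterwards is an assumption about how you would select them.

```shell
#!/bin/sh
# Added example (not from the original post). Host and key are placeholders;
# override with KIBANA_URL and KIBANA_API_KEY in the environment.
KIBANA_URL="${KIBANA_URL:-https://192.168.10.131:5601}"
KIBANA_API_KEY="${KIBANA_API_KEY:-REPLACE_WITH_BASE64_API_KEY}"

# Body for POST /api/detection_engine/rules/_bulk_create: a JSON *array*
# of rule objects (the two rules from the post, wrapped in [ ... ]).
bulk_create_body() {
  cat <<'EOF'
[
  {
    "rule_id": "process_started_by_ms_office_program_possible_payload",
    "name": "MS Office child process",
    "description": "Process started by MS Office program",
    "type": "query",
    "language": "kuery",
    "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
    "filters": [{"query": {"match": {"event.action": {"query": "Process Create (rule: ProcessCreate)", "type": "phrase"}}}}],
    "risk_score": 50,
    "severity": "low",
    "tags": ["child process", "ms office"],
    "interval": "5m",
    "from": "now-6m",
    "enabled": false
  },
  {
    "rule_id": "query-rule-id-2",
    "name": "Second bulk rule",
    "description": "Query with a rule_id for referencing an external id",
    "type": "query",
    "query": "user.name: root or user.name: admin",
    "risk_score": 2,
    "severity": "low",
    "from": "now-6m"
  }
]
EOF
}

# Body for POST /api/detection_engine/rules/_bulk_action: an object whose
# "action" is one of the literals named in the 400 response, plus a KQL
# query over saved-object attributes that selects the rules to act on.
bulk_action_body() {
  action="$1"   # enable | disable | delete | duplicate | export
  kql="$2"      # e.g. alert.attributes.tags: "ms office"  (assumed selector)
  escaped="$(printf '%s' "$kql" | sed 's/"/\\"/g')"
  printf '{"action":"%s","query":"%s"}\n' "$action" "$escaped"
}

# POST a JSON body (read from stdin) to a Kibana path. -k is kept from the
# original command for a self-signed certificate; drop it once the cert is trusted.
kibana_post() {
  path="$1"
  curl -k -sS -X POST "$KIBANA_URL$path" \
    -H "Authorization: ApiKey $KIBANA_API_KEY" \
    -H "kbn-xsrf: true" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

main() {
  # 1. create both rules with an array body
  bulk_create_body | kibana_post /api/detection_engine/rules/_bulk_create
  # 2. then enable every rule tagged "ms office" with an action body
  bulk_action_body enable 'alert.attributes.tags: "ms office"' \
    | kibana_post /api/detection_engine/rules/_bulk_action
}

# Only touch the network when invoked as: sh create_rules.sh run
if [ "${1:-}" = run ]; then
  main
fi
```

Rules created this way land disabled unless "enabled": true is set, which is why the second step exists; the same _bulk_action body shape with "action":"delete" removes them again when testing.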
