
fix: Change bulk rule actions by updating deprecated rule_ids to ids #5711

Open
IOITI wants to merge 2 commits into elastic:main from IOITI:patch-1

Conversation

IOITI commented Feb 10, 2026

Pull Request

Issue link(s): N/A

Summary - What I changed

Kibana’s bulk action API for detection rules has changed: the rule_ids field is no longer valid and has been replaced by ids.

Without this update, any bulk action request using rule IDs is interpreted as targeting all rules, which can unintentionally delete or disable the entire rule set instead of just the intended subset.

This update ensures bulk actions correctly apply only to the specified rule IDs.

How To Test

from kibana import RuleResource

# Fetch every rule visible to the configured Kibana connection.
custom_rules = list(RuleResource.find())

# Collect the Kibana object ids (the `id` field, not `rule_id`) of those rules,
# skipping any entry that has no id.
rule_ids = [
    rule["id"]
    for rule in custom_rules
    if rule.get("id")
]

# Pick a small subset so the bulk delete only touches two rules.
kibana_ids_to_delete = rule_ids[:2]

# With the fix, only these two ids are deleted; before the fix the request
# was interpreted as targeting all rules.
RuleResource.bulk_delete(rule_ids=kibana_ids_to_delete)

Checklist

  • Automated testing was updated or added to match the most common scenarios --> N/A
  • Documentation and comments were added for features that require explanation --> N/A

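To make the failure mode described in the summary concrete, here is an added example (not code from the PR or from the detection-rules kibana library). It models two things: a client-side builder that always emits the current `ids` field and refuses to produce an unscoped destructive body, and a constructed stand-in for Kibana's handling of the bulk-action body that reproduces the behaviour the PR describes (a body without `ids` or `query` applies to every rule). The endpoint path, the `VALID_ACTIONS` set, the `SAMPLE_RULES` catalogue and the substring matching used for `query` are assumptions of this example, not facts stated on the page.

```python
"""Client-side guard for Kibana detection-rule bulk actions (added example).

``simulate_bulk_action`` is a constructed stand-in for the server so the
example runs offline; it mirrors the PR's description that only ``ids`` (or
``query``) scope a bulk action, and that the retired ``rule_ids`` key is
simply ignored, which makes the action fall through to every rule.
"""
from typing import Any, Dict, Iterable, List, Optional

# Assumed endpoint path; the PR itself does not name it.
BULK_ACTION_URL = "/api/detection_engine/rules/_bulk_action"
# Assumed set of supported actions for this example.
VALID_ACTIONS = {"enable", "disable", "delete", "duplicate", "export"}

# Constructed rule catalogue standing in for the rules saved in Kibana.
SAMPLE_RULES: Dict[str, Dict[str, Any]] = {
    "rule-0001": {"name": "Suspicious PowerShell download", "enabled": True},
    "rule-0002": {"name": "New admin user created", "enabled": True},
    "rule-0003": {"name": "DNS tunnelling heuristic", "enabled": False},
    "rule-0004": {"name": "Customer X custom rule", "enabled": True},
}


class UnscopedBulkActionError(ValueError):
    """Raised when a bulk action body would apply to every rule."""


def build_bulk_action(action: str,
                      ids: Optional[Iterable[str]] = None,
                      query: Optional[str] = None) -> Dict[str, Any]:
    """Build a bulk-action body that uses the current ``ids`` field.

    Refuses to build a body that selects nothing explicitly: an unscoped
    ``delete`` or ``disable`` is exactly the accident the PR fixes.
    """
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown bulk action: {action!r}")
    body: Dict[str, Any] = {"action": action}
    if ids is not None:
        id_list = [i for i in ids if i]  # drop None / empty strings
        if not id_list:
            raise UnscopedBulkActionError("ids given but empty; refusing")
        body["ids"] = id_list
    if query is not None:
        body["query"] = query
    if "ids" not in body and "query" not in body:
        raise UnscopedBulkActionError(
            f"bulk {action} with neither ids nor query would hit ALL rules")
    return body


def simulate_bulk_action(body: Dict[str, Any],
                         catalog: Dict[str, Dict[str, Any]] = SAMPLE_RULES
                         ) -> List[str]:
    """Constructed stand-in for the server: return the ids the body affects.

    Any key other than ``ids``/``query`` (including ``rule_ids``) is ignored,
    so a body carrying only ``rule_ids`` is treated as unscoped.
    """
    if "ids" in body:
        return [rid for rid in body["ids"] if rid in catalog]
    if "query" in body:
        # Assumed approximation of query matching: substring on the rule name.
        needle = body["query"].lower()
        return [rid for rid, r in catalog.items()
                if needle in r["name"].lower()]
    return list(catalog)  # unscoped: every rule is affected


def affected_by_legacy_request(ids: Iterable[str]) -> List[str]:
    """What the pre-fix client effectively sent: ``rule_ids`` instead of ``ids``."""
    legacy_body = {"action": "delete", "rule_ids": list(ids)}
    return simulate_bulk_action(legacy_body)


def affected_by_fixed_request(ids: Iterable[str]) -> List[str]:
    """What the fixed client sends: a body scoped by ``ids``."""
    return simulate_bulk_action(build_bulk_action("delete", ids=ids))


if __name__ == "__main__":
    subset = ["rule-0001", "rule-0002"]
    print("legacy body affects:", affected_by_legacy_request(subset))
    print("fixed body affects: ", affected_by_fixed_request(subset))
```

The guard in `build_bulk_action` is the part worth keeping in a real client: whatever field name the server expects, a destructive bulk action should never leave the client without an explicit `ids` list or `query`, so a renamed field fails loudly instead of silently widening to the whole rule set.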
eric-forte-elastic (Contributor) commented

I expect there will need to be more updates than just what is currently in the PR. We may also need to change the ndjson payload handling as well 🤔

eric-forte-elastic (Contributor) commented

Just for reference for reviewers, this is an update request for the kibana library in this repo, for a function we provide as part of the library.

This function is not used in any DaC workflows, etc.; that path has already been updated to the rule_ids route. The primary consideration for this PR is whether we should keep unused commands up to date or remove them.

DaC path uses (ref)

response = Kibana.current().post(url, params=params, data=rule_ids, raw=True)

IOITI (Author) commented Mar 20, 2026

@eric-forte-elastic As community testimony, we use many of these class methods inside our internal MSSP DaC tool.

graph LR
    user@{ label: "👨‍💻 SOC Analyst", shape: stadium}
    cicd@{ label: "⚙️ CI/CD", shape: stadium }
    user -. "interacts with frequently" ..-> UI
    subgraph "MSSP DaC System"
        UI["UI<br/>(React + Elastic UI)"]
        API["API<br/>(FastAPI)"]
        CLI["CLI<br/>(Python Click / library)"]
    end
    cicd -. "interacts for validation and deployment" .-> CLI
    
    subgraph "Elastic library"
        DR["detection-rules<br/>(Python library)"]
    end
    user -. "interacts with to export rules from Kibana" .-> DR
    UI -- "/api/*" --> API
    API <-- "reads / writes" --> REPO["Git Repository<br/>rules · customers_dac · custom_rules"]
    CLI <-- "reads / writes" --> REPO
    CLI -- "ask validation / upload / import ..." --> DR
    DR -- "reads / writes" --> REPO
    API -- "delegates" --> CLI
    DR -- "Kibana REST" --> KIBANA["Kibana"]

(the tool will be presented in a demo to @approksiu on 03/26/2026, if you're interested)

And we did the cleaning of Kibana with this method call:

RuleResource.bulk_delete(rule_ids=kibana_ids_to_delete)

For us, it's very useful to have this code part maintained by your team; it's literally a "trust the editor".

Maybe Kibana will have an official Python library in the future?

eric-forte-elastic (Contributor) commented Mar 20, 2026

Thanks for the detailed diagram @IOITI! If it is used by the community (clearly based on your input it is), then I absolutely agree we should maintain these.

Will review/approve this shortly and create a broader issue to track making other updates as needed to these functions (I think there are a few other things we may want to do as well).
