Delete Rule
Permanently delete a detection rule.
Endpoint
Authentication
Requires a JWT token with the Admin role.
Only Admins can delete rules. Analysts can undeploy but not delete.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
| id | string | Rule UUID |
Example Request
```bash
curl -X DELETE \
  -H "Authorization: Bearer eyJ..." \
  -H "X-CSRF-Token: abc123..." \
  https://chad.example.com/api/rules/abc-123
```
Response
No response body on success.
What Gets Deleted
- Rule record
- All version history
- Associated exceptions
- Percolator (if deployed)
What’s Preserved
- Alert history (alerts reference the rule but persist)
- Audit log entries
Error Responses
404 Not Found
```json
{
  "detail": "Rule not found"
}
```
403 Forbidden
```json
{
  "detail": "Admin role required"
}
```
401 Unauthorized
```json
{
  "detail": "Could not validate credentials"
}
```
Alternative: Undeploy
Instead of deleting, consider undeploying:
```http
POST /api/rules/abc-123/undeploy
```
This preserves the rule for future use.
Bulk Delete
Delete multiple rules:
```http
POST /api/rules/bulk/delete
Content-Type: application/json

{
  "ids": ["abc-123", "def-456"]
}
```
Response:
```json
{
  "deleted": 2,
  "failed": []
}
```
Code Examples
Python
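```python
import requests

# Placeholders: substitute your own deployment URL and credentials.
BASE_URL = "https://chad.example.com"
JWT_TOKEN = "eyJ..."
csrf_token = "abc123..."

response = requests.delete(
    f"{BASE_URL}/api/rules/abc-123",
    headers={
        "Authorization": f"Bearer {JWT_TOKEN}",
        "X-CSRF-Token": csrf_token,
    },
    timeout=10,  # do not hang indefinitely on an unresponsive server
)

# 204 means the rule was deleted; the response has no body.
if response.status_code == 204:
    print("Rule deleted successfully")
elif response.status_code == 404:
    print("Rule not found")
elif response.status_code == 403:
    print("Admin role required")
```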
JavaScript
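```javascript
// Placeholders: substitute your own credentials.
const jwtToken = 'eyJ...';
const csrfToken = 'abc123...';

// Top-level await requires an ES module (or wrap this in an async function).
const response = await fetch(
  'https://chad.example.com/api/rules/abc-123',
  {
    method: 'DELETE',
    headers: {
      'Authorization': `Bearer ${jwtToken}`,
      'X-CSRF-Token': csrfToken
    }
  }
);

// 204 means the rule was deleted; the response has no body.
if (response.status === 204) {
  console.log('Rule deleted');
} else {
  // Error responses carry a JSON body with a "detail" message.
  const error = await response.json();
  console.error(error.detail);
}
```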
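Guarded client

Because deletion also removes version history and exceptions, a client can default to the undeploy alternative and refuse to treat a partial bulk delete as success. The wrapper below is an added example, not part of the original documentation or the project's own client code. The names `retire_rule`, `bulk_delete`, `RuleApiError` and `http_send` are hypothetical, and it assumes that undeploy and bulk delete return a 2xx status on success and that `failed` lists the rules the server could not delete.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

BASE_URL = "https://chad.example.com"  # host used in the page's examples

class RuleApiError(Exception):
    def __init__(self, status, detail):
        super().__init__(f"{status}: {detail}")
        self.status, self.detail = status, detail

def http_send(method, path, headers, body=None):
    """Default transport (stdlib only): returns (status, parsed JSON or None)."""
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers = {**headers, "Content-Type": "application/json"}
    req = urllib.request.Request(BASE_URL + path, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 401 / 403 / 404 arrive here
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else None)

def _check(status, body):
    """Raise on any error status, surfacing the API's "detail" message."""
    if status >= 400:
        raise RuleApiError(status, (body or {}).get("detail", "unexpected error"))

def retire_rule(rule_id, headers, permanent=False, send=http_send):
    """Undeploy by default; delete only when permanent=True is explicit."""
    # Percent-encode the id so it can never add path segments to the URL.
    path = "/api/rules/" + quote(rule_id, safe="")
    if permanent:
        status, body = send("DELETE", path, headers)
    else:
        status, body = send("POST", path + "/undeploy", headers)
    _check(status, body)
    return "deleted" if permanent else "undeployed"

def bulk_delete(ids, headers, send=http_send):
    """Bulk delete that refuses to treat a partial result as success."""
    status, body = send("POST", "/api/rules/bulk/delete", headers, {"ids": list(ids)})
    _check(status, body)
    failed = (body or {}).get("failed", [])  # assumed: rules that were not deleted
    if failed:
        raise RuleApiError(status, f"not deleted: {failed}")
    return (body or {}).get("deleted", 0)
```

Pass the same `Authorization` and `X-CSRF-Token` headers as in the examples above; the `send` parameter lets the transport be replaced for testing.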