The Scenario
Your SOC team has a quarterly security review coming up on Friday. The compliance lead sent a message this morning: she needs a sheet showing every detection rule in Kibana — name, severity, risk score, enabled/disabled status, and tags — so the team can identify coverage gaps before the review meeting.
You open Kibana's Detection Engine. There are 150 rules. The UI lets you filter and sort but has no clean export path that gives you all the fields in a spreadsheet-ready format.
The bad version:
- Screenshot the Detection Engine table, realize it only shows 25 rules per page, and start transcribing manually.
- Try Kibana's rule export and get an NDJSON file (one JSON object per rule) that is designed for re-importing, not for reading by a human.
- Spend 45 minutes trying to flatten severity, risk score, and tag arrays out of that JSON into columns before giving up and asking the platform engineer to write a script.
The platform engineer is fielding three other things this week. The sheet lands on your plate either way.
The Easy Way: One Prompt in SheetXAI
SheetXAI is an AI agent that lives inside your Google Sheet. It calls the Kibana Detection Engine API, structures the output, and writes it to your sheet, with whatever sorting or flagging you need baked in. It needs Kibana credentials to do that, so give it an API key scoped to read-only access to the Security rules: an export agent should be able to list rules, not change them.
Fetch all detection engine rules from Kibana, sorted by risk score descending, and write each rule's name, severity, risk score, enabled status, and tags to this sheet.
What You Get
- Column A: rule name
- Column B: severity (low, medium, high, critical)
- Column C: risk score (0–100)
- Column D: enabled status (true/false)
- Column E: tags as a comma-separated string
- Rows sorted highest risk score first, so the rules that matter most (including any that are disabled) sit at the top of the sheet
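The same export, done directly against the API, for anyone who wants to see what the agent has to do under the hood or to reproduce the sheet from a script. This is an added example, not SheetXAI's or Kibana's own code. It assumes the Detection Engine find endpoint (`GET /api/detection_engine/rules/_find`, paged with `page` and `per_page`, returning `data` and `total`) and an API key; the Kibana URL and key are placeholders, and the rules in `SAMPLE_RULES` are constructed so the flattening and sorting can run offline.

```python
"""Pull every Kibana detection rule and flatten it into spreadsheet rows.

Added example; not SheetXAI or Kibana code. KIBANA_URL and the API key
are placeholders, and SAMPLE_RULES is constructed test data.
"""
import csv
import io
import json
import urllib.request

KIBANA_URL = "https://kibana.example.internal:5601"  # placeholder
PER_PAGE = 100
FIELDS = ["name", "severity", "risk_score", "enabled", "tags"]


def fetch_all_rules(base_url, api_key, per_page=PER_PAGE):
    """Page through /rules/_find until `total` rules have been collected.

    The UI shows a page at a time; the API does too, so a 150-rule
    deployment needs several calls. Sorting happens client-side below
    rather than relying on server-side sort fields.
    """
    rules, page = [], 1
    while True:
        url = (f"{base_url}/api/detection_engine/rules/_find"
               f"?page={page}&per_page={per_page}")
        req = urllib.request.Request(url, headers={
            "Authorization": f"ApiKey {api_key}",
            "kbn-xsrf": "true",
        })
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        rules.extend(body["data"])
        if not body["data"] or len(rules) >= body["total"]:
            return rules
        page += 1


def rule_to_row(rule):
    """Keep only the review columns; tags become one comma-separated cell."""
    return {
        "name": rule.get("name", ""),
        "severity": rule.get("severity", ""),
        "risk_score": int(rule.get("risk_score", 0)),
        "enabled": bool(rule.get("enabled", False)),
        "tags": ", ".join(rule.get("tags") or []),
    }


def rules_to_rows(rules):
    """Flatten and sort highest risk score first (name breaks ties)."""
    rows = [rule_to_row(r) for r in rules]
    rows.sort(key=lambda r: (-r["risk_score"], r["name"]))
    return rows


def rows_to_csv(rows):
    """CSV text with a header row, ready to paste into a sheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample rules shaped like the API's per-rule objects.
SAMPLE_RULES = [
    {"name": "Suspicious PowerShell Download", "severity": "high",
     "risk_score": 73, "enabled": True, "tags": ["Windows", "Execution"]},
    {"name": "Potential Credential Dumping", "severity": "critical",
     "risk_score": 99, "enabled": False, "tags": ["Windows", "Credential Access"]},
    {"name": "Unusual DNS Query Volume", "severity": "medium",
     "risk_score": 47, "enabled": True, "tags": []},
    {"name": "Linux Cron Persistence", "severity": "low",
     "risk_score": 21, "enabled": True, "tags": ["Linux"]},
]

if __name__ == "__main__":
    # Swap SAMPLE_RULES for fetch_all_rules(KIBANA_URL, "<api-key>") to run live.
    print(rows_to_csv(rules_to_rows(SAMPLE_RULES)))
```

Joining tags with a comma mirrors the column layout above; if your tag taxonomy itself contains commas, pick another separator or split tags into their own columns as in the prompt further down.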
What If the Data Is Not Quite Ready
You only need the disabled rules
The compliance lead specifically wants to know which rules have been switched off — and for how long:
List all disabled Kibana detection rules and paste their IDs, names, and last-updated timestamps into this sheet, then add a column E note 'Needs Review' for any rule disabled for more than 30 days.
The tags need to be split into separate columns
Your team's reporting template expects each tag in its own column:
Fetch all Kibana detection rules and write their names, severity, and risk scores to this sheet. For each rule, split the tags field and write the first tag to column D, second to column E, and third to column F, leaving blank if fewer tags exist.
You want rules grouped by severity for an executive summary
The CISO wants a summary view, not a row-per-rule dump:
From the Kibana detection rules already in this sheet, create a summary table in columns H and I showing how many rules exist at each severity level (low, medium, high, critical) and what percentage of all rules each represents.
Pull all rules, flag coverage gaps, and prepare the review sheet in one shot
Fetch all Kibana detection rules, write each rule's name, severity, risk score, enabled status, and tags to this sheet sorted by severity descending, then in column F mark 'Gap' for any severity 'critical' or 'high' rule that is currently disabled, and add a summary row at the bottom counting total rules, enabled rules, and flagged gaps.
The pattern: rather than pulling the data and applying the logic in two separate steps, you fold the conditional flagging into the same prompt. Two things to check in the result before the meeting: severity is a label, not a number, so "sorted by severity descending" should rank critical, high, medium, low rather than sort the words alphabetically (which would put medium first); and a rule's last-updated timestamp moves on any edit, so "disabled for more than 30 days" measured from it is an approximation, not a record of when the rule was switched off.
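The review logic from the prompts above (stale disabled rules, the 'Gap' flag, the per-severity summary, and the ranked severity sort), written out as code so the rules are explicit and checkable. This is an added example, not code from the page or from SheetXAI. It works on the plain row dicts a rule export yields and assumes each row carries the rule's `updated_at` as an ISO-8601 timestamp, as the Detection Engine API returns per rule; the review date, the 30-day threshold, and the rows in `SAMPLE_ROWS` are constructed.

```python
"""Flag and summarise an exported rule inventory for a coverage review.

Added example; not page or SheetXAI code. SAMPLE_ROWS and REVIEW_DATE
are constructed. Rows are dicts with name, severity, risk_score,
enabled and updated_at (ISO-8601, as Kibana reports it).
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Severity is a label: rank it explicitly instead of sorting alphabetically.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SEVERITIES = ["critical", "high", "medium", "low"]


def parse_ts(ts):
    """Kibana emits e.g. '2024-03-01T12:00:00.000Z'; make it tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def sort_by_severity(rows):
    """critical > high > medium > low, then risk score, then name."""
    return sorted(rows, key=lambda r: (-SEVERITY_RANK.get(r["severity"], 0),
                                       -int(r.get("risk_score", 0)),
                                       r["name"]))


def stale_disabled(rows, now, days=30):
    """Names of disabled rules whose last update is older than `days`.

    updated_at changes on any edit, so this approximates 'disabled for
    more than N days'; treat it as a list to investigate, not a verdict.
    """
    cutoff = now - timedelta(days=days)
    return [r["name"] for r in rows
            if not r["enabled"] and parse_ts(r["updated_at"]) < cutoff]


def is_gap(row):
    """A coverage gap: a critical or high rule that is currently disabled."""
    return (not row["enabled"]) and row["severity"] in ("critical", "high")


def severity_summary(rows):
    """{severity: (count, percent_of_all_rules)} for the executive table."""
    counts = Counter(r["severity"] for r in rows)
    total = len(rows)
    return {sev: (counts.get(sev, 0),
                  round(100 * counts.get(sev, 0) / total, 1) if total else 0.0)
            for sev in SEVERITIES}


def review(rows, now):
    """Ranked rows with a 'Gap' flag plus the summary-row totals."""
    ordered = sort_by_severity(rows)
    for r in ordered:
        r["flag"] = "Gap" if is_gap(r) else ""
    return {
        "rows": ordered,
        "total": len(rows),
        "enabled": sum(1 for r in rows if r["enabled"]),
        "gaps": sum(1 for r in ordered if r["flag"] == "Gap"),
        "stale_disabled": stale_disabled(rows, now),
        "by_severity": severity_summary(rows),
    }


REVIEW_DATE = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed

# Constructed rows; the shape matches a flattened rule export.
SAMPLE_ROWS = [
    {"name": "Potential Credential Dumping", "severity": "critical", "risk_score": 99,
     "enabled": False, "updated_at": "2024-01-15T08:00:00.000Z"},
    {"name": "Suspicious PowerShell Download", "severity": "high", "risk_score": 73,
     "enabled": True, "updated_at": "2024-03-20T08:00:00.000Z"},
    {"name": "Unusual DNS Query Volume", "severity": "medium", "risk_score": 47,
     "enabled": False, "updated_at": "2024-03-25T08:00:00.000Z"},
    {"name": "Linux Cron Persistence", "severity": "low", "risk_score": 21,
     "enabled": True, "updated_at": "2024-02-01T08:00:00.000Z"},
    {"name": "New Admin Account Created", "severity": "high", "risk_score": 70,
     "enabled": False, "updated_at": "2024-03-28T08:00:00.000Z"},
]

if __name__ == "__main__":
    result = review(SAMPLE_ROWS, REVIEW_DATE)
    for r in result["rows"]:
        print(f'{r["name"]:32} {r["severity"]:8} {r["risk_score"]:3} {r["flag"]}')
    print(result["total"], result["enabled"], result["gaps"], result["by_severity"])
```

Note the difference between the two flags on the sample: "New Admin Account Created" is a gap (high and disabled) but not stale (disabled four days ago), while "Unusual DNS Query Volume" is neither, because a disabled medium rule is not what the 'Gap' rule asks for.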
Try It
Get the 7-day free trial of SheetXAI and open a sheet you're using for a security review or compliance audit, then ask it to pull your full detection rule inventory from Kibana with whatever severity filters you need. You can also explore Bulk Create Kibana Cases From a Google Sheet or see the full Kibana integration guide.
