diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/delete_rules_by_query.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/delete_rules_by_query.sh
new file mode 100755
index 0000000000000..d78726f9e23b5
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/delete_rules_by_query.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+set -e
+./check_env_variables.sh
+
+QUERY=${1}
+
+# Example delete all rules
+# ./delete_rules_by_query.sh
+
+# Example delete rules with tag "test"
+# ./delete_rules_by_query.sh 'alert.attributes.tags: \"test\"'
+
+curl -s -k \
+ -H 'Content-Type: application/json' \
+ -H 'kbn-xsrf: 123' \
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+ -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/_bulk_action \
+ --data "{
+  \"query\": \"$QUERY\",
+  \"action\": \"delete\"
+}" | jq .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/disable_rules_by_query.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/disable_rules_by_query.sh
new file mode 100755
index 0000000000000..1c7f05f4057cf
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/disable_rules_by_query.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+set -e
+./check_env_variables.sh
+
+QUERY=${1}
+
+# Example disable all rules
+# ./disable_rules_by_query.sh
+
+# Example disable rules with tag "test"
+# ./disable_rules_by_query.sh 'alert.attributes.tags: \"test\"'
+
+curl -s -k \
+ -H 'Content-Type: application/json' \
+ -H 'kbn-xsrf: 123' \
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+ -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/_bulk_action \
+ --data "{
+  \"query\": \"$QUERY\",
+  \"action\": \"disable\"
+}" | jq .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/duplicate_rules_by_query.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/duplicate_rules_by_query.sh
new file mode 100755
index 0000000000000..13da480d74f83
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/duplicate_rules_by_query.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+set -e
+./check_env_variables.sh
+
+QUERY=${1}
+
+# Example duplicate all rules
+# ./duplicate_rules_by_query.sh
+
+# Example duplicate rules with tag "test"
+# ./duplicate_rules_by_query.sh 'alert.attributes.tags: \"test\"'
+
+curl -s -k \
+ -H 'Content-Type: application/json' \
+ -H 'kbn-xsrf: 123' \
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+ -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/_bulk_action \
+ --data "{
+  \"query\": \"$QUERY\",
+  \"action\": \"duplicate\"
+}" | jq .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/enable_rules_by_query.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/enable_rules_by_query.sh
new file mode 100755
index 0000000000000..52bb51b6dd6df
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/enable_rules_by_query.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+set -e
+./check_env_variables.sh
+
+QUERY=${1}
+
+# Example enable all rules
+# ./enable_rules_by_query.sh
+
+# Example enable rules with tag "test"
+# ./enable_rules_by_query.sh 'alert.attributes.tags: \"test\"'
+
+curl -s -k \
+ -H 'Content-Type: application/json' \
+ -H 'kbn-xsrf: 123' \
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+ -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/_bulk_action \
+ --data "{
+  \"query\": \"$QUERY\",
+  \"action\": \"enable\"
+}" | jq .
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/export_rules_by_query.sh b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/export_rules_by_query.sh
new file mode 100755
index 0000000000000..954fc2104262b
--- /dev/null
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/scripts/export_rules_by_query.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+#
+# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+# or more contributor license agreements. Licensed under the Elastic License
+# 2.0; you may not use this file except in compliance with the Elastic License
+# 2.0.
+#
+
+set -e
+./check_env_variables.sh
+
+QUERY=${1}
+
+# Example export all rules
+# ./export_rules_by_query.sh
+
+# Example export rules with tag "test"
+# ./export_rules_by_query.sh 'alert.attributes.tags: \"test\"'
+
+curl -s -k \
+ -H 'Content-Type: application/json' \
+ -H 'kbn-xsrf: 123' \
+ -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
+ -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/_bulk_action \
+ --data "{
+  \"query\": \"$QUERY\",
+  \"action\": \"export\"
+}"