Detections API

edit

You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page.

The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.

For more information on detection alerts, and the difference between events, external alerts, and detection alerts, see detections terminology.

The API has these endpoints:

  • <kibana host>:<port>/api/detection_engine/rules - Detection rules CRUD functions
  • <kibana host>:<port>/api/detection_engine/index - Signal index operations (used to store detection alerts)
  • <kibana host>:<port>/api/detection_engine/tags - Aggregates and returns rule tags
  • <kibana host>:<port>/api/detection_engine/_import - Imports rules from an .ndjson file
  • <kibana host>:<port>/api/detection_engine/_export - Exports rules to an .ndjson file
  • <kibana host>:<port>/api/detection_engine/privileges - Returns the user’s Kibana space and signal index permissions, and whether the user is authenticated
  • <kibana host>:<port>/api/detection_engine/signals - Aggregates, queries, and returns alerts, and updates their statuses
  • <kibana host>:<port>/api/detection_engine/prepackaged - Loads and retrieves the status of Elastic prebuilt rules

You can view and download a Detections API Postman collection here.

Kibana role requirements

edit

To create and run rules, the user role for the Kibana space must have:

  • Kibana space All privileges for the Security and Saved Objects Management features (see Feature access based on user privileges).
  • read and write privileges for the .siem-signals-* index (the system index used for storing detection alerts created from rules).

See Detections prerequisites and requirements for a complete list of requirements.