Find rules

edit

Retrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Request URL

edit

GET <kibana host>:<port>/api/detection_engine/rules/_find

URL query parameters

edit

All parameters are optional:

Name Type Description

page

Integer

The page number to return.

per_page

Integer

The number of rules to return per page.

sort_field

String

Determines which field is used to sort the results.

sort_order

String

Determines the sort order, which can be desc or asc.

filter

String

Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be:

  • name
  • enabled
  • tags
  • createdBy
  • interval
  • updatedBy

Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter.

Example request

edit

Retrieves the first five rules with the word windows in their names, sorted in ascending order:

GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows

Response code

edit
200
Indicates a successful call.

Response payload

edit

A JSON object containing a summary and the returned rules.

Example response:

{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": [
        "winlogbeat-*"
      ],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": [
        "Elastic",
        "Windows"
      ],
      "to": "now",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": "https://attack.mitre.org/tactics/TA0002/"
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": "https://attack.mitre.org/techniques/T1193/"
            }
          ]
        }
      ],
      "execution_summary": {                      
        "last_execution": {
          "date": "2022-03-23T16:06:12.787Z",
          "status": "partial failure",
          "status_order": 20,
          "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
          "metrics": {
              "total_search_duration_ms": 135,
              "total_indexing_duration_ms": 15,
              "execution_gap_duration_s": 0,
          }
        }
      },
      "version": 1
    },
    ...
  ]
}

[dev] This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features. execution_summary is under development and its schema may change.