Download a file
Download a file from an endpoint.
curl \
--request GET https://localhost:5601/api/endpoint/action/{action_id}/file/{file_id}/download
{}
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"untrack":true}'
# Headers
kbn-xsrf: true
# Payload
{
"untrack": true
}
The identifier for the rule.
The identifier for the alert.
curl \
--request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute \
--header "kbn-xsrf: true"
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
curl \
--request GET https://localhost:5601/api/apm/settings/agent-configuration \
--header "elastic-api-version: 2023-10-31"
{
"configurations": [
{
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Configure APM agent keys to authorize requests from APM agents to the APM Server.
Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
Create a new annotation for a specific service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
The name of the service
curl \
--request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"@timestamp": "string",
"message": "string",
"service": {
"environment": "string",
"version": "string"
},
"tags": [
"string"
]
}
{
"_id": "string",
"_index": "string",
"_source": {
"@timestamp": "string",
"annotation": {
"title": "string",
"type": "string"
},
"event": {
"created": "string"
},
"message": "string",
"service": {
"environment": "string",
"name": "string",
"version": "string"
},
"tags": [
"string"
]
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Search for annotations related to a specific service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
The name of the service
The environment to filter annotations by
The start date for the search
The end date for the search
curl \
--request GET https://localhost:5601/api/apm/services/{serviceName}/annotation/search \
--header "elastic-api-version: 2023-10-31"
{
"annotations": [
{
"@timestamp": 42.0,
"id": "string",
"text": "string",
"type": "version"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
Source map identifier
Successful response
Additional properties are NOT allowed.
Bad Request response
Unauthorized response
Forbidden response
Internal Server Error response
Not Implemented response
curl \
--request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true"
{}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
The add comment to case API request body varies depending on whether you are adding an alert or a comment.
Defines properties for case comment requests when type is alert.
The alert identifiers. It is required only when type
is alert
. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index
must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The alert indices. It is required only when type
is alert
. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId
array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
The rule that is associated with the alerts. It is required only when type
is alert
. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
Additional properties are allowed.
The type of comment.
Value is alert
.
curl \
--request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"type":"user","owner":"cases","comment":"A new comment."}'
{
"type": "user",
"owner": "cases",
"comment": "A new comment."
}
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Attach a file to a case. You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
Content-Type: multipart/form-data
HTTP header.The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: string" \
--form "file=@file" \
--form "filename=string"
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
curl \
--request GET https://localhost:5601/api/cases/configure
[
{
"id": "856ee650-6c82-11ee-a20a-6164169afa58",
"error": null,
"owner": "cases",
"version": "WzEyLDNd",
"mappings": [],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"settings": {
"syncAlerts": false
},
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Default text field value."
}
]
},
"description": "A description of the template."
}
],
"created_at": "2024-07-01T17:07:17.767Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": null,
"updated_by": null,
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "Custom text field value."
}
]
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
An identifier for the connector.
The type of connector.
The display name for the connector.
The connector configuration details.
Defines properties for connectors when type is .bedrock
.
Defines secrets for connectors when type is .bedrock
.
curl \
--request POST https://localhost:5601/api/actions/connector/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"email-connector-1","config":{"from":"tester@example.com","host":"https://example.com","port":1025,"secure":false,"hasAuth":true,"service":"other"},"secrets":{"user":"username","password":"password"},"connector_type_id":".email"}'
{
"name": "email-connector-1",
"config": {
"from": "tester@example.com",
"host": "https://example.com",
"port": 1025,
"secure": false,
"hasAuth": true,
"service": "other"
},
"secrets": {
"user": "username",
"password": "password"
},
"connector_type_id": ".email"
}
{
"name": "my-connector",
"config": {
"index": "test-index"
},
"connector_type_id": ".index"
}
{
"name": "my-webhook-connector",
"config": {
"url": "https://example.com",
"method": "post",
"authType": "webhook-authentication-ssl",
"certType": "ssl-crt-key"
},
"secrets": {
"crt": "QmFnIEF0dH...",
"key": "LS0tLS1CRUdJ...",
"password": "my-passphrase"
},
"connector_type_id": ".webhook"
}
{
"name": "my-xmatters-connector",
"config": {
"usesBasic": false
},
"secrets": {
"secretsUrl": "https://example.com?apiKey=xxxxx"
},
"connector_type_id": ".xmatters"
}
{
"id": "90a82c60-478f-11ee-a343-f98a117c727f",
"name": "email-connector-1",
"config": {
"from": "tester@example.com",
"host": "https://example.com",
"port": 1025,
"secure": false,
"hasAuth": true,
"service": "other",
"clientId": null,
"tenantId": null,
"oauthTokenUrl": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".email",
"is_missing_secrets": false
}
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"name": "my-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".index",
"is_missing_secrets": false
}
{
"id": "900eb010-3b9d-11ee-a642-8ffbb94e38bd",
"name": "my-webhook-connector",
"config": {
"url": "https://example.com",
"method": "post",
"hasAuth": true,
"headers": null,
"authType": "webhook-authentication-ssl",
"certType": "ssl-crt-key",
"verificationMode": "full"
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".webhook",
"is_missing_secrets": false
}
{
"id": "df770e30-8b8b-11ed-a780-3b746c987a81",
"name": "my_server_log_connector",
"config": {},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".server-log",
"is_missing_secrets": false
}
WARNING: When you delete a connector, it cannot be recovered.
An identifier for the connector.
curl \
--request DELETE https://localhost:5601/api/actions/connector/{id} \
--header "kbn-xsrf: true"
The name of the runtime field.
An identifier for the data view.
curl \
--request DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}
curl \
--request GET https://localhost:5601/api/data_views/default
{
"data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request POST https://localhost:5601/api/fleet/agents/{agentId}/unenroll \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"revoke":true}'
# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"revoke": true
}
Get an agent binary download source by ID.
[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/agent_download_sources/{sourceId}
{
"item": {
"host": "https://example.com",
"id": "string",
"is_default": false,
"name": "string",
"proxy_id": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get a list of outputs associated with agent policy by policy id.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/outputs
{
"item": {
"agentPolicyId": "string",
"data": {
"integrations": [
{
"id": "string",
"integrationPolicyName": "string",
"name": "string",
"pkgName": "string"
}
],
"output": {
"id": "string",
"name": "string"
}
},
"monitoring": {
"output": {
"id": "string",
"name": "string"
}
}
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
curl \
--request GET https://localhost:5601/api/fleet/agent_status
{
"results": {
"active": 42.0,
"all": 42.0,
"error": 42.0,
"events": 42.0,
"inactive": 42.0,
"offline": 42.0,
"online": 42.0,
"orphaned": 42.0,
"other": 42.0,
"unenrolled": 42.0,
"uninstalled": 42.0,
"updating": 42.0
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
curl \
--request POST https://localhost:5601/api/fleet/agents \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"actionIds":["string"]}'
# Headers
kbn-xsrf: true
# Payload
{
"actionIds": [
"string"
]
}
{
"items": [
"string"
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Delete a file uploaded by an agent.
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request DELETE https://localhost:5601/api/fleet/agents/files/{fileId} \
--header "kbn-xsrf: true"
{
"deleted": true,
"id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].
curl \
--request GET https://localhost:5601/api/fleet/agents/setup
{
"is_secrets_storage_enabled": true,
"is_space_awareness_enabled": true,
"isReady": true,
"missing_optional_features": [
"encrypted_saved_object_encryption_key_required"
],
"missing_requirements": [
"security_required"
],
"package_verification_key_id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].
curl \
--request POST https://localhost:5601/api/fleet/epm/custom_integrations \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"datasets":[{"name":"string","type":"logs"}],"force":true,"integrationName":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"datasets": [
{
"name": "string",
"type": "logs"
}
],
"force": true,
"integrationName": "string"
}
{
"_meta": {
"install_source": "string"
},
"items": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].
Default value is false
.
Default value is false
.
curl \
--request POST https://localhost:5601/api/fleet/epm/packages \
--header "Content-Type: application/gzip; application/zip" \
--header "kbn-xsrf: true" \
--data-binary '@file'
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
curl \
--request GET https://localhost:5601/api/fleet/epm/packages/{pkgName}/stats
{
"response": {
"agent_policy_count": 42.0
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
curl \
--request GET https://localhost:5601/api/fleet/epm/verification_key_id
{
"id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Update a package policy by ID.
Values are simplified
or legacy
.
Package policy description
The package policy namespace. Leave blank to inherit the agent policy's namespace.
Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
Additional properties are NOT allowed.
Additional properties are NOT allowed.
Agent policy ID where that package policy will be added
Agent policy IDs where that package policy will be added
Indicates whether the package policy belongs to an agentless agent policy.
Default value is false
.
Package variable (see integration documentation for more information)
curl \
--request PUT https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","enabled":true,"force":true,"inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"version":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"enabled": true,
"force": true,
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"supports_agentless": false,
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"force": true,
"id": "string",
"inputs": {
"additionalProperty1": {
"enabled": true,
"streams": {
"additionalProperty1": {
"enabled": true,
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"vars": {}
}
},
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"streams": {
"additionalProperty1": {
"enabled": true,
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"vars": {}
}
},
"vars": {}
}
},
"name": "string",
"namespace": "string",
"output_id": "string",
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"supports_agentless": false,
"vars": {}
}
{
"item": {
"agents": 42.0,
"created_at": "string",
"created_by": "string",
"description": "string",
"elasticsearch": {
"privileges": {
"cluster": [
"string"
]
}
},
"enabled": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"revision": 42.0,
"secret_references": [
{
"id": "string"
}
],
"spaceIds": [
"string"
],
"supports_agentless": false,
"updated_at": "string",
"updated_by": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Delete a package policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].
curl \
--request DELETE https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
--header "kbn-xsrf: true"
{
"id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have all
privileges for the Machine Learning feature in the Analytics section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.
When true, simulates the synchronization by returning only the list of actions that would be performed.
curl \
--request GET https://localhost:5601/api/ml/saved_objects/sync
{
"datafeedsAdded": {},
"datafeedsRemoved": {},
"savedObjectsCreated": {
"anomaly-detector": {
"myjob1": {
"success": true
},
"myjob2": {
"success": true
}
}
},
"savedObjectsDeleted": {}
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
If true
and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
curl \
--request GET https://localhost:5601/api/security/role
[
{
"name": "my_kibana_role",
"kibana": [
{
"base": [
"all"
],
"spaces": [
"*"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"description": "My kibana role description",
"elasticsearch": {
"run_as": [],
"cluster": [],
"indices": []
},
"transient_metadata": {
"enabled": true
}
},
{
"name": "my_admin_role",
"kibana": [],
"metadata": {
"version": 1
},
"description": "My admin role description",
"elasticsearch": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"query": "{\\\"match\\\": {\\\"title\\\": \\\"foo\\\"}}",
"privileges": [
"all"
],
"field_security": {
"grant": [
"title",
"body"
]
}
}
]
},
"transient_metadata": {
"enabled": true
}
}
]
Update the attributes for multiple Kibana saved objects.
curl \
--request POST https://localhost:5601/api/saved_objects/_bulk_update \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
# Headers
kbn-xsrf: string
# Payload
[
{}
]
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Create a Kibana saved object and specify its identifier instead of using a randomly generated ID.
An identifier for the saved object.
Valid options include visualization
, dashboard
, search
, index-pattern
, config
.
If true, overwrites the document with the same identifier.
The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.
Additional properties are allowed.
Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'
), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single'
or namespaceType: 'multiple-isolated'
), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered with
namespaceType: agnostic`), this option cannot be used.
Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'
), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single'
or namespaceType: 'multiple-isolated'
), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered with
namespaceType: agnostic`), this option cannot be used.
curl \
--request POST https://localhost:5601/api/saved_objects/{type}/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"attributes":{},"initialNamespaces":[],"references":[]}'
# Headers
kbn-xsrf: string
# Payload
{
"attributes": {},
"initialNamespaces": [],
"references": []
}
{}
{}
curl \
--request DELETE https://localhost:5601/api/detection_engine/index
{
"acknowledged": true
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
string
{
"message": "string",
"status_code": 42
}
Retrieve a detection rule using the rule_id
or id
field.
Indicates a successful call.
curl \
--request GET https://localhost:5601/api/detection_engine/rules
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"type": "query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery",
"query": "string"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"saved_id": "string",
"type": "saved_query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"query": "string",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"query": "string",
"threshold": {
"cardinality": [
{
"field": "string",
"value": 42
}
],
"field": "string",
"value": 42
},
"type": "threshold",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
}
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"query": "string",
"threat_index": [
"string"
],
"threat_mapping": [
{
"entries": [
{
"field": "string",
"type": "mapping",
"value": "string"
}
]
}
],
"threat_query": "string",
"type": "threat_match",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"concurrent_searches": 42,
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"items_per_search": 42,
"saved_id": "string",
"threat_filters": [],
"threat_indicator_path": "string",
"threat_language": "kuery",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"anomaly_threshold": 42,
"machine_learning_job_id": "string",
"type": "machine_learning",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
}
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"history_window_start": "string",
"new_terms_fields": [
"string"
],
"query": "string",
"type": "new_terms",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"language": "esql",
"query": "string",
"type": "esql"
}
Update specific fields of an existing detection rule using the rule_id
or id
field.
Values are savedObjectConversion
or savedObjectImport
.
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
Minimum length is 1
.
Determines whether the rule is enabled.
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
A universally unique identifier
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
Schema for fields relating to investigation fields. These are user defined fields we use to highlight
in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Added in PR #163235
Right now we only have a single field but anticipate adding more related fields to store various
configuration states such as override
- where a user might say if they want only these fields to
display, or if they want these fields + the fields we select. When expanding this field, it may look
something like:
const investigationFields = z.object({
field_names: NonEmptyArray(NonEmptyString),
override: z.boolean().optional(),
});
Additional properties are allowed.
The rule's license.
Minimum value is 1
.
Additional properties are allowed.
Minimum length is 1
.
Has no effect.
Notes to help investigate alerts produced by the rule.
Values are exactMatch
, aliasMatch
, or conflict
.
(deprecated) Has no effect.
Risk score (0 to 100)
Minimum value is 0
, maximum value is 100
.
Overrides generated alerts' risk_score with a value from the source event
Could be any string, not necessarily a UUID
Sets the source field for the alert's signal.rule.name value
Severity of the rule
Values are low
, medium
, high
, or critical
.
Overrides generated alerts' severity with values from the source event
Timeline template ID
Timeline template title
Sets the time field used to query indices
Disables the fallback to the event's @timestamp field
The rule's version number.
Minimum value is 1
.
Query language to use
Value is eql
.
EQL query to execute
Rule type
Value is eql
.
Additional properties are allowed.
Sets a secondary field for sorting events
Contains the event timestamp used for sorting a sequence of events
Indicates a successful call.
curl \
--request PATCH https://localhost:5601/api/detection_engine/rules \
--header "Content-Type: application/json" \
--data '{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","id":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string"}'
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"type": "query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery",
"query": "string"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"saved_id": "string",
"type": "saved_query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"query": "string",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"query": "string",
"threshold": {
"cardinality": [
{
"field": "string",
"value": 42
}
],
"field": "string",
"value": 42
},
"type": "threshold",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
}
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"query": "string",
"threat_index": [
"string"
],
"threat_mapping": [
{
"entries": [
{
"field": "string",
"type": "mapping",
"value": "string"
}
]
}
],
"threat_query": "string",
"type": "threat_match",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"concurrent_searches": 42,
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"items_per_search": 42,
"saved_id": "string",
"threat_filters": [],
"threat_indicator_path": "string",
"threat_language": "kuery",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"anomaly_threshold": 42,
"machine_learning_job_id": "string",
"type": "machine_learning",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
}
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"history_window_start": "string",
"new_terms_fields": [
"string"
],
"query": "string",
"type": "new_terms",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"language": "esql",
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"query": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"type": "esql",
"version": 42,
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
}
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"type": "query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery",
"query": "string"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"saved_id": "string",
"type": "saved_query",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"query": "string",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"query": "string",
"threshold": {
"cardinality": [
{
"field": "string",
"value": 42
}
],
"field": "string",
"value": 42
},
"type": "threshold",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
}
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"saved_id": "string",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"query": "string",
"threat_index": [
"string"
],
"threat_mapping": [
{
"entries": [
{
"field": "string",
"type": "mapping",
"value": "string"
}
]
}
],
"threat_query": "string",
"type": "threat_match",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"concurrent_searches": 42,
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"items_per_search": 42,
"saved_id": "string",
"threat_filters": [],
"threat_indicator_path": "string",
"threat_language": "kuery",
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"anomaly_threshold": 42,
"machine_learning_job_id": "string",
"type": "machine_learning",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
}
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"history_window_start": "string",
"new_terms_fields": [
"string"
],
"query": "string",
"type": "new_terms",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"filters": [],
"index": [
"string"
],
"language": "kuery"
}
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"language": "esql",
"query": "string",
"type": "esql"
}
Update specific fields of existing detection rules using the rule_id
or id
field.
A JSON array of rules, where each rule contains the required fields.
Values are savedObjectConversion
or savedObjectImport
.
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
Minimum length is 1
.
Determines whether the rule is enabled.
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
A universally unique identifier
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
Schema for fields relating to investigation fields. These are user defined fields we use to highlight
in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Added in PR #163235
Right now we only have a single field but anticipate adding more related fields to store various
configuration states such as override
- where a user might say if they want only these fields to
display, or if they want these fields + the fields we select. When expanding this field, it may look
something like:
const investigationFields = z.object({
field_names: NonEmptyArray(NonEmptyString),
override: z.boolean().optional(),
});
Additional properties are allowed.
The rule's license.
Minimum value is 1
.
Additional properties are allowed.
Minimum length is 1
.
Has no effect.
Notes to help investigate alerts produced by the rule.
Values are exactMatch
, aliasMatch
, or conflict
.
(deprecated) Has no effect.
Risk score (0 to 100)
Minimum value is 0
, maximum value is 100
.
Overrides generated alerts' risk_score with a value from the source event
Could be any string, not necessarily a UUID
Sets the source field for the alert's signal.rule.name value
Severity of the rule
Values are low
, medium
, high
, or critical
.
Overrides generated alerts' severity with values from the source event
Timeline template ID
Timeline template title
Sets the time field used to query indices
Disables the fallback to the event's @timestamp field
The rule's version number.
Minimum value is 1
.
Query language to use
Value is eql
.
EQL query to execute
Rule type
Value is eql
.
Additional properties are allowed.
Sets a secondary field for sorting events
Contains the event timestamp used for sorting a sequence of events
Indicates a successful call.
curl \
--request PATCH https://localhost:5601/api/detection_engine/rules/_bulk_update \
--header "Content-Type: application/json" \
--data '[{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","id":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string"}]'
[
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"id": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_id": "string",
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
]
[
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
]
Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.
Search query
Field to sort by
Values are created_at
, createdAt
, enabled
, execution_summary.last_execution.date
, execution_summary.last_execution.metrics.execution_gap_duration_s
, execution_summary.last_execution.metrics.total_indexing_duration_ms
, execution_summary.last_execution.metrics.total_search_duration_ms
, execution_summary.last_execution.status
, name
, risk_score
, riskScore
, severity
, updated_at
, or updatedAt
.
Sort order
Values are asc
or desc
.
Page number
Minimum value is 1
. Default value is 1
.
Rules per page
Minimum value is 0
. Default value is 20
.
Gaps range start
Gaps range end
curl \
--request GET https://localhost:5601/api/detection_engine/rules/_find
{
"data": [
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
],
"page": 42,
"perPage": 42,
"total": 42
}
Update an endpoint exception list item using the id
or item_id
field.
Exception list item's properties
Array of comment fields:
Describes the exception list.
Exception's identifier.
Minimum length is 1
.
Human readable string identifier, e.g. trusted-linux-processes
Minimum length is 1
.
Additional properties are allowed.
Exception list name.
Minimum length is 1
.
Use this field to specify the operating system.
Values are linux
, macos
, or windows
.
Value is simple
.
curl \
--request PUT https://localhost:5601/api/endpoint_list/items \
--header "Content-Type: application/json" \
--data '{"_version":"string","comments":[{"comment":"string","created_at":"2025-05-04T09:42:00+00:00","created_by":"string","id":"string","updated_at":"2025-05-04T09:42:00+00:00","updated_by":"string"}],"description":"string","entries":[{"field":"string","operator":"excluded","type":"match","value":"string"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","meta":{},"name":"string","os_types":["linux"],"tags":["string"],"type":"simple"}'
{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"meta": {},
"name": "string",
"os_types": [
"linux"
],
"tags": [
"string"
],
"type": "simple"
}
{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"expire_time": "2025-05-04T09:42:00+00:00",
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"list_id": "simple_list",
"meta": {},
"name": "string",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "simple",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}
Delete an endpoint exception list item using the id
or item_id
field.
curl \
--request DELETE https://localhost:5601/api/endpoint_list/items
{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"expire_time": "2025-05-04T09:42:00+00:00",
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"list_id": "simple_list",
"meta": {},
"name": "string",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "simple",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}
Interact with and manage endpoints running the Elastic Defend integration.
Get the details of a response action using the action ID.
curl \
--request GET https://localhost:5601/api/endpoint/action/{action_id}
{}
Download a file from an endpoint.
curl \
--request GET https://localhost:5601/api/endpoint/action/{action_id}/file/{file_id}/download
{}