Disable a rule

POST /api/alerting/rule/{id}/_disable

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

application/json

Body

  • untrack boolean

    Defines whether this rule's alerts should be untracked.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "untrack": true
}
















Mute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
curl \
 --request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute \
 --header "kbn-xsrf: true"









Get a list of agent configurations

GET /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • configurations array[object]

      Agent configuration

      Hide configurations attributes Show configurations attributes object
      • @timestamp number Required

        Timestamp

      • Agent name

      • Applied by agent

      • etag string Required

        Etag

      • service object Required

        Service

        Additional properties are allowed.

        Hide service attributes Show service attributes object
      • settings object Required

        Agent configuration settings

        Hide settings attribute Show settings attribute object
        • * string Additional properties
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration
curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "configurations": [
    {
      "@timestamp": 1730194190636,
      "agent_name": "string",
      "applied_by_agent": true,
      "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
      "service": {
        "environment": "prod",
        "name": "node"
      },
      "settings": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      }
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}
























APM agent keys

Configure APM agent keys to authorize requests from APM agents to the APM Server.





APM annotations

Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.

Create a service annotation

POST /api/apm/services/{serviceName}/annotation

Create a new annotation for a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body Required

Responses

  • 200 application/json

    Annotation created successfully

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/services/{serviceName}/annotation
curl \
 --request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "@timestamp": "string",
  "message": "string",
  "service": {
    "environment": "string",
    "version": "string"
  },
  "tags": [
    "string"
  ]
}
Response examples (200)
{
  "_id": "string",
  "_index": "string",
  "_source": {
    "@timestamp": "string",
    "annotation": {
      "title": "string",
      "type": "string"
    },
    "event": {
      "created": "string"
    },
    "message": "string",
    "service": {
      "environment": "string",
      "name": "string",
      "version": "string"
    },
    "tags": [
      "string"
    ]
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Search for annotations

GET /api/apm/services/{serviceName}/annotation/search

Search for annotations related to a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Path parameters

Query parameters

  • The environment to filter annotations by

  • start string

    The start date for the search

  • end string

    The end date for the search

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
GET /api/apm/services/{serviceName}/annotation/search
curl \
 --request GET https://localhost:5601/api/apm/services/{serviceName}/annotation/search \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "annotations": [
    {
      "@timestamp": 42.0,
      "id": "string",
      "text": "string",
      "type": "version"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}














Delete source map

DELETE /api/apm/sourcemaps/{id}

Delete a previously uploaded source map.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    Source map identifier

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
  • 501 application/json

    Not Implemented response

    Hide response attributes Show response attributes object
DELETE /api/apm/sourcemaps/{id}
curl \
 --request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

























Add a case comment or alert

POST /api/cases/{caseId}/comments

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json

Body object Required

The add comment to case API request body varies depending on whether you are adding an alert or a comment.

One of:

Defines properties for case comment requests when type is alert.

  • alertId string | array[string] Required

    The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • index string | array[string] Required

    The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • rule object Required Technical preview

    The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

    Additional properties are allowed.

    Hide rule attributes Show rule attributes object
    • id string

      The rule identifier.

    • name string

      The rule name.

  • type string Required Discriminator

    The type of comment.

    Value is alert.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/comments
curl \
 --request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"type":"user","owner":"cases","comment":"A new comment."}'
Request example
{
  "type": "user",
  "owner": "cases",
  "comment": "A new comment."
}
Response examples (200)
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
























Attach a file to a case

POST /api/cases/{caseId}/files

Attach a file to a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:

  • The Content-Type: multipart/form-data HTTP header.
  • The location of the file that is being uploaded.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

multipart/form-data

Body Required

  • file string(binary) Required

    The file being attached to the case.

  • filename string

    The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. This should not include the file extension.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/files
curl \
 --request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files \
 --header "Content-Type: multipart/form-data" \
 --header "kbn-xsrf: string" \
 --form "file=@file" \
 --form "filename=string"
Response examples (200)
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Get case settings

GET /api/cases/configure

Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • Additional properties are allowed.

      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        Additional properties are allowed.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object
      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • Additional properties are allowed.

        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • Additional properties are allowed.

          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

            Additional properties are allowed.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        • The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Additional properties are allowed.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/configure
curl \
 --request GET https://localhost:5601/api/cases/configure
Response examples (200)
[
  {
    "id": "856ee650-6c82-11ee-a20a-6164169afa58",
    "error": null,
    "owner": "cases",
    "version": "WzEyLDNd",
    "mappings": [],
    "connector": {
      "id": "none",
      "name": "none",
      "type": ".none",
      "fields": null
    },
    "templates": [
      {
        "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
        "name": "template-1",
        "tags": [
          "Template tag 1"
        ],
        "caseFields": {
          "tags": [
            "Default case tag"
          ],
          "title": "Default case title",
          "category": "Default-category",
          "settings": {
            "syncAlerts": false
          },
          "assignees": [
            {
              "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
            }
          ],
          "connector": {
            "id": "none",
            "name": "none",
            "type": ".none",
            "fields": null
          },
          "description": "A default description for cases.",
          "customFields": [
            {
              "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
              "type": "text",
              "value": "Default text field value."
            }
          ]
        },
        "description": "A description of the template."
      }
    ],
    "created_at": "2024-07-01T17:07:17.767Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "updated_at": null,
    "updated_by": null,
    "closure_type": "close-by-user",
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "label": "my-text-field",
        "required": false,
        "defaultValue": "Custom text field value."
      }
    ]
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

































Create a connector

POST /api/actions/connector/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json

Body

  • connector_type_id string Required

    The type of connector.

  • name string Required

    The display name for the connector.

  • config object

    The connector configuration details.

    One of:

    Defines properties for connectors when type is .bedrock.

    Hide attributes Show attributes
    • apiUrl string Required

      The Amazon Bedrock request URL.

    • The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.

      Default value is anthropic.claude-3-5-sonnet-20240620-v1:0.

  • secrets object

    One of:

    Defines secrets for connectors when type is .bedrock.

    Hide attributes Show attributes
    • accessKey string Required

      The AWS access key for authentication.

    • secret string Required

      The AWS secret for authentication.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.

POST /api/actions/connector/{id}
curl \
 --request POST https://localhost:5601/api/actions/connector/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"email-connector-1","config":{"from":"tester@example.com","host":"https://example.com","port":1025,"secure":false,"hasAuth":true,"service":"other"},"secrets":{"user":"username","password":"password"},"connector_type_id":".email"}'
{
  "name": "email-connector-1",
  "config": {
    "from": "tester@example.com",
    "host": "https://example.com",
    "port": 1025,
    "secure": false,
    "hasAuth": true,
    "service": "other"
  },
  "secrets": {
    "user": "username",
    "password": "password"
  },
  "connector_type_id": ".email"
}
{
  "name": "my-connector",
  "config": {
    "index": "test-index"
  },
  "connector_type_id": ".index"
}
{
  "name": "my-webhook-connector",
  "config": {
    "url": "https://example.com",
    "method": "post",
    "authType": "webhook-authentication-ssl",
    "certType": "ssl-crt-key"
  },
  "secrets": {
    "crt": "QmFnIEF0dH...",
    "key": "LS0tLS1CRUdJ...",
    "password": "my-passphrase"
  },
  "connector_type_id": ".webhook"
}
{
  "name": "my-xmatters-connector",
  "config": {
    "usesBasic": false
  },
  "secrets": {
    "secretsUrl": "https://example.com?apiKey=xxxxx"
  },
  "connector_type_id": ".xmatters"
}
{
  "id": "90a82c60-478f-11ee-a343-f98a117c727f",
  "name": "email-connector-1",
  "config": {
    "from": "tester@example.com",
    "host": "https://example.com",
    "port": 1025,
    "secure": false,
    "hasAuth": true,
    "service": "other",
    "clientId": null,
    "tenantId": null,
    "oauthTokenUrl": null
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".email",
  "is_missing_secrets": false
}
{
  "id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
  "name": "my-connector",
  "config": {
    "index": "test-index",
    "refresh": false,
    "executionTimeField": null
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".index",
  "is_missing_secrets": false
}
{
  "id": "900eb010-3b9d-11ee-a642-8ffbb94e38bd",
  "name": "my-webhook-connector",
  "config": {
    "url": "https://example.com",
    "method": "post",
    "hasAuth": true,
    "headers": null,
    "authType": "webhook-authentication-ssl",
    "certType": "ssl-crt-key",
    "verificationMode": "full"
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".webhook",
  "is_missing_secrets": false
}
{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}

Delete a connector

DELETE /api/actions/connector/{id}

WARNING: When you delete a connector, it cannot be recovered.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

Responses

  • Indicates a successful call.

DELETE /api/actions/connector/{id}
curl \
 --request DELETE https://localhost:5601/api/actions/connector/{id} \
 --header "kbn-xsrf: true"














































































Delete a runtime field from a data view

DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

Responses

  • Indicates a successful call.

  • 404 application/json

    Object is not found.

    Hide response attributes Show response attributes object
DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
 --request DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
Response examples (404)
{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Get the default data view

GET /api/data_views/default

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views/default
curl \
 --request GET https://localhost:5601/api/data_views/default
Response examples (200)
{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

























Unenroll an agent

POST /api/fleet/agents/{agentId}/unenroll

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

POST /api/fleet/agents/{agentId}/unenroll
curl \
 --request POST https://localhost:5601/api/fleet/agents/{agentId}/unenroll \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"revoke":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "revoke": true
}









































Get an agent binary download source

GET /api/fleet/agent_download_sources/{sourceId}

Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • host string(uri) Required
      • id string Required
      • is_default boolean

        Default value is false.

      • name string Required
      • proxy_id string | null

        The ID of the proxy to use for this download source. See the proxies API for more information.

  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agent_download_sources/{sourceId}
curl \
 --request GET https://localhost:5601/api/fleet/agent_download_sources/{sourceId}
Response examples (200)
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}









































Get outputs for an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/outputs

Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • data object Required

        Additional properties are NOT allowed.

        Hide data attributes Show data attributes object
      • monitoring object Required

        Additional properties are NOT allowed.

        Hide monitoring attribute Show monitoring attribute object
        • output object Required

          Additional properties are NOT allowed.

          Hide output attributes Show output attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agent_policies/{agentPolicyId}/outputs
curl \
 --request GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/outputs
Response examples (200)
{
  "item": {
    "agentPolicyId": "string",
    "data": {
      "integrations": [
        {
          "id": "string",
          "integrationPolicyName": "string",
          "name": "string",
          "pkgName": "string"
        }
      ],
      "output": {
        "id": "string",
        "name": "string"
      }
    },
    "monitoring": {
      "output": {
        "id": "string",
        "name": "string"
      }
    }
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

















Get an agent status summary

GET /api/fleet/agent_status

Query parameters

Responses

GET /api/fleet/agent_status
curl \
 --request GET https://localhost:5601/api/fleet/agent_status
Response examples (200)
{
  "results": {
    "active": 42.0,
    "all": 42.0,
    "error": 42.0,
    "events": 42.0,
    "inactive": 42.0,
    "offline": 42.0,
    "online": 42.0,
    "orphaned": 42.0,
    "other": 42.0,
    "unenrolled": 42.0,
    "uninstalled": 42.0,
    "updating": 42.0
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}









Get agents by action ids

POST /api/fleet/agents

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agents
curl \
 --request POST https://localhost:5601/api/fleet/agents \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"actionIds":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "actionIds": [
    "string"
  ]
}
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




















Delete an uploaded file

DELETE /api/fleet/agents/files/{fileId}

Delete a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/agents/files/{fileId}
curl \
 --request DELETE https://localhost:5601/api/fleet/agents/files/{fileId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "deleted": true,
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Get agent setup info

GET /api/fleet/agents/setup

[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].

Responses

GET /api/fleet/agents/setup
curl \
 --request GET https://localhost:5601/api/fleet/agents/setup
Response examples (200)
{
  "is_secrets_storage_enabled": true,
  "is_space_awareness_enabled": true,
  "isReady": true,
  "missing_optional_features": [
    "encrypted_saved_object_encryption_key_required"
  ],
  "missing_requirements": [
    "security_required"
  ],
  "package_verification_key_id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

















Create a custom integration

POST /api/fleet/epm/custom_integrations

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • datasets array[object] Required
    Hide datasets attributes Show datasets attributes object
    • name string Required
    • type string Required

      Values are logs, metrics, traces, synthetics, or profiling.

  • force boolean
  • integrationName string Required

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • _meta object Required

      Additional properties are NOT allowed.

      Hide _meta attribute Show _meta attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/epm/custom_integrations
curl \
 --request POST https://localhost:5601/api/fleet/epm/custom_integrations \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"datasets":[{"name":"string","type":"logs"}],"force":true,"integrationName":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "datasets": [
    {
      "name": "string",
      "type": "logs"
    }
  ],
  "force": true,
  "integrationName": "string"
}
Response examples (200)
{
  "_meta": {
    "install_source": "string"
  },
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Install a package by upload

POST /api/fleet/epm/packages

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

application/gzip; application/zip

Body

string(binary) string(binary)

Responses

  • 200 application/gzip; application/zip
    Hide response attributes Show response attributes object
    • _meta object Required

      Additional properties are NOT allowed.

      Hide _meta attribute Show _meta attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/gzip; application/zip
    Hide response attributes Show response attributes object
POST /api/fleet/epm/packages
curl \
 --request POST https://localhost:5601/api/fleet/epm/packages \
 --header "Content-Type: application/gzip; application/zip" \
 --header "kbn-xsrf: true" \
 --data-binary '@file'




























Get package stats

GET /api/fleet/epm/packages/{pkgName}/stats

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • response object Required

      Additional properties are NOT allowed.

      Hide response attribute Show response attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/epm/packages/{pkgName}/stats
curl \
 --request GET https://localhost:5601/api/fleet/epm/packages/{pkgName}/stats
Response examples (200)
{
  "response": {
    "agent_policy_count": 42.0
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Get a package signature verification key ID

GET /api/fleet/epm/verification_key_id

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • id string | null Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/epm/verification_key_id
curl \
 --request GET https://localhost:5601/api/fleet/epm/verification_key_id
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}



















































































Update a package policy

PUT /api/fleet/package_policies/{packagePolicyId}

Update a package policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body object

Any of:
  • Package policy description

  • enabled boolean
  • force boolean
  • inputs array[object]
    Hide inputs attributes Show inputs attributes object
    • config object

      Package variable (see integration documentation for more information)

      Hide config attribute Show config attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
    • enabled boolean Required
    • id string
    • streams array[object]
      Hide streams attributes Show streams attributes object
      • config object

        Package variable (see integration documentation for more information)

        Hide config attribute Show config attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • data_stream object Required

        Additional properties are NOT allowed.

        Hide data_stream attributes Show data_stream attributes object
      • enabled boolean Required
      • id string
      • release string

        Values are ga, beta, or experimental.

      • vars object

        Package variable (see integration documentation for more information)

        Hide vars attribute Show vars attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
    • type string Required
    • vars object

      Package variable (see integration documentation for more information)

      Hide vars attribute Show vars attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
  • is_managed boolean
  • name string
  • The package policy namespace. Leave blank to inherit the agent policy's namespace.

  • output_id string | null
  • overrides object | null

    Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

    Additional properties are NOT allowed.

    Hide overrides attribute Show overrides attribute object | null
    • inputs object

      Additional properties are allowed.

  • package object

    Additional properties are NOT allowed.

    Hide package attributes Show package attributes object
  • policy_id string | null Deprecated

    Agent policy ID where that package policy will be added

  • policy_ids array[string]

    Agent policy IDs where that package policy will be added

  • supports_agentless boolean | null

    Indicates whether the package policy belongs to an agentless agent policy.

    Default value is false.

  • vars object

    Package variable (see integration documentation for more information)

    Hide vars attribute Show vars attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object
  • version string

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 403 application/json
    Hide response attributes Show response attributes object
PUT /api/fleet/package_policies/{packagePolicyId}
curl \
 --request PUT https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","enabled":true,"force":true,"inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"version":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "enabled": true,
  "force": true,
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  },
  "version": "string"
}
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a package policy

DELETE /api/fleet/package_policies/{packagePolicyId}

Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/package_policies/{packagePolicyId}
curl \
 --request DELETE https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}










































































Sync saved objects in the default space

GET /api/ml/saved_objects/sync

Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have all privileges for the Machine Learning feature in the Analytics section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.

Query parameters

  • simulate boolean

    When true, simulates the synchronization by returning only the list of actions that would be performed.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
    • If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.

      Hide datafeedsAdded attribute Show datafeedsAdded attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Additional properties are allowed.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.

      Hide datafeedsRemoved attribute Show datafeedsRemoved attribute object
      • * object Additional properties

        The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.

        Additional properties are allowed.

        Hide * attribute Show * attribute object
        • success boolean

          The success or failure of the synchronization.

    • If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.

      Additional properties are allowed.

      Hide savedObjectsCreated attributes Show savedObjectsCreated attributes object
      • If saved objects are missing for anomaly detection jobs, they are created.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • If saved objects are missing for data frame analytics jobs, they are created.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • If saved objects are missing for trained models, they are created.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

    • If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.

      Additional properties are allowed.

      Hide savedObjectsDeleted attributes Show savedObjectsDeleted attributes object
      • If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.

        Hide anomaly-detector attribute Show anomaly-detector attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.

        Hide data-frame-analytics attribute Show data-frame-analytics attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

      • If there are saved objects exist for nonexistent trained models, they are deleted.

        Hide trained-model attribute Show trained-model attribute object
        • * object Additional properties

          The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.

          Additional properties are allowed.

          Hide * attribute Show * attribute object
          • success boolean

            The success or failure of the synchronization.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/ml/saved_objects/sync
curl \
 --request GET https://localhost:5601/api/ml/saved_objects/sync
Response examples (200)
{
  "datafeedsAdded": {},
  "datafeedsRemoved": {},
  "savedObjectsCreated": {
    "anomaly-detector": {
      "myjob1": {
        "success": true
      },
      "myjob2": {
        "success": true
      }
    }
  },
  "savedObjectsDeleted": {}
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get all roles

GET /api/security/role

Query parameters

  • If true and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/security/role
curl \
 --request GET https://localhost:5601/api/security/role
Response examples (200)
[
  {
    "name": "my_kibana_role",
    "kibana": [
      {
        "base": [
          "all"
        ],
        "spaces": [
          "*"
        ],
        "feature": {}
      }
    ],
    "metadata": {
      "version": 1
    },
    "description": "My kibana role description",
    "elasticsearch": {
      "run_as": [],
      "cluster": [],
      "indices": []
    },
    "transient_metadata": {
      "enabled": true
    }
  },
  {
    "name": "my_admin_role",
    "kibana": [],
    "metadata": {
      "version": 1
    },
    "description": "My admin role description",
    "elasticsearch": {
      "cluster": [
        "all"
      ],
      "indices": [
        {
          "names": [
            "index1",
            "index2"
          ],
          "query": "{\\\"match\\\": {\\\"title\\\": \\\"foo\\\"}}",
          "privileges": [
            "all"
          ],
          "field_security": {
            "grant": [
              "title",
              "body"
            ]
          }
        }
      ]
    },
    "transient_metadata": {
      "enabled": true
    }
  }
]





































Update saved objects Deprecated

POST /api/saved_objects/_bulk_update

Update the attributes for multiple Kibana saved objects.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

object object

Additional properties are allowed.

Responses

  • 200 application/json

    Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.

    Additional properties are allowed.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_update
curl \
 --request POST https://localhost:5601/api/saved_objects/_bulk_update \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'
Request examples
# Headers
kbn-xsrf: string

# Payload
[
  {}
]
Response examples (200)
{}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}




























Create a saved object Deprecated

POST /api/saved_objects/{type}/{id}

Create a Kibana saved object and specify its identifier instead of using a randomly generated ID.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • id string Required

    An identifier for the saved object.

  • type string Required

    Valid options include visualization, dashboard, search, index-pattern, config.

Query parameters

  • overwrite boolean

    If true, overwrites the document with the same identifier.

application/json

Body Required

  • attributes object Required

    The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.

    Additional properties are allowed.

  • Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.

  • Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.

Responses

  • 200 application/json

    Indicates a successful call.

    Additional properties are allowed.

  • 409 application/json

    Indicates a conflict error.

    Additional properties are allowed.

POST /api/saved_objects/{type}/{id}
curl \
 --request POST https://localhost:5601/api/saved_objects/{type}/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"attributes":{},"initialNamespaces":[],"references":[]}'
Request examples
# Headers
kbn-xsrf: string

# Payload
{
  "attributes": {},
  "initialNamespaces": [],
  "references": []
}
Response examples (200)
{}
Response examples (409)
{}






















































































Delete an alerts index

DELETE /api/detection_engine/index

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough permissions response

    Hide response attributes Show response attributes object
  • 404 application/json

    Index does not exist response

  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/detection_engine/index
curl \
 --request DELETE https://localhost:5601/api/detection_engine/index
Response examples (200)
{
  "acknowledged": true
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "message": "string",
  "status_code": 42
}
Response examples (404)
string
Response examples (500)
{
  "message": "string",
  "status_code": 42
}




Retrieve a detection rule

GET /api/detection_engine/rules

Retrieve a detection rule using the rule_id or id field.

Query parameters

  • id string(uuid)

    The rule's id value.

  • rule_id string

    The rule's rule_id value.

Responses

  • 200 application/json

    Indicates a successful call.

    Any of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

GET /api/detection_engine/rules
curl \
 --request GET https://localhost:5601/api/detection_engine/rules
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql"
}












Patch a detection rule

PATCH /api/detection_engine/rules

Update specific fields of an existing detection rule using the rule_id or id field.

application/json

Body object Required

Any of:
  • actions array[object]
    Hide actions attributes Show actions attributes object
    • action_type_id string Required

      The action type used for sending notifications.

    • Additional properties are allowed.

    • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

      Additional properties are allowed.

      Hide frequency attributes Show frequency attributes object
      • notifyWhen string Required

        The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

        Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

      • summary boolean Required

        Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

      • throttle string | null Required

        Defines how often rule actions are taken.

        One of:

        Values are no_actions or rule.

    • group string

      Optionally groups actions by use cases. Use default for alert notifications.

    • id string Required

      The connector ID.

    • params object Required

      Object containing the allowed connector fields, which varies according to the connector type.

      Additional properties are allowed.

    • uuid string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • Values are savedObjectConversion or savedObjectImport.

  • author array[string]
  • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

  • Minimum length is 1.

  • enabled boolean

    Determines whether the rule is enabled.

  • exceptions_list array[object]
    Hide exceptions_list attributes Show exceptions_list attributes object
    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • list_id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • namespace_type string Required

      Determines the exceptions validity in rule's Kibana space

      Values are agnostic or single.

    • type string Required

      The exception type

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

  • false_positives array[string]
  • from string(date-math)

    Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

  • id string(uuid)

    A universally unique identifier

  • interval string

    Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

  • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

    const investigationFields = z.object({
      field_names: NonEmptyArray(NonEmptyString),
      override: z.boolean().optional(),
    });
    

    Additional properties are allowed.

    Hide investigation_fields attribute Show investigation_fields attribute object
    • field_names array[string(nonempty)] Required

      A string that does not contain only whitespace characters

      At least 1 element. Minimum length of each is 1.

  • license string

    The rule's license.

  • Minimum value is 1.

  • meta object

    Additional properties are allowed.

  • name string

    Minimum length is 1.

  • Has no effect.

  • note string

    Notes to help investigate alerts produced by the rule.

  • outcome string

    Values are exactMatch, aliasMatch, or conflict.

  • output_index string Deprecated

    (deprecated) Has no effect.

  • references array[string]
  • required_fields array[object]
    Hide required_fields attributes Show required_fields attributes object
    • name string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • type string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • response_actions array[object]
    One of:
    Hide attributes Show attributes
  • risk_score integer

    Risk score (0 to 100)

    Minimum value is 0, maximum value is 100.

  • risk_score_mapping array[object]

    Overrides generated alerts' risk_score with a value from the source event

    Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  • rule_id string

    Could be any string, not necessarily a UUID

  • Sets the source field for the alert's signal.rule.name value

  • setup string
  • severity string

    Severity of the rule

    Values are low, medium, high, or critical.

  • severity_mapping array[object]

    Overrides generated alerts' severity with values from the source event

    Hide severity_mapping attributes Show severity_mapping attributes object
    • field string Required
    • operator string Required

      Value is equals.

    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • value string Required
  • tags array[string]

    String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

  • threat array[object]
    Hide threat attributes Show threat attributes object
    • framework string Required

      Relevant attack framework

    • tactic object Required

      Additional properties are allowed.

      Hide tactic attributes Show tactic attributes object
      • id string Required

        Tactic ID

      • name string Required

        Tactic name

      • reference string Required

        Tactic reference

    • technique array[object]

      Array containing information on the attack techniques (optional)

      Hide technique attributes Show technique attributes object
      • id string Required

        Technique ID

      • name string Required

        Technique name

      • reference string Required

        Technique reference

      • subtechnique array[object]

        Array containing more specific information on the attack technique

        Hide subtechnique attributes Show subtechnique attributes object
        • id string Required

          Subtechnique ID

        • name string Required

          Subtechnique name

        • reference string Required

          Subtechnique reference

  • throttle string | null

    Defines how often rule actions are taken.

    One of:

    Values are no_actions or rule.

  • Timeline template ID

  • Timeline template title

  • Sets the time field used to query indices

  • Disables the fallback to the event's @timestamp field

  • to string
  • version integer

    The rule's version number.

    Minimum value is 1.

  • language string

    Query language to use

    Value is eql.

  • query string

    EQL query to execute

  • type string

    Rule type

    Value is eql.

  • Additional properties are allowed.

    Hide alert_suppression attributes Show alert_suppression attributes object
    • duration object

      Additional properties are allowed.

      Hide duration attributes Show duration attributes object
      • unit string Required

        Values are s, m, or h.

      • value integer Required

        Minimum value is 1.

    • group_by array[string] Required

      At least 1 but not more than 3 elements.

    • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

      Values are doNotSuppress or suppress.

  • filters array
  • index array[string]
  • Sets a secondary field for sorting events

  • Contains the event timestamp used for sorting a sequence of events

Responses

  • 200 application/json

    Indicates a successful call.

    Any of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

PATCH /api/detection_engine/rules
curl \
 --request PATCH https://localhost:5601/api/detection_engine/rules \
 --header "Content-Type: application/json" \
 --data '{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","id":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string"}'
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "id": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "id": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "id": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "id": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "id": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "id": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "id": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "id": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "language": "esql",
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "query": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "type": "esql",
  "version": 42,
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery"
}
{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00+00:00",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql"
}




















Patch multiple detection rules Deprecated

PATCH /api/detection_engine/rules/_bulk_update

Update specific fields of existing detection rules using the rule_id or id field.

application/json

Body object Required

A JSON array of rules, where each rule contains the required fields.

Any of:
  • actions array[object]
    Hide actions attributes Show actions attributes object
    • action_type_id string Required

      The action type used for sending notifications.

    • Additional properties are allowed.

    • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

      Additional properties are allowed.

      Hide frequency attributes Show frequency attributes object
      • notifyWhen string Required

        The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

        Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

      • summary boolean Required

        Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

      • throttle string | null Required

        Defines how often rule actions are taken.

        One of:

        Values are no_actions or rule.

    • group string

      Optionally groups actions by use cases. Use default for alert notifications.

    • id string Required

      The connector ID.

    • params object Required

      Object containing the allowed connector fields, which varies according to the connector type.

      Additional properties are allowed.

    • uuid string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • Values are savedObjectConversion or savedObjectImport.

  • author array[string]
  • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

  • Minimum length is 1.

  • enabled boolean

    Determines whether the rule is enabled.

  • exceptions_list array[object]
    Hide exceptions_list attributes Show exceptions_list attributes object
    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • list_id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • namespace_type string Required

      Determines the exceptions validity in rule's Kibana space

      Values are agnostic or single.

    • type string Required

      The exception type

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

  • false_positives array[string]
  • from string(date-math)

    Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

  • id string(uuid)

    A universally unique identifier

  • interval string

    Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

  • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

    const investigationFields = z.object({
      field_names: NonEmptyArray(NonEmptyString),
      override: z.boolean().optional(),
    });
    

    Additional properties are allowed.

    Hide investigation_fields attribute Show investigation_fields attribute object
    • field_names array[string(nonempty)] Required

      A string that does not contain only whitespace characters

      At least 1 element. Minimum length of each is 1.

  • license string

    The rule's license.

  • Minimum value is 1.

  • meta object

    Additional properties are allowed.

  • name string

    Minimum length is 1.

  • Has no effect.

  • note string

    Notes to help investigate alerts produced by the rule.

  • outcome string

    Values are exactMatch, aliasMatch, or conflict.

  • output_index string Deprecated

    (deprecated) Has no effect.

  • references array[string]
  • required_fields array[object]
    Hide required_fields attributes Show required_fields attributes object
    • name string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • type string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • response_actions array[object]
    One of:
    Hide attributes Show attributes
  • risk_score integer

    Risk score (0 to 100)

    Minimum value is 0, maximum value is 100.

  • risk_score_mapping array[object]

    Overrides generated alerts' risk_score with a value from the source event

    Hide risk_score_mapping attributes Show risk_score_mapping attributes object
  • rule_id string

    Could be any string, not necessarily a UUID

  • Sets the source field for the alert's signal.rule.name value

  • setup string
  • severity string

    Severity of the rule

    Values are low, medium, high, or critical.

  • severity_mapping array[object]

    Overrides generated alerts' severity with values from the source event

    Hide severity_mapping attributes Show severity_mapping attributes object
    • field string Required
    • operator string Required

      Value is equals.

    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • value string Required
  • tags array[string]

    String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

  • threat array[object]
    Hide threat attributes Show threat attributes object
    • framework string Required

      Relevant attack framework

    • tactic object Required

      Additional properties are allowed.

      Hide tactic attributes Show tactic attributes object
      • id string Required

        Tactic ID

      • name string Required

        Tactic name

      • reference string Required

        Tactic reference

    • technique array[object]

      Array containing information on the attack techniques (optional)

      Hide technique attributes Show technique attributes object
      • id string Required

        Technique ID

      • name string Required

        Technique name

      • reference string Required

        Technique reference

      • subtechnique array[object]

        Array containing more specific information on the attack technique

        Hide subtechnique attributes Show subtechnique attributes object
        • id string Required

          Subtechnique ID

        • name string Required

          Subtechnique name

        • reference string Required

          Subtechnique reference

  • throttle string | null

    Defines how often rule actions are taken.

    One of:

    Values are no_actions or rule.

  • Timeline template ID

  • Timeline template title

  • Sets the time field used to query indices

  • Disables the fallback to the event's @timestamp field

  • to string
  • version integer

    The rule's version number.

    Minimum value is 1.

  • language string

    Query language to use

    Value is eql.

  • query string

    EQL query to execute

  • type string

    Rule type

    Value is eql.

  • Additional properties are allowed.

    Hide alert_suppression attributes Show alert_suppression attributes object
    • duration object

      Additional properties are allowed.

      Hide duration attributes Show duration attributes object
      • unit string Required

        Values are s, m, or h.

      • value integer Required

        Minimum value is 1.

    • group_by array[string] Required

      At least 1 but not more than 3 elements.

    • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

      Values are doNotSuppress or suppress.

  • filters array
  • index array[string]
  • Sets a secondary field for sorting events

  • Contains the event timestamp used for sorting a sequence of events

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

PATCH /api/detection_engine/rules/_bulk_update
curl \
 --request PATCH https://localhost:5601/api/detection_engine/rules/_bulk_update \
 --header "Content-Type: application/json" \
 --data '[{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","id":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string"}]'
Request examples
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "id": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_id": "string",
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]
Response examples (200)
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "created_at": "2025-05-04T09:42:00+00:00",
    "created_by": "string",
    "execution_summary": {
      "last_execution": {
        "date": "2025-05-04T09:42:00+00:00",
        "message": "string",
        "metrics": {
          "execution_gap_duration_s": 42,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_enrichment_duration_ms": 42,
          "total_indexing_duration_ms": 42,
          "total_search_duration_ms": 42
        },
        "status": "going to run",
        "status_order": 42
      }
    },
    "id": "string",
    "immutable": true,
    "revision": 42,
    "rule_id": "string",
    "rule_source": {
      "is_customized": true,
      "type": "external"
    },
    "updated_at": "2025-05-04T09:42:00+00:00",
    "updated_by": "string",
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]




List all detection rules

GET /api/detection_engine/rules/_find

Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • Field to sort by

    Values are created_at, createdAt, enabled, execution_summary.last_execution.date, execution_summary.last_execution.metrics.execution_gap_duration_s, execution_summary.last_execution.metrics.total_indexing_duration_ms, execution_summary.last_execution.metrics.total_search_duration_ms, execution_summary.last_execution.status, name, risk_score, riskScore, severity, updated_at, or updatedAt.

  • Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Rules per page

    Minimum value is 0. Default value is 20.

  • Gaps range start

  • Gaps range end

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • data array[object] Required
      Any of:
      Hide attributes Show attributes
      • actions array[object] Required
        Hide actions attributes Show actions attributes object
        • action_type_id string Required

          The action type used for sending notifications.

        • Additional properties are allowed.

        • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

          Additional properties are allowed.

          Hide frequency attributes Show frequency attributes object
          • notifyWhen string Required

            The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

            Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

          • summary boolean Required

            Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

          • throttle string | null Required

            Defines how often rule actions are taken.

            One of:

            Values are no_actions or rule.

        • group string

          Optionally groups actions by use cases. Use default for alert notifications.

        • id string Required

          The connector ID.

        • params object Required

          Object containing the allowed connector fields, which varies according to the connector type.

          Additional properties are allowed.

        • uuid string(nonempty)

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • Values are savedObjectConversion or savedObjectImport.

      • author array[string] Required
      • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

      • description string Required

        Minimum length is 1.

      • enabled boolean Required

        Determines whether the rule is enabled.

      • exceptions_list array[object] Required
        Hide exceptions_list attributes Show exceptions_list attributes object
        • id string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • list_id string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • namespace_type string Required

          Determines the exceptions validity in rule's Kibana space

          Values are agnostic or single.

        • type string Required

          The exception type

          Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

      • false_positives array[string] Required
      • from string(date-math) Required

        Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

      • interval string Required

        Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

      • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

        const investigationFields = z.object({
          field_names: NonEmptyArray(NonEmptyString),
          override: z.boolean().optional(),
        });
        

        Additional properties are allowed.

        Hide investigation_fields attribute Show investigation_fields attribute object
        • field_names array[string(nonempty)] Required

          A string that does not contain only whitespace characters

          At least 1 element. Minimum length of each is 1.

      • license string

        The rule's license.

      • max_signals integer Required

        Minimum value is 1.

      • meta object

        Additional properties are allowed.

      • name string Required

        Minimum length is 1.

      • Has no effect.

      • note string

        Notes to help investigate alerts produced by the rule.

      • outcome string

        Values are exactMatch, aliasMatch, or conflict.

      • output_index string Deprecated

        (deprecated) Has no effect.

      • references array[string] Required
      • required_fields array[object] Required
        Hide required_fields attributes Show required_fields attributes object
        • ecs boolean Required

          Whether the field is an ECS field

        • name string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • type string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • response_actions array[object]
        One of:
        Hide attributes Show attributes
      • risk_score integer Required

        Risk score (0 to 100)

        Minimum value is 0, maximum value is 100.

      • risk_score_mapping array[object] Required

        Overrides generated alerts' risk_score with a value from the source event

        Hide risk_score_mapping attributes Show risk_score_mapping attributes object
      • Sets the source field for the alert's signal.rule.name value

      • setup string Required
      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • severity_mapping array[object] Required

        Overrides generated alerts' severity with values from the source event

        Hide severity_mapping attributes Show severity_mapping attributes object
        • field string Required
        • operator string Required

          Value is equals.

        • severity string Required

          Severity of the rule

          Values are low, medium, high, or critical.

        • value string Required
      • tags array[string] Required

        String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

      • threat array[object] Required
        Hide threat attributes Show threat attributes object
        • framework string Required

          Relevant attack framework

        • tactic object Required

          Additional properties are allowed.

          Hide tactic attributes Show tactic attributes object
          • id string Required

            Tactic ID

          • name string Required

            Tactic name

          • reference string Required

            Tactic reference

        • technique array[object]

          Array containing information on the attack techniques (optional)

          Hide technique attributes Show technique attributes object
          • id string Required

            Technique ID

          • name string Required

            Technique name

          • reference string Required

            Technique reference

          • subtechnique array[object]

            Array containing more specific information on the attack technique

            Hide subtechnique attributes Show subtechnique attributes object
            • id string Required

              Subtechnique ID

            • name string Required

              Subtechnique name

            • reference string Required

              Subtechnique reference

      • throttle string | null

        Defines how often rule actions are taken.

        One of:

        Values are no_actions or rule.

      • Timeline template ID

      • Timeline template title

      • Sets the time field used to query indices

      • Disables the fallback to the event's @timestamp field

      • to string Required
      • version integer Required

        The rule's version number.

        Minimum value is 1.

      • created_at string(date-time) Required
      • created_by string Required
      • Additional properties are allowed.

        Hide execution_summary attribute Show execution_summary attribute object
        • last_execution object Required

          Additional properties are allowed.

          Hide last_execution attributes Show last_execution attributes object
          • date string(date-time) Required

            Date of the last execution

          • message string Required
          • metrics object Required

            Additional properties are allowed.

            Hide metrics attributes Show metrics attributes object
            • Duration in seconds of execution gap

              Minimum value is 0.

            • Range of the execution gap

              Additional properties are allowed.

              Hide gap_range attributes Show gap_range attributes object
              • gte string Required

                Start date of the execution gap

              • lte string Required

                End date of the execution gap

            • Total time spent enriching documents during current rule execution cycle

              Minimum value is 0.

            • Total time spent indexing documents during current rule execution cycle

              Minimum value is 0.

            • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

              Minimum value is 0.

          • status string Required

            Status of the last execution

            Values are going to run, running, partial failure, failed, or succeeded.

          • status_order integer Required
      • id string(uuid) Required

        A universally unique identifier

      • immutable boolean Required Deprecated

        This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

      • revision integer Required

        Minimum value is 0.

      • rule_id string Required

        Could be any string, not necessarily a UUID

      • rule_source object Required

        Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

        One of:

        Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

        Hide attributes Show attributes
        • is_customized boolean Required

          Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

        • type string Required Discriminator

          Value is external.

      • updated_at string(date-time) Required
      • updated_by string Required
      • language string Required

        Query language to use

        Value is eql.

      • query string Required

        EQL query to execute

      • type string Required Discriminator

        Rule type

        Value is eql.

      • Additional properties are allowed.

        Hide alert_suppression attributes Show alert_suppression attributes object
        • duration object

          Additional properties are allowed.

          Hide duration attributes Show duration attributes object
          • unit string Required

            Values are s, m, or h.

          • value integer Required

            Minimum value is 1.

        • group_by array[string] Required

          At least 1 but not more than 3 elements.

        • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

          Values are doNotSuppress or suppress.

      • filters array
      • index array[string]
      • Sets a secondary field for sorting events

      • Contains the event timestamp used for sorting a sequence of events

    • page integer Required
    • perPage integer Required
    • total integer Required
GET /api/detection_engine/rules/_find
curl \
 --request GET https://localhost:5601/api/detection_engine/rules/_find
Response examples (200)
{
  "data": [
    {
      "actions": [
        {
          "action_type_id": "string",
          "alerts_filter": {},
          "frequency": {
            "notifyWhen": "onActiveAlert",
            "summary": true,
            "throttle": "no_actions"
          },
          "group": "string",
          "id": "string",
          "params": {},
          "uuid": "string"
        }
      ],
      "alias_purpose": "savedObjectConversion",
      "alias_target_id": "string",
      "author": [
        "string"
      ],
      "building_block_type": "string",
      "description": "string",
      "enabled": true,
      "exceptions_list": [
        {
          "id": "string",
          "list_id": "string",
          "namespace_type": "agnostic",
          "type": "detection"
        }
      ],
      "false_positives": [
        "string"
      ],
      "from": "string",
      "interval": "string",
      "investigation_fields": {
        "field_names": [
          "string"
        ]
      },
      "license": "string",
      "max_signals": 42,
      "meta": {},
      "name": "string",
      "namespace": "string",
      "note": "string",
      "outcome": "exactMatch",
      "output_index": "string",
      "references": [
        "string"
      ],
      "related_integrations": [
        {
          "integration": "string",
          "package": "string",
          "version": "string"
        }
      ],
      "required_fields": [
        {
          "ecs": true,
          "name": "string",
          "type": "string"
        }
      ],
      "response_actions": [
        {
          "action_type_id": ".osquery",
          "params": {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "pack_id": "string",
            "queries": [
              {
                "ecs_mapping": {
                  "additionalProperty1": {
                    "field": "string",
                    "value": "string"
                  },
                  "additionalProperty2": {
                    "field": "string",
                    "value": "string"
                  }
                },
                "id": "string",
                "platform": "string",
                "query": "string",
                "removed": true,
                "snapshot": true,
                "version": "string"
              }
            ],
            "query": "string",
            "saved_query_id": "string",
            "timeout": 42.0
          }
        }
      ],
      "risk_score": 42,
      "risk_score_mapping": [
        {
          "field": "string",
          "operator": "equals",
          "risk_score": 42,
          "value": "string"
        }
      ],
      "rule_name_override": "string",
      "setup": "string",
      "severity": "low",
      "severity_mapping": [
        {
          "field": "string",
          "operator": "equals",
          "severity": "low",
          "value": "string"
        }
      ],
      "tags": [
        "string"
      ],
      "threat": [
        {
          "framework": "string",
          "tactic": {
            "id": "string",
            "name": "string",
            "reference": "string"
          },
          "technique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string",
              "subtechnique": [
                {
                  "id": "string",
                  "name": "string",
                  "reference": "string"
                }
              ]
            }
          ]
        }
      ],
      "throttle": "no_actions",
      "timeline_id": "string",
      "timeline_title": "string",
      "timestamp_override": "string",
      "timestamp_override_fallback_disabled": true,
      "to": "string",
      "version": 42,
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "execution_summary": {
        "last_execution": {
          "date": "2025-05-04T09:42:00+00:00",
          "message": "string",
          "metrics": {
            "execution_gap_duration_s": 42,
            "gap_range": {
              "gte": "string",
              "lte": "string"
            },
            "total_enrichment_duration_ms": 42,
            "total_indexing_duration_ms": 42,
            "total_search_duration_ms": 42
          },
          "status": "going to run",
          "status_order": 42
        }
      },
      "id": "string",
      "immutable": true,
      "revision": 42,
      "rule_id": "string",
      "rule_source": {
        "is_customized": true,
        "type": "external"
      },
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string",
      "language": "eql",
      "query": "string",
      "type": "eql",
      "alert_suppression": {
        "duration": {
          "unit": "s",
          "value": 42
        },
        "group_by": [
          "string"
        ],
        "missing_fields_strategy": "doNotSuppress"
      },
      "data_view_id": "string",
      "event_category_override": "string",
      "filters": [],
      "index": [
        "string"
      ],
      "tiebreaker_field": "string",
      "timestamp_field": "string"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}





























































Update an endpoint exception list item

PUT /api/endpoint_list/items

Update an endpoint exception list item using the id or item_id field.

application/json

Body Required

Exception list item's properties

  • _version string
  • comments array[object]

    Array of comment fields:

    • comment (string): Comments about the exception item.
    Hide comments attributes Show comments attributes object
    • comment string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updated_at string(date-time)

      Autogenerated date of last object update.

    • updated_by string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • description string Required

    Describes the exception list.

  • entries array[object] Required
    Any of:
    Hide attributes Show attributes
    • field string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • operator string Required

      Values are excluded or included.

    • type string Required Discriminator

      Value is match.

    • value string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • id string(nonempty)

    Exception's identifier.

    Minimum length is 1.

  • item_id string(nonempty)

    Human readable string identifier, e.g. trusted-linux-processes

    Minimum length is 1.

  • meta object

    Additional properties are allowed.

  • name string(nonempty) Required

    Exception list name.

    Minimum length is 1.

  • os_types array[string]

    Use this field to specify the operating system.

    Values are linux, macos, or windows.

  • tags array[string(nonempty)]

    String array containing words and phrases to help categorize exception items.

    Minimum length of each is 1.

  • type string Required

    Value is simple.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows.

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

  • 400 application/json

    Invalid input data

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 404 application/json

    Endpoint list item not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
PUT /api/endpoint_list/items
curl \
 --request PUT https://localhost:5601/api/endpoint_list/items \
 --header "Content-Type: application/json" \
 --data '{"_version":"string","comments":[{"comment":"string","created_at":"2025-05-04T09:42:00+00:00","created_by":"string","id":"string","updated_at":"2025-05-04T09:42:00+00:00","updated_by":"string"}],"description":"string","entries":[{"field":"string","operator":"excluded","type":"match","value":"string"}],"id":"71a9f4b2-c85c-49b4-866f-c71eb9e67da2","item_id":"simple_list_item","meta":{},"name":"string","os_types":["linux"],"tags":["string"],"type":"simple"}'
Request examples
{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "meta": {},
  "name": "string",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "type": "simple"
}
Response examples (200)
{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2025-05-04T09:42:00+00:00",
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "meta": {},
  "name": "string",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (404)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}




Delete an endpoint exception list item

DELETE /api/endpoint_list/items

Delete an endpoint exception list item using the id or item_id field.

Query parameters

  • id string(nonempty)

    Either id or item_id must be specified

    Minimum length is 1.

  • item_id string(nonempty)

    Either id or item_id must be specified

    Minimum length is 1.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows.

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

  • 400 application/json

    Invalid input data

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 404 application/json

    Endpoint list item not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
DELETE /api/endpoint_list/items
curl \
 --request DELETE https://localhost:5601/api/endpoint_list/items
Response examples (200)
{
  "_version": "string",
  "comments": [
    {
      "comment": "string",
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "id": "string",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "string",
  "entries": [
    {
      "field": "string",
      "operator": "excluded",
      "type": "match",
      "value": "string"
    }
  ],
  "expire_time": "2025-05-04T09:42:00+00:00",
  "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "meta": {},
  "name": "string",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "simple",
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (404)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}




Security endpoint management

Interact with and manage endpoints running the Elastic Defend integration.









Get action details

GET /api/endpoint/action/{action_id}

Get the details of a response action using the action ID.

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

GET /api/endpoint/action/{action_id}
curl \
 --request GET https://localhost:5601/api/endpoint/action/{action_id}
Response examples (200)
{}




Download a file

GET /api/endpoint/action/{action_id}/file/{file_id}/download

Download a file from an endpoint.

Path parameters

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

GET /api/endpoint/action/{action_id}/file/{file_id}/download
curl \
 --request GET https://localhost:5601/api/endpoint/action/{action_id}/file/{file_id}/download
Response examples (200)
{}