List all detection rules

GET /api/detection_engine/rules/_find

Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • sort_field string

    Field to sort by

    Values are created_at, createdAt, enabled, execution_summary.last_execution.date, execution_summary.last_execution.metrics.execution_gap_duration_s, execution_summary.last_execution.metrics.total_indexing_duration_ms, execution_summary.last_execution.metrics.total_search_duration_ms, execution_summary.last_execution.status, name, risk_score, riskScore, severity, updated_at, or updatedAt.

  • sort_order string

    Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Rules per page

    Minimum value is 0. Default value is 20.

  • Gaps range start

  • Gaps range end

Responses

  • 200 application/json

    Successful response

    • data array[object] Required
      Any of:
      • actions array[object] Required
        • action_type_id string Required

          The action type used for sending notifications.

        • alerts_filter object

          Additional properties are allowed.

        • frequency object

          The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

          Additional properties are allowed.
          • notifyWhen string Required

            The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

            Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

          • summary boolean Required

            Indicates whether a single summary notification is sent for all generated alerts or one notification is sent per individual alert.

          • throttle string | null Required

            Defines how often rule actions are taken.

            One of:

            Values are no_actions or rule.

        • group string

          Optionally groups actions by use cases. Use default for alert notifications.

        • id string Required

          The connector ID.

        • params object Required

          Object containing the allowed connector fields, which varies according to the connector type.

          Additional properties are allowed.

        • uuid string(nonempty)

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • alias_purpose string

        Values are savedObjectConversion or savedObjectImport.

      • author array[string] Required
      • building_block_type string

        Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

      • description string Required

        Minimum length is 1.

      • enabled boolean Required

        Determines whether the rule is enabled.

      • exceptions_list array[object] Required
        • id string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • list_id string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • namespace_type string Required

          Determines the exception list's validity in the rule's Kibana space

          Values are agnostic or single.

        • type string Required

          The exception type

          Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

      • false_positives array[string] Required
      • from string(date-math) Required

        Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

      • interval string Required

        Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

      • investigation_fields object

        Schema for fields relating to investigation fields. These are user-defined fields that are highlighted in various UI features, such as the alert details flyout and exception auto-population from alerts. Added in PR #163235. Right now there is only a single field, but more related fields are anticipated for storing configuration states such as override, where a user might specify whether only these fields should be displayed, or these fields plus the default selection. When expanded, it may look something like:

        const investigationFields = z.object({
          field_names: NonEmptyArray(NonEmptyString),
          override: z.boolean().optional(),
        });

        Additional properties are allowed.

        • field_names array[string(nonempty)] Required

          A string that does not contain only whitespace characters

          At least 1 element. Minimum length of each is 1.

      • license string

        The rule's license.

      • max_signals integer Required

        Minimum value is 1.

      • meta object

        Additional properties are allowed.

      • name string Required

        Minimum length is 1.

      • namespace string

        Has no effect.

      • note string

        Notes to help investigate alerts produced by the rule.

      • outcome string

        Values are exactMatch, aliasMatch, or conflict.

      • output_index string Deprecated

        (deprecated) Has no effect.

      • references array[string] Required
      • required_fields array[object] Required
        • ecs boolean Required

          Whether the field is an ECS field

        • name string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • type string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • response_actions array[object]
        One of:
      • risk_score integer Required

        Risk score (0 to 100)

        Minimum value is 0, maximum value is 100.

      • risk_score_mapping array[object] Required

        Overrides generated alerts' risk_score with a value from the source event

      • rule_name_override string

        Sets the source field for the alert's signal.rule.name value

      • setup string Required
      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • severity_mapping array[object] Required

        Overrides generated alerts' severity with values from the source event

        • field string Required
        • operator string Required

          Value is equals.

        • severity string Required

          Severity of the rule

          Values are low, medium, high, or critical.

        • value string Required
      • tags array[string] Required

        String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

      • threat array[object] Required
        • framework string Required

          Relevant attack framework

        • tactic object Required

          Additional properties are allowed.

          • id string Required

            Tactic ID

          • name string Required

            Tactic name

          • reference string Required

            Tactic reference

        • technique array[object]

          Array containing information on the attack techniques (optional)

          • id string Required

            Technique ID

          • name string Required

            Technique name

          • reference string Required

            Technique reference

          • subtechnique array[object]

            Array containing more specific information on the attack technique

            • id string Required

              Subtechnique ID

            • name string Required

              Subtechnique name

            • reference string Required

              Subtechnique reference

      • throttle string | null

        Defines how often rule actions are taken.

        One of:

        Values are no_actions or rule.

      • timeline_id string

        Timeline template ID

      • timeline_title string

        Timeline template title

      • timestamp_override string

        Sets the time field used to query indices

      • timestamp_override_fallback_disabled boolean

        Disables the fallback to the event's @timestamp field

      • to string Required
      • version integer Required

        The rule's version number.

        Minimum value is 1.

      • created_at string(date-time) Required
      • created_by string Required
      • execution_summary object

        Additional properties are allowed.
        • last_execution object Required

          Additional properties are allowed.

          • date string(date-time) Required

            Date of the last execution

          • message string Required
          • metrics object Required

            Additional properties are allowed.

            • execution_gap_duration_s integer

              Duration in seconds of the execution gap

              Minimum value is 0.

            • gap_range object

              Range of the execution gap

              Additional properties are allowed.

              • gte string Required

                Start date of the execution gap

              • lte string Required

                End date of the execution gap

            • total_enrichment_duration_ms integer

              Total time spent enriching documents during the current rule execution cycle

              Minimum value is 0.

            • total_indexing_duration_ms integer

              Total time spent indexing documents during the current rule execution cycle

              Minimum value is 0.

            • total_search_duration_ms integer

              Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

              Minimum value is 0.

          • status string Required

            Status of the last execution

            Values are going to run, running, partial failure, failed, or succeeded.

          • status_order integer Required
      • id string(uuid) Required

        A universally unique identifier

      • immutable boolean Required Deprecated

        This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

      • revision integer Required

        Minimum value is 0.

      • rule_id string Required

        Could be any string, not necessarily a UUID

      • rule_source object Required

        Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

        One of:

        Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

        • is_customized boolean Required

          Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

        • type string Required Discriminator

          Value is external.

      • updated_at string(date-time) Required
      • updated_by string Required
      • language string Required

        Query language to use

        Value is eql.

      • query string Required

        EQL query to execute

      • type string Required Discriminator

        Rule type

        Value is eql.

      • alert_suppression object

        Additional properties are allowed.

        • duration object

          Additional properties are allowed.

          • unit string Required

            Values are s, m, or h.

          • value integer Required

            Minimum value is 1.

        • group_by array[string] Required

          At least 1 but not more than 3 elements.

        • missing_fields_strategy string

          Describes how alerts are generated for documents that lack the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress creates only one alert per suppress-by bucket.

          Values are doNotSuppress or suppress.

      • filters array
      • index array[string]
      • tiebreaker_field string

        Sets a secondary field for sorting events

      • timestamp_field string

        Contains the event timestamp used for sorting a sequence of events

    • page integer Required
    • perPage integer Required
    • total integer Required
GET /api/detection_engine/rules/_find
curl \
 --request GET https://localhost:5601/api/detection_engine/rules/_find
Response examples (200)
{
  "data": [
    {
      "actions": [
        {
          "action_type_id": "string",
          "alerts_filter": {},
          "frequency": {
            "notifyWhen": "onActiveAlert",
            "summary": true,
            "throttle": "no_actions"
          },
          "group": "string",
          "id": "string",
          "params": {},
          "uuid": "string"
        }
      ],
      "alias_purpose": "savedObjectConversion",
      "alias_target_id": "string",
      "author": [
        "string"
      ],
      "building_block_type": "string",
      "description": "string",
      "enabled": true,
      "exceptions_list": [
        {
          "id": "string",
          "list_id": "string",
          "namespace_type": "agnostic",
          "type": "detection"
        }
      ],
      "false_positives": [
        "string"
      ],
      "from": "string",
      "interval": "string",
      "investigation_fields": {
        "field_names": [
          "string"
        ]
      },
      "license": "string",
      "max_signals": 42,
      "meta": {},
      "name": "string",
      "namespace": "string",
      "note": "string",
      "outcome": "exactMatch",
      "output_index": "string",
      "references": [
        "string"
      ],
      "related_integrations": [
        {
          "integration": "string",
          "package": "string",
          "version": "string"
        }
      ],
      "required_fields": [
        {
          "ecs": true,
          "name": "string",
          "type": "string"
        }
      ],
      "response_actions": [
        {
          "action_type_id": ".osquery",
          "params": {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "pack_id": "string",
            "queries": [
              {
                "ecs_mapping": {
                  "additionalProperty1": {
                    "field": "string",
                    "value": "string"
                  },
                  "additionalProperty2": {
                    "field": "string",
                    "value": "string"
                  }
                },
                "id": "string",
                "platform": "string",
                "query": "string",
                "removed": true,
                "snapshot": true,
                "version": "string"
              }
            ],
            "query": "string",
            "saved_query_id": "string",
            "timeout": 42.0
          }
        }
      ],
      "risk_score": 42,
      "risk_score_mapping": [
        {
          "field": "string",
          "operator": "equals",
          "risk_score": 42,
          "value": "string"
        }
      ],
      "rule_name_override": "string",
      "setup": "string",
      "severity": "low",
      "severity_mapping": [
        {
          "field": "string",
          "operator": "equals",
          "severity": "low",
          "value": "string"
        }
      ],
      "tags": [
        "string"
      ],
      "threat": [
        {
          "framework": "string",
          "tactic": {
            "id": "string",
            "name": "string",
            "reference": "string"
          },
          "technique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string",
              "subtechnique": [
                {
                  "id": "string",
                  "name": "string",
                  "reference": "string"
                }
              ]
            }
          ]
        }
      ],
      "throttle": "no_actions",
      "timeline_id": "string",
      "timeline_title": "string",
      "timestamp_override": "string",
      "timestamp_override_fallback_disabled": true,
      "to": "string",
      "version": 42,
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "execution_summary": {
        "last_execution": {
          "date": "2025-05-04T09:42:00+00:00",
          "message": "string",
          "metrics": {
            "execution_gap_duration_s": 42,
            "gap_range": {
              "gte": "string",
              "lte": "string"
            },
            "total_enrichment_duration_ms": 42,
            "total_indexing_duration_ms": 42,
            "total_search_duration_ms": 42
          },
          "status": "going to run",
          "status_order": 42
        }
      },
      "id": "string",
      "immutable": true,
      "revision": 42,
      "rule_id": "string",
      "rule_source": {
        "is_customized": true,
        "type": "external"
      },
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string",
      "language": "eql",
      "query": "string",
      "type": "eql",
      "alert_suppression": {
        "duration": {
          "unit": "s",
          "value": 42
        },
        "group_by": [
          "string"
        ],
        "missing_fields_strategy": "doNotSuppress"
      },
      "data_view_id": "string",
      "event_category_override": "string",
      "filters": [],
      "index": [
        "string"
      ],
      "tiebreaker_field": "string",
      "timestamp_field": "string"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
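The pagination contract above (page, per_page, and the page/perPage/total fields in the response) is easy to get subtly wrong, and the execution_summary, rule_source, from and interval fields are what a detection engineer most often wants to audit across every rule. The following is an added example, not Kibana's own client code: it walks every page of the _find endpoint and reports rules whose last run failed, that have an execution gap, whose look-back window (from) is shorter than their schedule (interval), that are disabled despite high or critical severity, or that are customized copies of prebuilt rules. KIBANA_URL and API_KEY are placeholders; the three sample rules and the "internal" rule_source type are constructed for the offline run.

```python
"""Audit detection rules returned by GET /api/detection_engine/rules/_find.

Added example, not part of the Kibana docs or code base. Assumes:
  - KIBANA_URL / API_KEY are placeholders you replace (ApiKey auth header).
  - The response body has the documented shape: data / page / perPage / total.
"""
import json
import math
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

KIBANA_URL = "https://localhost:5601"  # placeholder
API_KEY = "<your-api-key>"             # placeholder

FetchPage = Callable[[int, int], dict]  # (page, per_page) -> parsed JSON body


def fetch_page_http(page: int, per_page: int) -> dict:
    """Fetch one page from a live Kibana, enabled rules first."""
    params = urllib.parse.urlencode({"page": page, "per_page": per_page,
                                     "sort_field": "enabled", "sort_order": "desc"})
    req = urllib.request.Request(
        f"{KIBANA_URL}/api/detection_engine/rules/_find?{params}",
        headers={"Authorization": f"ApiKey {API_KEY}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def iter_rules(fetch_page: FetchPage, per_page: int = 100) -> Iterator[dict]:
    """Yield every rule, requesting pages until `total` is exhausted."""
    page = 1
    while True:
        body = fetch_page(page, per_page)
        data = body["data"]
        yield from data
        last_page = math.ceil(body["total"] / body["perPage"]) if body["perPage"] else 1
        if not data or page >= last_page:   # stop on the last page or an empty one
            break
        page += 1


_DATE_MATH = re.compile(r"^(?:now-)?(\d+)([smhd])$")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(expr: Optional[str]) -> Optional[int]:
    """Convert simple date math ('now-6m', '4200s', '1h') to seconds.

    Returns None for forms it does not handle (rounding like 'now-6m/m',
    absolute timestamps), so the caller skips the check instead of guessing.
    """
    m = _DATE_MATH.match(expr.strip()) if expr else None
    return int(m.group(1)) * _SECONDS[m.group(2)] if m else None


def audit_rule(rule: dict) -> List[str]:
    """Return human-readable findings for one rule (empty list = healthy)."""
    findings: List[str] = []
    last = (rule.get("execution_summary") or {}).get("last_execution") or {}
    metrics = last.get("metrics") or {}
    if rule.get("enabled"):
        status = last.get("status")
        if status in ("failed", "partial failure"):
            findings.append(f"last run {status}: {last.get('message', '')}")
        gap = metrics.get("execution_gap_duration_s") or 0
        if gap > 0:
            findings.append(f"execution gap of {gap}s")
        # `from` is the look-back window and `interval` the schedule: if the
        # window is shorter than the schedule, events between runs are never analysed.
        lookback, interval = to_seconds(rule.get("from")), to_seconds(rule.get("interval"))
        if lookback is not None and interval is not None and lookback < interval:
            findings.append(f"lookback {lookback}s is shorter than interval {interval}s")
    elif rule.get("severity") in ("high", "critical"):
        findings.append(f"{rule['severity']} severity rule is disabled")
    source = rule.get("rule_source") or {}
    if source.get("type") == "external" and source.get("is_customized"):
        findings.append("prebuilt rule has been customized")
    return findings


def audit_all(fetch_page: FetchPage, per_page: int = 100) -> Dict[str, List[str]]:
    """Map rule id -> findings for every rule with at least one finding."""
    report: Dict[str, List[str]] = {}
    for rule in iter_rules(fetch_page, per_page):
        findings = audit_rule(rule)
        if findings:
            report[rule["id"]] = findings
    return report


# Constructed sample data standing in for a live server (three rules, two pages).
SAMPLE_RULES = [
    {"id": "r1", "name": "Suspicious Service Install", "enabled": True, "severity": "high",
     "from": "now-6m", "interval": "5m",
     "rule_source": {"type": "external", "is_customized": True},
     "execution_summary": {"last_execution": {"status": "succeeded", "message": "",
                                              "metrics": {"execution_gap_duration_s": 0}}}},
    {"id": "r2", "name": "Custom EQL Sequence", "enabled": True, "severity": "medium",
     "from": "now-2m", "interval": "5m",
     "rule_source": {"type": "internal"},  # constructed value for an internally sourced rule
     "execution_summary": {"last_execution": {"status": "partial failure",
                                              "message": "index not found",
                                              "metrics": {"execution_gap_duration_s": 600}}}},
    {"id": "r3", "name": "Credential Dumping", "enabled": False, "severity": "critical",
     "from": "now-6m", "interval": "5m",
     "rule_source": {"type": "external", "is_customized": False}},
]


def fetch_page_sample(page: int, per_page: int) -> dict:
    """Offline stand-in for fetch_page_http with the documented response shape."""
    start = (page - 1) * per_page
    return {"data": SAMPLE_RULES[start:start + per_page], "page": page,
            "perPage": per_page, "total": len(SAMPLE_RULES)}


if __name__ == "__main__":
    # Swap fetch_page_sample for fetch_page_http to audit a real Kibana instance.
    for rule_id, found in audit_all(fetch_page_sample, per_page=2).items():
        print(rule_id, "->", "; ".join(found))
```

The pager stops on `ceil(total / perPage)` rather than on an empty page, so it never issues the extra trailing request and still terminates if the server returns fewer items than promised. The look-back check deliberately returns no finding when `from` uses a form it cannot parse; a rule should be flagged only when the gap is certain.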