Get saved queries

Find case activity

GET /api/cases/{caseId}/user_actions/_find

Retrives a paginated list of user activity for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

caseId string Required

The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

page integer

The page number to return.

Default value is 1.
perPage integer

The number of items to return. Limited to 100 items.

Maximum value is 100. Default value is 20.
sortOrder string

Determines the sort order.

Values are asc or desc. Default value is desc.
types array[string]

Determines the types of user actions to return.

Values are action, alert, assignees, attachment, comment, connector, create_case, description, pushed, settings, severity, status, tags, title, or user.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- page integer
- perPage integer
- total integer
- userActions array[object]
  
  Not more than 10000 elements.
  
  Hide userActions attributes Show userActions attributes object
  
  action string Required
  
  Values are add, create, delete, push_to_service, or update.
  
  comment_id string | null Required
  
  created_at string(date-time) Required
  
  created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string Required
  
  owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  payload object | null Required
  
  One of:
  Cases_payload_alert_comment object Cases_payload_assignees object Cases_payload_connector object Cases_payload_create_case object Cases_payload_delete object | null Cases_payload_description object Cases_payload_pushed object Cases_payload_settings object Cases_payload_severity object Cases_payload_status object Cases_payload_tags object Cases_payload_title object Cases_payload_user_comment object
  
  Hide attribute Show attribute
  
  comment object
  
  Hide comment attributes Show comment attributes object
  
  alertId string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  index string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string
  
  Value is alert.
  
  Hide attribute Show attribute
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  Hide attribute Show attribute
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  caseId string
  
  The case identifier for Swimlane connectors.
  
  category string
  
  The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
  
  destIp boolean | null
  
  Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
  
  impact string
  
  The effect an incident had on business for ServiceNow ITSM connectors.
  
  issueType string
  
  The type of issue for Jira connectors.
  
  issueTypes array[string]
  
  The type of incident for IBM Resilient connectors.
  
  malwareHash boolean | null
  
  Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
  
  malwareUrl boolean | null
  
  Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
  
  parent string
  
  The key of the parent issue, when the issue type is sub-task for Jira connectors.
  
  priority string
  
  The priority of the issue for Jira and ServiceNow SecOps connectors.
  
  severity string
  
  The severity of the incident for ServiceNow ITSM connectors.
  
  severityCode string
  
  The severity code of the incident for IBM Resilient connectors.
  
  sourceIp boolean | null
  
  Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
  
  subcategory string
  
  The subcategory of the incident for ServiceNow ITSM connectors.
  
  urgency string
  
  The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
  
  id string
  
  The identifier for the connector. To create a case without a connector, use none.
  
  name string
  
  The name of the connector. To create a case without a connector, use none.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  Hide attributes Show attributes
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  caseId string
  
  The case identifier for Swimlane connectors.
  
  category string
  
  The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
  
  destIp boolean | null
  
  Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
  
  impact string
  
  The effect an incident had on business for ServiceNow ITSM connectors.
  
  issueType string
  
  The type of issue for Jira connectors.
  
  issueTypes array[string]
  
  The type of incident for IBM Resilient connectors.
  
  malwareHash boolean | null
  
  Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
  
  malwareUrl boolean | null
  
  Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
  
  parent string
  
  The key of the parent issue, when the issue type is sub-task for Jira connectors.
  
  priority string
  
  The priority of the issue for Jira and ServiceNow SecOps connectors.
  
  severity string
  
  The severity of the incident for ServiceNow ITSM connectors.
  
  severityCode string
  
  The severity code of the incident for IBM Resilient connectors.
  
  sourceIp boolean | null
  
  Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
  
  subcategory string
  
  The subcategory of the incident for ServiceNow ITSM connectors.
  
  urgency string
  
  The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
  
  id string
  
  The identifier for the connector. To create a case without a connector, use none.
  
  name string
  
  The name of the connector. To create a case without a connector, use none.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  description string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  status string
  
  The status of the case.
  
  Values are closed, in-progress, or open.
  
  tags array[string]
  
  title string
  
  Hide attribute Show attribute
  
  externalService object | null
  
  Hide externalService attributes Show externalService attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
  
  Hide attribute Show attribute
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  Hide attribute Show attribute
  
  comment object
  
  Hide comment attributes Show comment attributes object
  
  comment string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  type string
  
  Value is user.
  
  type string Required
  
  The type of action.
  
  Values are assignees, create_case, comment, connector, description, pushed, tags, title, status, settings, or severity.
  
  version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/{caseId}/user_actions/_find

curl \
 --request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "page": 1,
  "total": 3,
  "perPage": 20,
  "userActions": [
    {
      "id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
      "type": "create_case",
      "owner": "cases",
      "action": "create",
      "payload": {
        "tags": [
          "tag 1"
        ],
        "owner": "cases",
        "title": "Case title 1",
        "status": "open",
        "category": null,
        "settings": {
          "syncAlerts": false
        },
        "severity": "low",
        "assignees": [],
        "connector": {
          "id": "none",
          "name": "none",
          "type": ".none",
          "fields": null
        },
        "description": "A case description.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "My field value"
          },
          {
            "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
            "type": "toggle",
            "value": null
          }
        ]
      },
      "version": "WzM1ODg4LDFd",
      "comment_id": null,
      "created_at": "2023-10-20T01:17:22.150Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "57af14a0-03b1-11ed-920c-974bfa104448",
      "type": "comment",
      "owner": "cases",
      "action": "create",
      "payload": {
        "type": "user",
        "owner": "cases",
        "comment": "A new comment"
      },
      "version": "WzM1ODg4LDFa",
      "comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
      "created_at": "2023-10-14T20:12:53.354Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "573c6980-6123-11ed-aa41-81a0a61fe447",
      "type": "assignees",
      "owner": "cases",
      "action": "add",
      "payload": {
        "assignees": {
          "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
        }
      },
      "version": "WzM1ODg4LDFb",
      "comment_id": null,
      "created_at": "2023-10-20T01:10:28.238Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ]
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Retrieve a detection rule

GET /api/detection_engine/rules

Api key auth Basic auth

Retrieve a detection rule using the rule_id or id field.

Query parameters

id string(uuid)

The rule's id value.
rule_id string

The rule's rule_id value.

Responses

200 application/json

Indicates a successful call.
Any of:
Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

language string Required

Query language to use

Value is eql.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is eql.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

event_category_override string

filters array

index array[string]

tiebreaker_field string

Sets a secondary field for sorting events

timestamp_field string

Contains the event timestamp used for sorting a sequence of events
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

type string Required Discriminator

Rule type

Value is query.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

saved_id string

language string Required

Values are kuery or lucene.

query string Required

EQL query to execute
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

saved_id string Required

type string Required Discriminator

Rule type

Value is saved_query.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

query string

EQL query to execute

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

query string Required

EQL query to execute

threshold object Required

Hide threshold attributes Show threshold attributes object

cardinality array[object]

Hide cardinality attributes Show cardinality attributes object

field string Required

value integer Required

Minimum value is 0.

field string | array[string] Required

Field to aggregate on

One of:
string-1 string array-2 array[string]

value integer Required

Threshold value

Minimum value is 1.

type string Required Discriminator

Rule type

Value is threshold.

alert_suppression object

Hide alert_suppression attribute Show alert_suppression attribute object

duration object Required

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

data_view_id string

filters array

index array[string]

saved_id string

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

query string Required

EQL query to execute

threat_index array[string] Required

threat_mapping array[object] Required

At least 1 element.

Hide threat_mapping attribute Show threat_mapping attribute object

entries array[object] Required

Hide entries attributes Show entries attributes object

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required

Value is mapping.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

threat_query string Required

Query to run

type string Required Discriminator

Rule type

Value is threat_match.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

concurrent_searches integer

Minimum value is 1.

data_view_id string

filters array

index array[string]

items_per_search integer

Minimum value is 1.

saved_id string

threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values

threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)

threat_language string

Values are kuery or lucene.

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

anomaly_threshold integer Required

Anomaly threshold

Minimum value is 0.

machine_learning_job_id string Required

type string Required Discriminator

Rule type

Value is machine_learning.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

history_window_start string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

new_terms_fields array[string] Required

At least 1 but not more than 3 elements.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is new_terms.

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

index array[string]

language string Required

Values are kuery or lucene.
Hide attributes Show attributes

actions array[object] Required

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications.

alerts_filter object

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

description string Required

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled.

exceptions_list array[object] Required

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

list_id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Minimum value is 1.

meta object

Additional properties are allowed.

name string Required

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

@example const x: RelatedIntegration = { package: 'windows', version: '1.5.x', };

@example const x: RelatedIntegration = { package: 'azure', version: '~1.1.6', integration: 'activitylogs', };

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

operator string Required

Value is equals.

risk_score integer

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets the source field for the alert's signal.rule.name value

setup string Required

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

operator string Required

Value is equals.

severity string Required

Severity of the rule

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A universally unique identifier

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

Minimum value is 0.

rule_id string Required

Could be any string, not necessarily a UUID

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required Discriminator

Value is external.

updated_at string(date-time) Required

updated_by string Required

alert_suppression object

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

language string Required

Value is esql.

query string Required

EQL query to execute

type string Required Discriminator

Rule type

Value is esql.

GET /api/detection_engine/rules

curl \
 --request GET 'http://localhost:5622/api/detection_engine/rules' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  }
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "1h",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "created_at": "2025-05-04T09:42:00Z",
  "created_by": "string",
  "execution_summary": {
    "last_execution": {
      "date": "2025-05-04T09:42:00Z",
      "message": "string",
      "metrics": {
        "execution_gap_duration_s": 42,
        "gap_range": {
          "gte": "string",
          "lte": "string"
        },
        "total_enrichment_duration_ms": 42,
        "total_indexing_duration_ms": 42,
        "total_search_duration_ms": 42
      },
      "status": "going to run",
      "status_order": 42
    }
  },
  "id": "string",
  "immutable": true,
  "revision": 42,
  "rule_id": "string",
  "rule_source": {
    "is_customized": true,
    "type": "external"
  },
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": "string",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql"
}

Get a policy response

GET /api/endpoint/policy_response

Api key auth Basic auth

Query parameters

query object Required
Hide query attribute Show query attribute object
- agentId string
  
  Agent ID

Responses

200 application/json

OK

GET /api/endpoint/policy_response

curl \
 --request GET 'http://localhost:5622/api/endpoint/policy_response?query=%7B%7D' \
 --header "Authorization: $API_KEY"

Response examples (200)

{}

GET /api/osquery/saved_queries

Api key auth Basic auth

Get a list of all saved queries.

Query parameters

page integer | null

The page number to return. The default is 1.
pageSize integer | null

The number of results to return per page. The default is 20.
sort string | null

The field that is used to sort the results.

Default value is createdAt.
sortOrder string

Specifies the sort order.

Values are asc or desc.

Responses

200 application/json

OK

GET /api/osquery/saved_queries

curl \
 --request GET 'http://localhost:5622/api/osquery/saved_queries' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": [
    {
      "id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
      "type": "osquery-saved-query",
      "attributes": {
        "id": "saved_query_id",
        "query": "select * from uptime;",
        "version": "2.8.0",
        "interval": "60",
        "platform": "linux,darwin",
        "prebuilt": false,
        "created_at": "2022-07-26T09:28:08.597Z",
        "created_by": "elastic",
        "updated_at": "2022-07-26T09:28:08.597Z",
        "updated_by": "elastic",
        "description": "Saved query description",
        "ecs_mapping": {
          "host.uptime": {
            "field": "total_seconds"
          }
        }
      },
      "namespaces": [
        "default"
      ]
    }
  ],
  "page": 1,
  "total": 11,
  "per_page": 100
}

payload object | null Required

alertId string | array[string]

index string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]