Apply a bulk action to detection rules

POST /api/detection_engine/rules/_bulk_action

Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.

When used with API key authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.

Query parameters

dry_run boolean

Enables dry run mode for the request call.

Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information.

To enable dry run mode on a request, add the query parameter dry_run=true to the end of the request URL. Rules specified in the request will be temporarily updated. These updates won’t be written to Elasticsearch.

Dry run mode is not supported for the export bulk action. A 400 error will be returned in the request response.

application/json

Body object

action string Required

Value is delete.
ids array[string]

Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.

At least 1 element.
query string

Query to filter rules.

action string Required

Value is disable.
ids array[string]

Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.

At least 1 element.
query string

Query to filter rules.

action string Required

Value is enable.
ids array[string]

Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.

At least 1 element.
query string

Query to filter rules.

action string Required

Value is export.
ids array[string]

Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.

At least 1 element.
query string

Query to filter rules.

action string Required

Value is duplicate.
duplicate object

Duplicate object that describes applying an update action.
Hide duplicate attributes Show duplicate attributes object
- include_exceptions boolean Required
  
  Whether to copy exceptions from the original rule
- include_expired_exceptions boolean Required
  
  Whether to copy expired exceptions from the original rule
ids array[string]

Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.

At least 1 element.
query string

Query to filter rules.

action string Required

Value is run.
ids array[string]

Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.

At least 1 element.
query string

Query to filter rules.
run object Required

Object that describes applying a manual rule run action.
Hide run attributes Show run attributes object
- end_date string
  
  End date of the manual rule run
- start_date string Required
  
  Start date of the manual rule run

action string Required

Value is edit.
edit array[object] Required

Array of objects containing the edit operations

At least 1 element.
Any of:
Security_Detections_API_BulkActionEditPayloadTags object Security_Detections_API_BulkActionEditPayloadIndexPatterns object Security_Detections_API_BulkActionEditPayloadInvestigationFields object Security_Detections_API_BulkActionEditPayloadTimeline object Security_Detections_API_BulkActionEditPayloadRuleActions object Security_Detections_API_BulkActionEditPayloadSchedule object
Hide attributes Show attributes

type string Required

Values are add_tags, delete_tags, or set_tags.

value array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
Hide attributes Show attributes

overwrite_data_views boolean

type string Required

Values are add_index_patterns, delete_index_patterns, or set_index_patterns.

value array[string] Required

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.
Hide attributes Show attributes

type string Required

Values are add_investigation_fields, delete_investigation_fields, or set_investigation_fields.

value object Required

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide value attribute Show value attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.
Hide attributes Show attributes

type string Required

Value is set_timeline.

value object Required

Hide value attributes Show value attributes object

timeline_id string Required

Timeline template ID

timeline_title string Required

Timeline template title
Hide attributes Show attributes

type string Required

Values are add_rule_actions or set_rule_actions.

value object Required

Hide value attributes Show value attributes object

actions array[object] Required

Hide actions attributes Show actions attributes object

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

throttle string

Defines the maximum interval in which a rule’s actions are executed.

The rule level throttle field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. In Elastic Security 8.8 and later, you can use the frequency field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s throttle field. In the response, the converted throttle setting appears in the individual actions' frequency field.

Values are rule, 1h, 1d, or 7d.
Hide attributes Show attributes

type string Required

Value is set_schedule.

value object Required

Hide value attributes Show value attributes object

interval string Required

Interval in which the rule runs. For example, "1h" means the rule runs every hour.

Format should match the following pattern: ^[1-9]\d*[smh]$.

lookback string Required

Lookback time for the rule

Format should match the following pattern: ^[1-9]\d*[smh]$.
ids array[string]

Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.

At least 1 element.
query string

Query to filter rules.

Responses

200 application/json

OK
One of:
Security_Detections_API_BulkEditActionResponse object Security_Detections_API_BulkExportActionResponse string
Hide attributes Show attributes

attributes object Required

Hide attributes attributes Show attributes attributes object

errors array[object]

Hide errors attributes Show errors attributes object

err_code string

Values are IMMUTABLE, PREBUILT_CUSTOMIZATION_LICENSE, MACHINE_LEARNING_AUTH, MACHINE_LEARNING_INDEX_PATTERN, ESQL_INDEX_PATTERN, MANUAL_RULE_RUN_FEATURE, or MANUAL_RULE_RUN_DISABLED_RULE.

message string Required

rules array[object] Required

Hide rules attributes Show rules attributes object

id string Required

name string

status_code integer Required

results object Required

Hide results attributes Show results attributes object

created array[object] Required

Any of:
Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

language string Required

Query language to use

Value is eql.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is eql.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

event_category_override string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

tiebreaker_field string

Sets a secondary field for sorting events

timestamp_field string

Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

type string Required Discriminator

Rule type

Value is query.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

saved_id string

Kibana saved search used by the rule to create alerts.

language string Required

Values are kuery or lucene.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

saved_id string Required

Kibana saved search used by the rule to create alerts.

type string Required Discriminator

Rule type

Value is saved_query.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

query string

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

threshold object Required

Hide threshold attributes Show threshold attributes object

cardinality array[object]

The field on which the cardinality is applied.

Hide cardinality attributes Show cardinality attributes object

field string Required

The field on which to calculate and compare the cardinality.

value integer Required

The threshold value from which an alert is generated based on unique number of values of cardinality.field.

Minimum value is 0.

field string Required

value integer Required

The threshold value from which an alert is generated.

Minimum value is 1.

type string Required Discriminator

Rule type

Value is threshold.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attribute Show alert_suppression attribute object

duration object Required

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

saved_id string

Kibana saved search used by the rule to create alerts.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

threat_index array[string] Required

Elasticsearch indices used to check which field values generate alerts.

threat_mapping array[object] Required

Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:

field: field from the event indices on which the rule runs

type: must be mapping

value: field from the Elasticsearch threat index

You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both and and or logic.

At least 1 element.

Hide threat_mapping attribute Show threat_mapping attribute object

entries array[object] Required

Hide entries attributes Show entries attributes object

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required

Value is mapping.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

threat_query string Required

Query used to determine which fields in the Elasticsearch index are used for generating alerts.

type string Required Discriminator

Rule type

Value is threat_match.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

concurrent_searches integer

Minimum value is 1.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

items_per_search integer

Minimum value is 1.

saved_id string

Kibana saved search used by the rule to create alerts.

threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values

threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)

threat_language string

Values are kuery or lucene.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

anomaly_threshold integer Required

Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.

Minimum value is 0.

machine_learning_job_id string Required

type string Required Discriminator

Rule type

Value is machine_learning.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

history_window_start string(nonempty) Required

Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.

Minimum length is 1.

new_terms_fields array[string] Required

Fields to monitor for new values.

At least 1 but not more than 3 elements.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is new_terms.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

language string Required

Value is esql.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is esql.

deleted array[object] Required

Any of:
Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

language string Required

Query language to use

Value is eql.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is eql.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

event_category_override string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

tiebreaker_field string

Sets a secondary field for sorting events

timestamp_field string

Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

type string Required Discriminator

Rule type

Value is query.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

saved_id string

Kibana saved search used by the rule to create alerts.

language string Required

Values are kuery or lucene.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

saved_id string Required

Kibana saved search used by the rule to create alerts.

type string Required Discriminator

Rule type

Value is saved_query.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

query string

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

threshold object Required

Hide threshold attributes Show threshold attributes object

cardinality array[object]

The field on which the cardinality is applied.

Hide cardinality attributes Show cardinality attributes object

field string Required

The field on which to calculate and compare the cardinality.

value integer Required

The threshold value from which an alert is generated based on unique number of values of cardinality.field.

Minimum value is 0.

field string Required

value integer Required

The threshold value from which an alert is generated.

Minimum value is 1.

type string Required Discriminator

Rule type

Value is threshold.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attribute Show alert_suppression attribute object

duration object Required

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

saved_id string

Kibana saved search used by the rule to create alerts.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

threat_index array[string] Required

Elasticsearch indices used to check which field values generate alerts.

threat_mapping array[object] Required

Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:

field: field from the event indices on which the rule runs

type: must be mapping

value: field from the Elasticsearch threat index

You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both and and or logic.

At least 1 element.

Hide threat_mapping attribute Show threat_mapping attribute object

entries array[object] Required

Hide entries attributes Show entries attributes object

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required

Value is mapping.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

threat_query string Required

Query used to determine which fields in the Elasticsearch index are used for generating alerts.

type string Required Discriminator

Rule type

Value is threat_match.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

concurrent_searches integer

Minimum value is 1.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

items_per_search integer

Minimum value is 1.

saved_id string

Kibana saved search used by the rule to create alerts.

threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values

threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)

threat_language string

Values are kuery or lucene.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

anomaly_threshold integer Required

Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.

Minimum value is 0.

machine_learning_job_id string Required

type string Required Discriminator

Rule type

Value is machine_learning.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

history_window_start string(nonempty) Required

Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.

Minimum length is 1.

new_terms_fields array[string] Required

Fields to monitor for new values.

At least 1 but not more than 3 elements.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is new_terms.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

language string Required

Value is esql.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is esql.

skipped array[object] Required

Hide skipped attributes Show skipped attributes object

id string Required

name string

skip_reason string Required

Value is RULE_NOT_MODIFIED.

updated array[object] Required

Any of:
Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields object

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

language string Required

Query language to use

Value is eql.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is eql.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

event_category_override string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

tiebreaker_field string

Sets a secondary field for sorting events

timestamp_field string

Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

type string Required Discriminator

Rule type

Value is query.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

saved_id string

Kibana saved search used by the rule to create alerts.

language string Required

Values are kuery or lucene.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

saved_id string Required

Kibana saved search used by the rule to create alerts.

type string Required Discriminator

Rule type

Value is saved_query.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

query string

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

threshold object Required

Hide threshold attributes Show threshold attributes object

cardinality array[object]

The field on which the cardinality is applied.

Hide cardinality attributes Show cardinality attributes object

field string Required

The field on which to calculate and compare the cardinality.

value integer Required

The threshold value from which an alert is generated based on unique number of values of cardinality.field.

Minimum value is 0.

field string Required

value integer Required

The threshold value from which an alert is generated.

Minimum value is 1.

type string Required Discriminator

Rule type

Value is threshold.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attribute Show alert_suppression attribute object

duration object Required

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

saved_id string

Kibana saved search used by the rule to create alerts.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

threat_index array[string] Required

Elasticsearch indices used to check which field values generate alerts.

threat_mapping array[object] Required

Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:

field: field from the event indices on which the rule runs

type: must be mapping

value: field from the Elasticsearch threat index

You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both and and or logic.

At least 1 element.

Hide threat_mapping attribute Show threat_mapping attribute object

entries array[object] Required

Hide entries attributes Show entries attributes object

field string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

type string Required

Value is mapping.

value string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

threat_query string Required

Query used to determine which fields in the Elasticsearch index are used for generating alerts.

type string Required Discriminator

Rule type

Value is threat_match.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

concurrent_searches integer

Minimum value is 1.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

items_per_search integer

Minimum value is 1.

saved_id string

Kibana saved search used by the rule to create alerts.

threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values

threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)

threat_language string

Values are kuery or lucene.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

anomaly_threshold integer Required

Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.

Minimum value is 0.

machine_learning_job_id string Required

type string Required Discriminator

Rule type

Value is machine_learning.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

history_window_start string(nonempty) Required

Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.

Minimum length is 1.

new_terms_fields array[string] Required

Fields to monitor for new values.

At least 1 but not more than 3 elements.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is new_terms.

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

data_view_id string

filters array

The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.

This field is not supported for ES|QL rules.

index array[string]

Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).

This field is not supported for ES|QL rules.

language string Required

Values are kuery or lucene.

Hide attributes Show attributes

actions array[object] Required

Array defining the automated actions (notifications) taken when alerts are generated.

Hide actions attributes Show actions attributes object

action_type_id string Required

The action type used for sending notifications, can be:

.slack

.slack_api

.email

.index

.pagerduty

.swimlane

.webhook

.servicenow

.servicenow-itom

.servicenow-sir

.jira

.resilient

.opsgenie

.teams

.torq

.tines

.d3security

alerts_filter object

Object containing an action’s conditional filters.

timeframe (object, optional): Object containing the time frame for when this action can be run.

days (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between 1-7, where 1 is Monday and 7 is Sunday. To select all days of the week, enter an empty array.

hours (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format hh:mm in 24 hour time. A start of 00:00 and an end of 24:00 means the action can run all day.

start (string, required): Start time in hh:mm format.

end (string, required): End time in hh:mm format.

timezone (string, required): An ISO timezone name, such as Europe/Madrid or America/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.

query (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.

kql (string, required): A KQL string.

filters (array of objects, required): Array of filter objects, as defined in the kbn-es-query package.

Additional properties are allowed.

frequency object

The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

Hide frequency attributes Show frequency attributes object

notifyWhen string Required

Defines how often rules run actions.

Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

summary boolean Required

Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

throttle string | null Required

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.

group string

Optionally groups actions by use cases. Use default for alert notifications.

id string Required

The connector ID.

params object Required

Object containing the allowed connector fields, which varies according to the connector type.

For Slack:

message (string, required): The notification message.

For email:

to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.

subject (string, optional): Email subject line.

message (string, required): Email body text.

For Webhook:

body (string, required): JSON payload.

For PagerDuty:

severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.

eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.

dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.

timestamp (DateTime, optional): ISO-8601 format timestamp.

component (string, optional): Source machine component responsible for the event, for example security-solution.

group (string, optional): Enables logical grouping of service components.

source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.

summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.

class (string, optional): Value indicating the class/type of the event.

Additional properties are allowed.

uuid string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

alias_purpose string

Values are savedObjectConversion or savedObjectImport.

alias_target_id string

author array[string] Required

The rule’s author.

building_block_type string

Determines if the rule acts as a building block. If yes, the value must be default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules.

description string Required

The rule’s description.

Minimum length is 1.

enabled boolean Required

Determines whether the rule is enabled. Defaults to true.

exceptions_list array[object] Required

Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.

Hide exceptions_list attributes Show exceptions_list attributes object

id string(nonempty) Required

ID of the exception container

Minimum length is 1.

list_id string(nonempty) Required

List ID of the exception container

Minimum length is 1.

namespace_type string Required

Determines the exceptions validity in rule's Kibana space

Values are agnostic or single.

type string Required

The exception type

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

false_positives array[string] Required

String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.

from string(date-math) Required

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

interval string Required

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

investigation_fields object

Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.

Hide investigation_fields attribute Show investigation_fields attribute object

field_names array[string(nonempty)] Required

A string that does not contain only whitespace characters

At least 1 element. Minimum length of each is 1.

license string

The rule's license.

max_signals integer Required

Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).

This setting can be superseded by the Kibana configuration setting xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max is set to 1000, the rule can generate no more than 1000 alerts even if max_signals is set higher.

Minimum value is 1. Default value is 100.

meta object

Placeholder for metadata about the rule.

This field is overwritten when you save changes to the rule’s settings.

Additional properties are allowed.

name string Required

A human-readable name for the rule.

Minimum length is 1.

namespace string

Has no effect.

note string

Notes to help investigate alerts produced by the rule.

outcome string

Values are exactMatch, aliasMatch, or conflict.

output_index string Deprecated

(deprecated) Has no effect.

references array[string] Required

Array containing notes about or references to relevant information about the rule. Defaults to an empty array.

related_integrations array[object] Required

Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.

NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.

Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:

package: name of the package (required, unique id)

version: version of the package (required, semver-compatible)

integration: name of the integration of this package (optional, id within the package)

There are Fleet packages like windows that contain only one integration; in this case, integration should be unspecified. There are also packages like aws and azure that contain several integrations; in this case, integration should be specified.

Hide related_integrations attributes Show related_integrations attributes object

integration string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.

package string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

version string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

required_fields array[object] Required

Elasticsearch fields and their types that need to be present for the rule to function.

The value of required_fields does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use required_fields as an informational property to document the fields that the rule expects to be present in the data.

Input parameters to create a RequiredField. Does not include the ecs field, because ecs is calculated on the backend based on the field name and type.

Hide required_fields attributes Show required_fields attributes object

name string(nonempty) Required

Name of an Elasticsearch field

Minimum length is 1.

type string(nonempty) Required

Type of the Elasticsearch field

Minimum length is 1.

response_actions array[object]

One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object

Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Hide params attributes Show params attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

To specify a query pack, use the packId field. Example: "packId": "processes_elastic"

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"

saved_query_id string

To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"

timeout number

A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.

Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"

Values are kill-process or suspend-process.

comment string

Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"

config object Required

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.

risk_score integer Required

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

risk_score_mapping array[object] Required

Overrides generated alerts' risk_score with a value from the source event

Hide risk_score_mapping attributes Show risk_score_mapping attributes object

field string Required

Source event field used to override the default risk_score.

operator string Required

Value is equals.

risk_score integer

A numerical representation of the alert's severity from 0 to 100, where:

0 - 21 represents low severity

22 - 47 represents medium severity

48 - 73 represents high severity

74 - 100 represents critical severity

Minimum value is 0, maximum value is 100.

value string Required

rule_name_override string

Sets which field in the source event is used to populate the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.

setup string Required

Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

severity_mapping array[object] Required

Overrides generated alerts' severity with values from the source event

Hide severity_mapping attributes Show severity_mapping attributes object

field string Required

Source event field used to override the default severity.

operator string Required

Value is equals.

severity string Required

Severity level of alerts produced by the rule, which must be one of the following:

low: Alerts that are of interest but generally not considered to be security incidents

medium: Alerts that require investigation

high: Alerts that require immediate investigation

critical: Alerts that indicate it is highly likely a security incident has occurred

Values are low, medium, high, or critical.

value string Required

tags array[string] Required

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

threat array[object] Required

Currently, only threats described using the MITRE ATT&CK™ framework are supported.

Hide threat attributes Show threat attributes object

framework string Required

Relevant attack framework

tactic object Required

Object containing information on the attack type

Hide tactic attributes Show tactic attributes object

id string Required

Tactic ID

name string Required

Tactic name

reference string Required

Tactic reference

technique array[object]

Array containing information on the attack techniques (optional)

Hide technique attributes Show technique attributes object

id string Required

Technique ID

name string Required

Technique name

reference string Required

Technique reference

subtechnique array[object]

Array containing more specific information on the attack technique.

Hide subtechnique attributes Show subtechnique attributes object

id string Required

Subtechnique ID

name string Required

Subtechnique name

reference string Required

Subtechnique reference

throttle string | null

Time interval in seconds, minutes, hours, or days.

Format should match the following pattern: ^[1-9]\d*[smhd]$. Values are no_actions or rule.

timeline_id string

Timeline template ID

timeline_title string

Timeline template title

timestamp_override string

Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.

timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field

to string Required

version integer Required

The rule's version number.

For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding security_detection_engine Fleet package that is used for distributing prebuilt rules).

For custom rules it is set to 1 when the rule is created.

It is not incremented on each update. Compare this to the revision field.

Minimum value is 1.

created_at string(date-time) Required

created_by string Required

execution_summary object

Summary of the last execution of a rule.

This field is under development and its usage or schema may change

Hide execution_summary attribute Show execution_summary attribute object

last_execution object Required

Hide last_execution attributes Show last_execution attributes object

date string(date-time) Required

Date of the last execution

message string Required

metrics object Required

Hide metrics attributes Show metrics attributes object

execution_gap_duration_s integer

Duration in seconds of execution gap

Minimum value is 0.

gap_range object

Range of the execution gap

Hide gap_range attributes Show gap_range attributes object

gte string Required

Start date of the execution gap

lte string Required

End date of the execution gap

total_enrichment_duration_ms integer

Total time spent enriching documents during current rule execution cycle

Minimum value is 0.

total_indexing_duration_ms integer

Total time spent indexing documents during current rule execution cycle

Minimum value is 0.

total_search_duration_ms integer

Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

Minimum value is 0.

status string Required

Status of the last execution

Values are going to run, running, partial failure, failed, or succeeded.

status_order integer Required

id string(uuid) Required

A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object ids.

immutable boolean Required Deprecated

This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

revision integer Required

The rule's revision number.

It represents the version of rule's object in Kibana. It is set to 0 when the rule is installed or created and then gets incremented on each update.

Not all updates to any rule fields will increment the revision. Only those fields that are considered static rule parameters can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by 1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.

Minimum value is 0.

rule_id string Required

A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

rule_source object Required

Type of rule source for internally sourced rules, i.e. created within the Kibana apps.

Hide rule_source attributes Show rule_source attributes object

is_customized boolean Required

Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

type string Required

Values are external or internal.

updated_at string(date-time) Required

updated_by string Required

alert_suppression object

Defines alert suppression configuration.

Hide alert_suppression attributes Show alert_suppression attributes object

duration object

Hide duration attributes Show duration attributes object

unit string Required

Time unit

Values are s, m, or h.

value integer Required

Minimum value is 1.

group_by array[string] Required

At least 1 but not more than 3 elements.

missing_fields_strategy string

Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

Values are doNotSuppress or suppress.

language string Required

Value is esql.

query string Required

Query used by the rule to create alerts.

For indicator match rules, only the query’s results are used to determine whether an alert is generated.

ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.

type string Required Discriminator

Rule type

Value is esql.

summary object Required

A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the edit action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason.

Hide summary attributes Show summary attributes object

failed integer Required

skipped integer Required

succeeded integer Required

total integer Required

message string

rules_count integer

status_code integer

success boolean

POST /api/detection_engine/rules/_bulk_action

curl \
 --request POST 'https://localhost:5601/api/detection_engine/rules/_bulk_action' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":"alert.attributes.tags: \"test\"","action":"enable"}'

Request examples

The following request activates all rules with the test tag

{
  "query": "alert.attributes.tags: \"test\"",
  "action": "enable"
}

The following request enables the rule with the specified ID.

{
  "ids": [
    "748694f0-6977-4ea5-8384-cd2e39730779"
  ],
  "action": "enable"
}

The following request disables the rule with the specified ID.

{
  "ids": [
    "748694f0-6977-4ea5-8384-cd2e39730779"
  ],
  "action": "disable"
}

The following request adds tags tag-1 and tag-2 to the rules that have the IDs sent in the payload

{
  "ids": [
    "8bc7dad0-9320-11ec-9265-8b772383a08d",
    "8e5c1a40-9320-11ec-9265-8b772383a08d"
  ],
  "edit": [
    {
      "type": "add_tags",
      "value": [
        "tag-1",
        "tag-2"
      ]
    }
  ],
  "action": "edit"
}

The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true

{
  "ids": [
    "81aa0480-06af-11ed-94fb-dd1a0597d8d2",
    "dc015d10-0831-11ed-ac8b-05a222bd8d4a",
    "de8f5af0-0831-11ed-ac8b-05a222bd8d4a"
  ],
  "edit": [
    {
      "type": "add_index_patterns",
      "value": [
        "test-*"
      ]
    }
  ],
  "action": "edit"
}

The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions.

{
  "ids": [
    "748694f0-6977-4ea5-8384-cd2e39730779",
    "461a4c22-416e-4009-a9a7-cf79656454bf"
  ],
  "action": "duplicate",
  "duplicate": {
    "include_exceptions": true,
    "include_expired_exceptions": false
  }
}

The following request deletes the rule with the specified ID.

{
  "ids": [
    "cf4abfd1-7c37-4519-ab0f-5ea5c75fac60"
  ],
  "action": "delete"
}

The following request runs the rule with the specified ID within the given date range.

{
  "ids": [
    "748694f0-6977-4ea5-8384-cd2e39730779"
  ],
  "run": {
    "end_date": "2025-03-10T23:59:59.999Z",
    "start_date": "2025-03-01T00:00:00.000Z"
  },
  "action": "run"
}

The following request exports the rules with the specified IDs.

{
  "ids": [
    "748694f0-6977-4ea5-8384-cd2e39730779",
    "13199674-aff1-418a-9e93-04f585fe36d1"
  ],
  "action": "export"
}

Response examples (200)

In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason.

{
  "success": true,
  "attributes": {
    "results": {
      "created": [],
      "deleted": [],
      "skipped": [
        {
          "id": "51658332-a15e-4c9e-912a-67214e2e2359",
          "name": "Skipped rule",
          "skip_reason": "RULE_NOT_MODIFIED"
        }
      ],
      "updated": [
        {
          "id": "8bc7dad0-9320-11ec-9265-8b772383a08d",
          "to": "now",
          "from": "now-45m",
          "name": "DNS Tunneling [Duplicate]",
          "tags": [
            "Elastic",
            "Network",
            "Threat Detection",
            "ML"
          ],
          "type": "machine_learning",
          "setup": "",
          "author": [
            "Elastic"
          ],
          "threat": [],
          "enabled": true,
          "license": "Elastic License v2",
          "rule_id": "7289bf08-4e91-4c70-bf01-e04c4c5d7756",
          "version": 6,
          "interval": "15m",
          "severity": "low",
          "immutable": false,
          "created_at": "2022-02-21T14:14:13.801Z",
          "created_by": "elastic",
          "references": [
            "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
          ],
          "risk_score": 21,
          "updated_at": "2022-02-21T17:05:50.883Z",
          "updated_by": "elastic",
          "description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
          "max_signals": 100,
          "exceptions_list": [],
          "false_positives": [
            "DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
          ],
          "required_fields": [],
          "severity_mapping": [],
          "anomaly_threshold": 50,
          "execution_summary": {
            "last_execution": {
              "date": "2022-03-23T16:06:12.787Z",
              "status": "partial failure",
              "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
              "metrics": {
                "execution_gap_duration_s": 0,
                "total_search_duration_ms": 135,
                "total_indexing_duration_ms": 15
              },
              "status_order": 20
            }
          },
          "risk_score_mapping": [],
          "related_integrations": [],
          "machine_learning_job_id": [
            "packetbeat_dns_tunneling"
          ]
        }
      ]
    },
    "summary": {
      "total": 2,
      "failed": 0,
      "skipped": 1,
      "succeeded": 1
    }
  },
  "rules_count": 1
}

If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request).

{
  "value": {
    "message": "Bulk edit partially failed",
    "success": false,
    "attributes": {
      "errors": [
        {
          "rules": [
            {
              "id": "8bc7dad0-9320-11ec-9265-8b772383a08d",
              "name": "DNS Tunneling [Duplicate]"
            }
          ],
          "message": "Index patterns can't be added. Machine learning rule doesn't have index patterns property",
          "status_code": 500
        }
      ],
      "results": {
        "created": [],
        "deleted": [],
        "skipped": [],
        "updated": [
          {
            "id": "8e5c1a40-9320-11ec-9265-8b772383a08d",
            "to": "now",
            "from": "now-6m",
            "name": "External Alerts [Duplicate]",
            "tags": [
              "Elastic",
              "Network",
              "Windows",
              "APM",
              "macOS",
              "Linux"
            ],
            "type": "query",
            "index": [
              "apm-*-transaction*",
              "traces-apm*",
              "auditbeat-*",
              "filebeat-*",
              "logs-*",
              "packetbeat-*",
              "winlogbeat-*",
              "added-by-id-*"
            ],
            "query": "event.kind:alert and not event.module:(endgame or endpoint)\n",
            "setup": "",
            "author": [
              "Elastic"
            ],
            "threat": [],
            "actions": [],
            "enabled": true,
            "license": "Elastic License v2",
            "rule_id": "941faf98-0cdc-4569-b16d-4af962914d61",
            "version": 5,
            "interval": "5m",
            "language": "kuery",
            "severity": "medium",
            "immutable": false,
            "created_at": "2022-02-21T14:14:17.883Z",
            "created_by": "elastic",
            "references": [],
            "risk_score": 47,
            "updated_at": "2022-02-21T16:56:22.818Z",
            "updated_by": "elastic",
            "description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.",
            "max_signals": 10000,
            "exceptions_list": [],
            "false_positives": [],
            "required_fields": [],
            "severity_mapping": [
              {
                "field": "event.severity",
                "value": "21",
                "operator": "equals",
                "severity": "low"
              },
              {
                "field": "event.severity",
                "value": "47",
                "operator": "equals",
                "severity": "medium"
              },
              {
                "field": "event.severity",
                "value": "73",
                "operator": "equals",
                "severity": "high"
              },
              {
                "field": "event.severity",
                "value": "99",
                "operator": "equals",
                "severity": "critical"
              }
            ],
            "execution_summary": {
              "last_execution": {
                "date": "2022-03-23T16:06:12.787Z",
                "status": "partial failure",
                "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
                "metrics": {
                  "execution_gap_duration_s": 0,
                  "total_search_duration_ms": 135,
                  "total_indexing_duration_ms": 15
                },
                "status_order": 20
              }
            },
            "risk_score_mapping": [
              {
                "field": "event.risk_score",
                "value": "",
                "operator": "equals"
              }
            ],
            "rule_name_override": "message",
            "timestamp_override": "event.ingested",
            "related_integrations": []
          }
        ]
      },
      "summary": {
        "total": 2,
        "failed": 1,
        "skipped": 0,
        "succeeded": 1
      }
    },
    "rules_count": 2,
    "status_code": 500
  }
}

The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted.

{
  "message": "Bulk edit partially failed",
  "attributes": {
    "errors": [
      {
        "rules": [
          {
            "id": "81aa0480-06af-11ed-94fb-dd1a0597d8d2",
            "name": "Unusual AWS Command for a User"
          }
        ],
        "message": "Elastic rule can't be edited",
        "err_code": "IMMUTABLE",
        "status_code": 500
      },
      {
        "rules": [
          {
            "id": "dc015d10-0831-11ed-ac8b-05a222bd8d4a",
            "name": "Suspicious Powershell Script [Duplicate]"
          }
        ],
        "message": "Machine learning rule doesn't have index patterns",
        "err_code": "MACHINE_LEARNING_INDEX_PATTERN",
        "status_code": 500
      }
    ],
    "results": {
      "created": [],
      "deleted": [],
      "skipped": [],
      "updated": []
    },
    "summary": {
      "total": 3,
      "failed": 2,
      "skipped": 0,
      "succeeded": 1
    }
  },
  "status_code": 500
}