Find and/or aggregate detection alerts
Find and/or aggregate detection alerts that match the given query.
Body Required
Search and/or aggregation query
_source boolean | string | array[string]
-
aggs object
Additional properties are allowed.
-
fields array[string]
-
query object
Additional properties are allowed.
-
runtime_mappings object
Additional properties are allowed.
-
size integer
Minimum value is 0.
sort string | object | array[string | object]
-
track_total_hits boolean
POST
/api/detection_engine/signals/search
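# Kibana's XSRF protection rejects non-GET API requests that do not carry the
# kbn-xsrf header, so it is sent here alongside the JSON content type.
# Authentication (basic credentials via --user, or an API key in an Authorization
# header) is required as well and is not shown in this example.
curl \
  --request POST https://localhost:5601/api/detection_engine/signals/search \
  --header "kbn-xsrf: true" \
  --header "Content-Type: application/json" \
  --data '{"aggs":{"missingFields":{"missing":{"field":"host.name"}},"alertsByGrouping":{"terms":{"size":10,"field":"host.name"}}},"size":0,"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"should":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{}}'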
Request example
{
"aggs": {
"missingFields": {
"missing": {
"field": "host.name"
}
},
"alertsByGrouping": {
"terms": {
"size": 10,
"field": "host.name"
}
}
},
"size": 0,
"query": {
"bool": {
"filter": [
{
"bool": {
"must": [],
"filter": [
{
"match_phrase": {
"kibana.alert.workflow_status": "open"
}
}
],
"should": [],
"must_not": [
{
"exists": {
"field": "kibana.alert.building_block_type"
}
}
]
}
},
{
"range": {
"@timestamp": {
"gte": "2025-01-17T08:00:00.000Z",
"lte": "2025-01-18T07:59:59.999Z"
}
}
}
]
}
},
"runtime_mappings": {}
}
Response examples (200)
{
"hits": {
"hits": [],
"total": {
"value": 5,
"relation": "eq"
},
"max_score": null
},
"took": 0,
"_shards": {
"total": 1,
"failed": 0,
"skipped": 0,
"successful": 1
},
"timed_out": false,
"aggregations": {
"missingFields": {
"doc_count": 0
},
"alertsByGrouping": {
"buckets": [
{
"key": "Host-f43kkddfyc",
"doc_count": 5
}
],
"sum_other_doc_count": 0,
"doc_count_error_upper_bound": 0
}
}
}
Response examples (400)
Security_detections_api_platformerrorresponse
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Response examples (401)
{
"error": "string",
"message": "string",
"statusCode": 42
}
Response examples (500)
{
"message": "string",
"status_code": 42
}