Set a detection alert status

Delete a connector

DELETE /api/actions/connector/{id}

WARNING: When you delete a connector, it cannot be recovered.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

An identifier for the connector.

Responses

204

Indicates a successful call.

DELETE /api/actions/connector/{id}

curl \
 --request DELETE https://localhost:5601/api/actions/connector/{id} \
 --header "kbn-xsrf: true"

Update data view fields metadata

POST /api/data_views/data_view/{viewId}/fields

Update fields presentation metadata such as count, customLabel, customDescription, and format.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

viewId string Required

An identifier for the data view.

application/json

Body Required

fields object Required

The field object.

Additional properties are allowed.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- acknowledged boolean
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /api/data_views/data_view/{viewId}/fields

curl \
 --request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/fields \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"fields":{"field1":{"count":123,"customLabel":"Field 1 label"},"field2":{"customLabel":"Field 2 label","customDescription":"Field 2 description"}}}'

Request example

{
  "fields": {
    "field1": {
      "count": 123,
      "customLabel": "Field 1 label"
    },
    "field2": {
      "customLabel": "Field 2 label",
      "customDescription": "Field 2 description"
    }
  }
}

Response examples (200)

{
  "acknowledged": true
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Delete a runtime field from a data view

DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

fieldName string Required

The name of the runtime field.
viewId string Required

An identifier for the data view.

Responses

200

Indicates a successful call.
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

curl \
 --request DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day

Response examples (404)

{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Get agent tags

GET /api/fleet/agents/tags

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

kuery string
showInactive boolean

Default value is false.

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[string] Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/agents/tags

curl \
 --request GET https://localhost:5601/api/fleet/agents/tags

Response examples (200)

{
  "items": [
    "string"
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Check permissions

GET /api/fleet/check-permissions

Query parameters

fleetServerSetup boolean

Responses

200 application/json
Hide response attributes Show response attributes object
- error string
  
  Values are MISSING_SECURITY, MISSING_PRIVILEGES, or MISSING_FLEET_SERVER_SETUP_PRIVILEGES.
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number

GET /api/fleet/check-permissions

curl \
 --request GET https://localhost:5601/api/fleet/check-permissions

Response examples (200)

{
  "error": "MISSING_SECURITY",
  "success": true
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get settings

GET /api/fleet/settings

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  delete_unenrolled_agents object
  
  Additional properties are NOT allowed.
  
  Hide delete_unenrolled_agents attributes Show delete_unenrolled_agents attributes object
  
  enabled boolean Required
  
  is_preconfigured boolean Required
  
  has_seen_add_data_notice boolean
  
  id string Required
  
  output_secret_storage_requirements_met boolean
  
  preconfigured_fields array[string]
  
  Value is fleet_server_hosts.
  
  prerelease_integrations_enabled boolean
  
  secret_storage_requirements_met boolean
  
  use_space_awareness_migration_started_at string | null
  
  use_space_awareness_migration_status string
  
  Values are pending, success, or error.
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- message string Required
- statusCode number
404 application/json
Hide response attribute Show response attribute object
- message string Required

GET /api/fleet/settings

curl \
 --request GET https://localhost:5601/api/fleet/settings

Response examples (200)

{
  "item": {
    "delete_unenrolled_agents": {
      "enabled": true,
      "is_preconfigured": true
    },
    "has_seen_add_data_notice": true,
    "id": "string",
    "output_secret_storage_requirements_met": true,
    "preconfigured_fields": [
      "fleet_server_hosts"
    ],
    "prerelease_integrations_enabled": true,
    "secret_storage_requirements_met": true,
    "use_space_awareness_migration_started_at": "string",
    "use_space_awareness_migration_status": "pending",
    "version": "string"
  }
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Response examples (404)

{
  "message": "string"
}

Search for saved objects Deprecated

GET /api/saved_objects/_find

Retrieve a paginated set of Kibana saved objects.

Query parameters

aggs string

An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the savedObjectType.attributes.title: "myTitle" format must be used. For root fields, the syntax is savedObjectType.rootField. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
default_search_operator string

The default operator to use for the simple_query_string.
fields string | array

The fields to return in the attributes key of the response.
filter string

The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: savedObjectType.attributes.title: "myTitle". However, if you use a root attribute of a saved object such as updated_at, you will have to define your filter like that: savedObjectType.updated_at > 2018-12-22.
has_no_reference object

Filters to objects that do not have a relationship with the type and identifier combination.

Additional properties are allowed.
has_no_reference_operator string

The operator to use for the has_no_reference parameter. Either OR or AND. Defaults to OR.
has_reference object

Filters to objects that have a relationship with the type and ID combination.

Additional properties are allowed.
has_reference_operator string

The operator to use for the has_reference parameter. Either OR or AND. Defaults to OR.
page integer

The page of objects to return.
per_page integer

The number of objects to return per page.
search string

An Elasticsearch simple_query_string query that filters the objects in the response.
search_fields string | array

The fields to perform the simple_query_string parsed query against.
sort_field string

Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed.
type string | array Required

The saved object types to include.

Responses

200 application/json

Indicates a successful call.

Additional properties are allowed.
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
  
  Value is Bad Request.
- message string Required
- statusCode integer Required
  
  Value is 400.

GET /api/saved_objects/_find

curl \
 --request GET https://localhost:5601/api/saved_objects/_find?type=string

Response examples (200)

{}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Preview rule alerts generated on specified time range

POST /api/detection_engine/rules/preview

Query parameters

enable_logged_requests boolean

Enables logging and returning in response ES queries, performed during rule execution

application/json

Body object Required

An object containing tags to add or remove and alert ids the changes will be applied

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
language string Required

Query language to use

Value is eql.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is eql.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
event_category_override string
filters array
index array[string]
tiebreaker_field string

Sets a secondary field for sorting events
timestamp_field string

Contains the event timestamp used for sorting a sequence of events
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
type string Required Discriminator

Rule type

Value is query.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
saved_id string
language string

Values are kuery or lucene.
query string

EQL query to execute
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
saved_id string Required
type string Required Discriminator

Rule type

Value is saved_query.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
query string

EQL query to execute
language string

Values are kuery or lucene.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
query string Required

EQL query to execute
threshold object Required

Additional properties are allowed.
Hide threshold attributes Show threshold attributes object
- cardinality array[object]
  Hide cardinality attributes Show cardinality attributes object
  
  field string Required
  
  value integer Required
  
  Minimum value is 0.
- field string | array[string] Required
  
  Field to aggregate on
  
  One of:
  string-1 string array-2 array[string]
- value integer Required
  
  Threshold value
  
  Minimum value is 1.
type string Required Discriminator

Rule type

Value is threshold.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attribute Show alert_suppression attribute object
- duration object Required
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
data_view_id string
filters array
index array[string]
saved_id string
language string

Values are kuery or lucene.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
query string Required

EQL query to execute
threat_index array[string] Required
threat_mapping array[object] Required

At least 1 element.
Hide threat_mapping attribute Show threat_mapping attribute object
- entries array[object] Required
  Hide entries attributes Show entries attributes object
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required
  
  Value is mapping.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
threat_query string Required

Query to run
type string Required Discriminator

Rule type

Value is threat_match.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
concurrent_searches integer

Minimum value is 1.
data_view_id string
filters array
index array[string]
items_per_search integer

Minimum value is 1.
saved_id string
threat_filters array

Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
threat_indicator_path string

Defines the path to the threat indicator in the indicator documents (optional)
threat_language string

Values are kuery or lucene.
language string

Values are kuery or lucene.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
anomaly_threshold integer Required

Anomaly threshold

Minimum value is 0.
machine_learning_job_id string | array[string] Required

Machine learning job ID

One of:
string-1 string array-2 array[string]
type string Required Discriminator

Rule type

Value is machine_learning.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
history_window_start string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.
new_terms_fields array[string] Required

At least 1 but not more than 3 elements.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is new_terms.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
data_view_id string
filters array
index array[string]
language string

Values are kuery or lucene.
invocationCount integer Required
timeframeEnd string(date-time) Required

actions array[object]
Hide actions attributes Show actions attributes object
- action_type_id string Required
  
  The action type used for sending notifications.
- alerts_filter object
  
  Additional properties are allowed.
- frequency object
  
  The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
  
  Additional properties are allowed.
  Hide frequency attributes Show frequency attributes object
  
  notifyWhen string Required
  
  The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval
  
  Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
  
  summary boolean Required
  
  Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
  
  throttle string | null Required
  
  Defines how often rule actions are taken.
  
  One of:
  string-1 string | null string-2 string | null
  
  Values are no_actions or rule.
- group string
  
  Optionally groups actions by use cases. Use default for alert notifications.
- id string Required
  
  The connector ID.
- params object Required
  
  Object containing the allowed connector fields, which varies according to the connector type.
  
  Additional properties are allowed.
- uuid string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
alias_purpose string

Values are savedObjectConversion or savedObjectImport.
alias_target_id string
author array[string]
building_block_type string

Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
description string Required

Minimum length is 1.
enabled boolean

Determines whether the rule is enabled.
exceptions_list array[object]
Hide exceptions_list attributes Show exceptions_list attributes object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines the exceptions validity in rule's Kibana space
  
  Values are agnostic or single.
- type string Required
  
  The exception type
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
false_positives array[string]
from string(date-math)

Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
interval string

Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:
```
const investigationFields = z.object({
  field_names: NonEmptyArray(NonEmptyString),
  override: z.boolean().optional(),
});
```
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
- field_names array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
license string

The rule's license.
max_signals integer

Minimum value is 1.
meta object

Additional properties are allowed.
name string Required

Minimum length is 1.
namespace string

Has no effect.
note string

Notes to help investigate alerts produced by the rule.
outcome string

Values are exactMatch, aliasMatch, or conflict.
output_index string Deprecated

(deprecated) Has no effect.
references array[string]
related_integrations array[object]
Hide related_integrations attributes Show related_integrations attributes object
- integration string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- package string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- version string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
required_fields array[object]
Hide required_fields attributes Show required_fields attributes object
- name string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- type string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
response_actions array[object]
One of:
Security_Detections_API_OsqueryResponseAction object Security_Detections_API_EndpointResponseAction object
Hide attributes Show attributes

action_type_id string Required

Value is .osquery.

params object Required

Additional properties are allowed.

Hide params attributes Show params attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

pack_id string

queries array[object]

Hide queries attributes Show queries attributes object

ecs_mapping object

Hide ecs_mapping attribute Show ecs_mapping attribute object

* object Additional properties

Additional properties are allowed.

Hide * attributes Show * attributes object

field string

value string | array[string]

One of:
string-1 string array-2 array[string]

id string Required

Query ID

platform string

query string Required

Query to run

removed boolean

snapshot boolean

version string

Query version

query string

saved_query_id string

timeout number
Hide attributes Show attributes

action_type_id string Required

Value is .endpoint.

params object Required

One of:
Security_Detections_API_DefaultParams object Security_Detections_API_ProcessesParams object

Hide attributes Show attributes

command string Required

Value is isolate.

comment string

Hide attributes Show attributes

command string Required

Values are kill-process or suspend-process.

comment string

config object Required

Additional properties are allowed.

Hide config attributes Show config attributes object

field string Required

Field to use instead of process.pid

overwrite boolean

Whether to overwrite field with process.pid

Default value is true.
risk_score integer Required

Risk score (0 to 100)

Minimum value is 0, maximum value is 100.
risk_score_mapping array[object]

Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- risk_score integer
  
  Risk score (0 to 100)
  
  Minimum value is 0, maximum value is 100.
- value string Required
rule_id string

Could be any string, not necessarily a UUID
rule_name_override string

Sets the source field for the alert's signal.rule.name value
setup string
severity string Required

Severity of the rule

Values are low, medium, high, or critical.
severity_mapping array[object]

Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
- field string Required
- operator string Required
  
  Value is equals.
- severity string Required
  
  Severity of the rule
  
  Values are low, medium, high, or critical.
- value string Required
tags array[string]

String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
threat array[object]
Hide threat attributes Show threat attributes object
- framework string Required
  
  Relevant attack framework
- tactic object Required
  
  Additional properties are allowed.
  Hide tactic attributes Show tactic attributes object
  
  id string Required
  
  Tactic ID
  
  name string Required
  
  Tactic name
  
  reference string Required
  
  Tactic reference
- technique array[object]
  
  Array containing information on the attack techniques (optional)
  Hide technique attributes Show technique attributes object
  
  id string Required
  
  Technique ID
  
  name string Required
  
  Technique name
  
  reference string Required
  
  Technique reference
  
  subtechnique array[object]
  
  Array containing more specific information on the attack technique
  
  Hide subtechnique attributes Show subtechnique attributes object
  
  id string Required
  
  Subtechnique ID
  
  name string Required
  
  Subtechnique name
  
  reference string Required
  
  Subtechnique reference
throttle string | null

Defines how often rule actions are taken.

One of:
string-1 string | null string-2 string | null

Values are no_actions or rule.
timeline_id string

Timeline template ID
timeline_title string

Timeline template title
timestamp_override string

Sets the time field used to query indices
timestamp_override_fallback_disabled boolean

Disables the fallback to the event's @timestamp field
to string
version integer

The rule's version number.

Minimum value is 1.
alert_suppression object

Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
- duration object
  
  Additional properties are allowed.
  Hide duration attributes Show duration attributes object
  
  unit string Required
  
  Values are s, m, or h.
  
  value integer Required
  
  Minimum value is 1.
- group_by array[string] Required
  
  At least 1 but not more than 3 elements.
- missing_fields_strategy string
  
  Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
  
  Values are doNotSuppress or suppress.
language string Required

Value is esql.
query string Required

EQL query to execute
type string Required Discriminator

Rule type

Value is esql.
invocationCount integer Required
timeframeEnd string(date-time) Required

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- isAborted boolean
- logs array[object] Required
  
  Hide logs attributes Show logs attributes object
  
  duration integer Required
  
  Execution duration in milliseconds
  
  errors array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  Minimum length of each is 1.
  
  requests array[object]
  
  Hide requests attributes Show requests attributes object
  
  description string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  duration integer
  
  request string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  request_type string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  startedAt string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  warnings array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  Minimum length of each is 1.
- previewId string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/rules/preview

curl \
 --request POST https://localhost:5601/api/detection_engine/rules/preview \
 --header "Content-Type: application/json" \
 --data '{"actions":[{"action_type_id":"string","alerts_filter":{},"frequency":{"notifyWhen":"onActiveAlert","summary":true,"throttle":"no_actions"},"group":"string","id":"string","params":{},"uuid":"string"}],"alias_purpose":"savedObjectConversion","alias_target_id":"string","author":["string"],"building_block_type":"string","description":"string","enabled":true,"exceptions_list":[{"id":"string","list_id":"string","namespace_type":"agnostic","type":"detection"}],"false_positives":["string"],"from":"string","interval":"string","investigation_fields":{"field_names":["string"]},"license":"string","max_signals":42,"meta":{},"name":"string","namespace":"string","note":"string","outcome":"exactMatch","output_index":"string","references":["string"],"related_integrations":[{"integration":"string","package":"string","version":"string"}],"required_fields":[{"name":"string","type":"string"}],"response_actions":[{"action_type_id":".osquery","params":{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"pack_id":"string","queries":[{"ecs_mapping":{"additionalProperty1":{"field":"string","value":"string"},"additionalProperty2":{"field":"string","value":"string"}},"id":"string","platform":"string","query":"string","removed":true,"snapshot":true,"version":"string"}],"query":"string","saved_query_id":"string","timeout":42.0}}],"risk_score":42,"risk_score_mapping":[{"field":"string","operator":"equals","risk_score":42,"value":"string"}],"rule_id":"string","rule_name_override":"string","setup":"string","severity":"low","severity_mapping":[{"field":"string","operator":"equals","severity":"low","value":"string"}],"tags":["string"],"threat":[{"framework":"string","tactic":{"id":"string","name":"string","reference":"string"},"technique":[{"id":"string","name":"string","reference":"string","subtechnique":[{"id":"string","name":"string","reference":"string"}]}]}],"throttle":"no_actions","timeline_id":"string","timeline_title":"string","timestamp_override":"string","timestamp_override_fallback_disabled":true,"to":"string","version":42,"language":"eql","query":"string","type":"eql","alert_suppression":{"duration":{"unit":"s","value":42},"group_by":["string"],"missing_fields_strategy":"doNotSuppress"},"data_view_id":"string","event_category_override":"string","filters":[],"index":["string"],"tiebreaker_field":"string","timestamp_field":"string","invocationCount":42,"timeframeEnd":"2025-05-04T09:42:00+00:00"}'

Request examples

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "language": "eql",
  "query": "string",
  "type": "eql",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "event_category_override": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "tiebreaker_field": "string",
  "timestamp_field": "string",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "type": "query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "query": "string",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "saved_id": "string",
  "type": "saved_query",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "query": "string",
  "language": "kuery",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "query": "string",
  "threshold": {
    "cardinality": [
      {
        "field": "string",
        "value": 42
      }
    ],
    "field": "string",
    "value": 42
  },
  "type": "threshold",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    }
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "saved_id": "string",
  "language": "kuery",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "query": "string",
  "threat_index": [
    "string"
  ],
  "threat_mapping": [
    {
      "entries": [
        {
          "field": "string",
          "type": "mapping",
          "value": "string"
        }
      ]
    }
  ],
  "threat_query": "string",
  "type": "threat_match",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "concurrent_searches": 42,
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "items_per_search": 42,
  "saved_id": "string",
  "threat_filters": [],
  "threat_indicator_path": "string",
  "threat_language": "kuery",
  "language": "kuery",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "anomaly_threshold": 42,
  "machine_learning_job_id": "string",
  "type": "machine_learning",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "history_window_start": "string",
  "new_terms_fields": [
    "string"
  ],
  "query": "string",
  "type": "new_terms",
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "data_view_id": "string",
  "filters": [],
  "index": [
    "string"
  ],
  "language": "kuery",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

{
  "actions": [
    {
      "action_type_id": "string",
      "alerts_filter": {},
      "frequency": {
        "notifyWhen": "onActiveAlert",
        "summary": true,
        "throttle": "no_actions"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "uuid": "string"
    }
  ],
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "author": [
    "string"
  ],
  "building_block_type": "string",
  "description": "string",
  "enabled": true,
  "exceptions_list": [
    {
      "id": "string",
      "list_id": "string",
      "namespace_type": "agnostic",
      "type": "detection"
    }
  ],
  "false_positives": [
    "string"
  ],
  "from": "string",
  "interval": "string",
  "investigation_fields": {
    "field_names": [
      "string"
    ]
  },
  "license": "string",
  "max_signals": 42,
  "meta": {},
  "name": "string",
  "namespace": "string",
  "note": "string",
  "outcome": "exactMatch",
  "output_index": "string",
  "references": [
    "string"
  ],
  "related_integrations": [
    {
      "integration": "string",
      "package": "string",
      "version": "string"
    }
  ],
  "required_fields": [
    {
      "name": "string",
      "type": "string"
    }
  ],
  "response_actions": [
    {
      "action_type_id": ".osquery",
      "params": {
        "ecs_mapping": {
          "additionalProperty1": {
            "field": "string",
            "value": "string"
          },
          "additionalProperty2": {
            "field": "string",
            "value": "string"
          }
        },
        "pack_id": "string",
        "queries": [
          {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "id": "string",
            "platform": "string",
            "query": "string",
            "removed": true,
            "snapshot": true,
            "version": "string"
          }
        ],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 42.0
      }
    }
  ],
  "risk_score": 42,
  "risk_score_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "risk_score": 42,
      "value": "string"
    }
  ],
  "rule_id": "string",
  "rule_name_override": "string",
  "setup": "string",
  "severity": "low",
  "severity_mapping": [
    {
      "field": "string",
      "operator": "equals",
      "severity": "low",
      "value": "string"
    }
  ],
  "tags": [
    "string"
  ],
  "threat": [
    {
      "framework": "string",
      "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string"
      },
      "technique": [
        {
          "id": "string",
          "name": "string",
          "reference": "string",
          "subtechnique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string"
            }
          ]
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "timeline_id": "string",
  "timeline_title": "string",
  "timestamp_override": "string",
  "timestamp_override_fallback_disabled": true,
  "to": "string",
  "version": 42,
  "alert_suppression": {
    "duration": {
      "unit": "s",
      "value": 42
    },
    "group_by": [
      "string"
    ],
    "missing_fields_strategy": "doNotSuppress"
  },
  "language": "esql",
  "query": "string",
  "type": "esql",
  "invocationCount": 42,
  "timeframeEnd": "2025-05-04T09:42:00+00:00"
}

Response examples (200)

{
  "isAborted": true,
  "logs": [
    {
      "duration": 42,
      "errors": [
        "string"
      ],
      "requests": [
        {
          "description": "string",
          "duration": 42,
          "request": "string",
          "request_type": "string"
        }
      ],
      "startedAt": "string",
      "warnings": [
        "string"
      ]
    }
  ],
  "previewId": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

POST /api/detection_engine/signals/status

Set the status of one or more detection alerts.

application/json

Body object Required

An object containing desired status and explicit alert ids or a query to select alerts

signal_ids array[string(nonempty)] Required

List of alert ids.

At least 1 element. Minimum length of each is 1.
status string Required

The status of an alert, which can be open, acknowledged, in-progress, or closed.

Values are open, closed, acknowledged, or in-progress.

conflicts string

Values are abort or proceed. Default value is abort.
query object Required

Additional properties are allowed.
status string Required

The status of an alert, which can be open, acknowledged, in-progress, or closed.

Values are open, closed, acknowledged, or in-progress.

Responses

200 application/json

Successful response

Elasticsearch update by query response

Additional properties are allowed.
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/signals/status

curl \
 --request POST https://localhost:5601/api/detection_engine/signals/status \
 --header "Content-Type: application/json" \
 --data '{"status":"closed","signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"]}'

Request examples

{
  "status": "closed",
  "signal_ids": [
    "80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"
  ]
}

{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": null,
          "@timestamp": {
            "gte": "2024-10-23T07:00:00.000Z",
            "lte": "2025-01-21T20:12:11.704Z",
            "format": "strict_date_optional_time"
          }
        },
        {
          "bool": {
            "filter": {
              "bool": {
                "must": [],
                "filter": [
                  {
                    "match_phrase": {
                      "kibana.alert.workflow_status": "open"
                    }
                  },
                  {
                    "range": null,
                    "@timestamp": {
                      "gte": "2024-10-23T07:00:00.000Z",
                      "lte": "2025-01-21T20:12:11.704Z",
                      "format": "strict_date_optional_time"
                    }
                  }
                ],
                "should": [],
                "must_not": [
                  {
                    "exists": {
                      "field": "kibana.alert.building_block_type"
                    }
                  }
                ]
              }
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "status": "closed",
  "conflicts": "proceed"
}

Response examples (200)

{
  "took": 81,
  "noops": 0,
  "total": 1,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 1,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}

{
  "took": 100,
  "noops": 0,
  "total": 17,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 17,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Body Required

Search for saved objects Deprecated

Body object Required

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

throttle string | null Required

value string | array[string]

value string | array[string]

Body object Required