Find rule information

GET /api/alerting/rules/_find

You must have read privileges for the appropriate Kibana features, depending on the consumer and rule_type_id of the rules you're seeking. For example, you must have privileges for the Management > Stack rules feature, Analytics > Discover and Machine Learning features, Observability features, or Security features. To find rules associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Query parameters

  • The default operator to use for the simple_query_string.

    Default value is OR.

  • fields array[string]

    The fields to return in the attributes key of the response.

  • filter string

A KQL string that filters on an attribute of the rule saved object. Attributes stored under the saved object's attributes key are addressed as savedObjectType.attributes.<name>, for example savedObjectType.attributes.title: "myTitle"; for rules the saved object type is alert, so a filter on the rule name is alert.attributes.name: "myName". Top-level saved object properties such as updatedAt are addressed directly, for example savedObjectType.updatedAt > 2018-12-22.

  • has_reference object

    Filters the rules that have a relation with the reference objects with a specific type and identifier.

  • page integer

    The page number to return.

    Default value is 1.

  • per_page integer

    The number of rules to return per page.

    Default value is 20.

  • search_fields string | array[string]

    The fields to perform the simple_query_string parsed query against.

  • Determines which field is used to sort the results. The field must exist in the attributes key of the response.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.
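The parameters above are the whole interface for enumerating rules, so the usual first step in an alerting audit is a small client that builds the filter, pages through page/per_page/total and hands back every rule. The script below is an added example written for this page, not Kibana's own client. It assumes the Kibana base URL and an Elasticsearch API key are supplied by the caller, that rules are filtered through the alert saved-object type (alert.attributes.<name>), and that the two unnamed sort bullets above correspond to Kibana's sort_field and sort_order parameters. The fake_fetch transport and the five rule stubs it serves are constructed so the example runs offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

FIND_PATH = "/api/alerting/rules/_find"
# Rules are stored as saved objects of type "alert", so a KQL filter on a rule
# attribute is written as alert.attributes.<name> (the page's savedObjectType).
RULE_SO_TYPE = "alert"


def rule_filter(**attrs) -> str:
    """Build a KQL filter over rule attributes, all clauses ANDed.

    rule_filter(enabled=True, consumer="siem")
      -> 'alert.attributes.enabled: true and alert.attributes.consumer: "siem"'
    Booleans become KQL literals; strings are quoted and inner quotes escaped
    so a value such as 'foo: bar' stays a phrase instead of an extra clause.
    """
    clauses = []
    for name, value in attrs.items():
        if isinstance(value, bool):
            literal = "true" if value else "false"
        elif isinstance(value, (int, float)):
            literal = str(value)
        else:
            escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
            literal = f'"{escaped}"'
        clauses.append(f"{RULE_SO_TYPE}.attributes.{name}: {literal}")
    return " and ".join(clauses)


def build_find_url(base_url: str, *, page: int = 1, per_page: int = 100,
                   filter_kql: Optional[str] = None,
                   sort_field: str = "name", sort_order: str = "asc") -> str:
    """Encode the query parameters listed above.

    sort_field / sort_order are assumed to be the names behind the two unnamed
    sort bullets. urlencode percent-encodes the KQL (spaces, quotes, colons),
    so the filter is never hand-escaped.
    """
    if sort_order not in ("asc", "desc"):
        raise ValueError("sort_order must be 'asc' or 'desc'")
    if page < 1 or per_page < 1:
        raise ValueError("page and per_page must be positive")
    params: Dict[str, object] = {"page": page, "per_page": per_page,
                                 "sort_field": sort_field, "sort_order": sort_order}
    if filter_kql:
        params["filter"] = filter_kql
    return base_url.rstrip("/") + FIND_PATH + "?" + urllib.parse.urlencode(params)


def http_get_json(url: str, api_key: str, timeout: float = 30.0) -> dict:
    """GET with an Elasticsearch API key; urllib raises HTTPError on 401/403."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"ApiKey {api_key}",
        "kbn-xsrf": "true",
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def iter_rules(base_url: str, *, api_key: Optional[str] = None,
               filter_kql: Optional[str] = None, per_page: int = 100,
               fetch: Optional[Callable[[str], dict]] = None) -> Iterator[dict]:
    """Yield every matching rule, walking page/per_page until `total` is reached.

    `fetch` maps a URL to the decoded JSON body; it defaults to a live HTTP
    call and can be replaced with a fake. The loop also stops on an empty page
    so a `total` that changes between requests cannot make it spin forever.
    """
    if fetch is None:
        if api_key is None:
            raise ValueError("api_key is required for live requests")
        key = api_key
        fetch = lambda url: http_get_json(url, key)
    page, seen = 1, 0
    while True:
        body = fetch(build_find_url(base_url, page=page, per_page=per_page,
                                    filter_kql=filter_kql))
        data = body.get("data") or []
        yield from data
        seen += len(data)
        if not data or seen >= int(body.get("total", 0)):
            return
        page += 1


# Constructed stand-in for Kibana: five rule stubs, served per_page at a time.
_FAKE_RULES = [{"id": f"rule-{i}", "name": f"rule {i}", "enabled": i % 2 == 0}
               for i in range(1, 6)]


def fake_fetch(url: str) -> dict:
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    page, per_page = int(q["page"][0]), int(q["per_page"][0])
    start = (page - 1) * per_page
    return {"data": _FAKE_RULES[start:start + per_page], "page": page,
            "per_page": per_page, "total": len(_FAKE_RULES)}


def demo() -> List[str]:
    """Page through the fake with per_page=2 (three requests) and return the ids."""
    return [r["id"] for r in iter_rules("https://localhost:5601", per_page=2,
                                       filter_kql=rule_filter(enabled=True),
                                       fetch=fake_fetch)]


if __name__ == "__main__":
    print(demo())
```

For a live run, replace fake_fetch with the default transport by passing api_key instead of fetch; the API key's owner needs the read privileges described at the top of this page, and a rule the key cannot read is simply absent from data rather than reported as an error.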

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    • data array[object]
      • actions array[object] | null Required

        Default value is [] (empty).


        An action that runs under defined conditions.

        • alerts_filter object

          Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.

          • query object

            Defines a query filter that determines whether the action runs.

          • timeframe object

            Defines a period that limits whether the action runs.

            • days array[integer]

              Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            • hours object

              Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions can be generated all day.

              • end string

                The end of the time frame in 24-hour notation (hh:mm).

              • start string

                The start of the time frame in 24-hour notation (hh:mm).

            • timezone string

              The ISO time zone for the hours values (for example, America/New_York). Fixed offsets such as UTC and UTC+1 also work but have no built-in daylight saving time support and are not recommended.

        • connector_type_id string

          The type of connector. This property appears in responses but cannot be set in requests.

        • frequency object

          The properties that affect how often actions are generated. If the rule type supports setting summary to true, the action can be a summary of alerts at the specified notification interval. Otherwise, an action runs for each alert at the specified notification interval. NOTE: You cannot specify these parameters when notify_when or throttle are defined at the rule level.

          • notify_when string Required

            Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

            Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

          • summary boolean Required

            Indicates whether the action is a summary.

          • throttle string | null

            The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

        • group string Required

          The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

        • id string Required

          The identifier for the connector saved object.

        • params object Required

          The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        • uuid string

          A universally unique identifier (UUID) for the action.

      • alert_delay object

        Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

        • active number Required

          The number of consecutive runs that must meet the rule conditions.

      • api_key_created_by_user boolean

        Indicates whether the API key that is associated with the rule was created by the user.

      • api_key_owner string | null Required

        The owner of the API key that is associated with the rule and used to run background tasks.

      • consumer string Required

        The application or feature that owns the rule. For example, alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

      • created_at string(date-time) Required

        The date and time that the rule was created.

      • created_by string | null Required

        The identifier for the user that created the rule.

      • enabled boolean Required

        Indicates whether the rule is currently enabled.

      • execution_status object Required

        The status of the most recent rule run: status, last_duration, and last_execution_date, as shown in the response examples.

      • id string Required

        The identifier for the rule.

      • last_run object

        Details of the most recent rule run: outcome, warning, outcome_msg, and alerts_count (new, active, ignored, recovered), as shown in the response examples.

      • mute_all boolean Required

        Indicates whether all alerts for the rule are muted. The rule still runs and tracks alerts, but its actions are not invoked.

      • muted_alert_ids array[string] | null Required

        The identifiers of the individual alerts that are muted for this rule.

      • name string Required

        The name of the rule.

      • next_run string(date-time) | null

        The date and time of the next scheduled rule run.

      • notify_when string | null

        Indicates how often alerts generate actions.

      • params object Required

        The parameters for the rule.

      • revision integer

        The rule revision number.

      • rule_type_id string Required

        The identifier for the type of rule. For example, .es-query, .index-threshold, logs.alert.document.count, monitoring_alert_cluster_health, siem.thresholdRule, or xpack.ml.anomaly_detection_alert.

      • running boolean

        Indicates whether the rule is running.

      • schedule object Required

        The check interval, which specifies how frequently the rule conditions are checked. The interval is specified in seconds, minutes, hours, or days.

      • tags array[string] Required

        The tags for the rule.

        Default value is [] (empty).

      • throttle string | null Required Deprecated

        Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • updated_at string Required

        The date and time that the rule was updated most recently.

      • updated_by string | null Required

        The identifier for the user that updated this rule most recently.

    • page integer

      The page number that was returned.

    • per_page integer

      The number of rules returned per page.

    • total integer

      The total number of rules that match the query, across all pages.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

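The response attributes above carry most of what a detection-engineering review needs: whether a rule is enabled or muted, whether its last run succeeded, whose API key it runs under, and, per action, which connector receives the alert data and which time window the action is restricted to. The audit below is an added example for this page, not Kibana code. The first two sample rules are trimmed from the 200 response examples shown further down (with connector_type_id at the action level, as the first example has it); the third rule and the set of allowed connector types are constructed for illustration, and the checks themselves are opinionated defaults rather than anything the API prescribes.

```python
from typing import Iterable, List, Set, Tuple

Finding = Tuple[str, str, str]  # (rule id, finding code, detail)

# Assumption for the example: connectors an alert is expected to be routed to.
# Anything else (an .index or webhook connector, say) is worth a second look
# because alert data then leaves the expected notification path.
DEFAULT_ALLOWED_CONNECTORS: Set[str] = {".server-log", ".email", ".slack"}


def _window_is_restricted(timeframe: dict) -> bool:
    """True unless the alerts_filter.timeframe covers every day, all day.

    An empty days array means all days (per the attribute description), and
    00:00-24:00 means actions can be generated all day.
    """
    days = timeframe.get("days") or []
    hours = timeframe.get("hours") or {}
    all_days = not days or len(set(days)) == 7
    all_hours = (hours.get("start", "00:00") == "00:00"
                 and hours.get("end", "24:00") == "24:00")
    return not (all_days and all_hours)


def audit_rule(rule: dict, allowed_connectors: Set[str] = DEFAULT_ALLOWED_CONNECTORS) -> List[Finding]:
    """Return findings for one rule object from the _find response."""
    rid = rule.get("id", "?")
    findings: List[Finding] = []
    if not rule.get("enabled", False):
        findings.append((rid, "disabled", "rule is disabled and produces no alerts"))
    if rule.get("mute_all"):
        findings.append((rid, "muted_all", "mute_all is set; the rule runs but no action fires"))
    muted = rule.get("muted_alert_ids") or []
    if muted:
        findings.append((rid, "muted_alerts", f"{len(muted)} alert id(s) are muted"))
    status = (rule.get("execution_status") or {}).get("status")
    outcome = (rule.get("last_run") or {}).get("outcome")
    if status != "ok" or outcome not in (None, "succeeded"):
        findings.append((rid, "last_run_not_ok",
                         f"execution_status={status!r}, last_run.outcome={outcome!r}"))
    if rule.get("api_key_created_by_user"):
        findings.append((rid, "user_api_key",
                         f"runs under a user-supplied API key owned by {rule.get('api_key_owner')!r}"))
    for action in rule.get("actions") or []:
        ctype = action.get("connector_type_id")
        if ctype not in allowed_connectors:
            findings.append((rid, "unexpected_connector",
                             f"action {action.get('id')} uses connector type {ctype!r}"))
        tf = (action.get("alerts_filter") or {}).get("timeframe")
        if tf and _window_is_restricted(tf):
            hours = tf.get("hours") or {}
            findings.append((rid, "restricted_timeframe",
                             f"action {action.get('id')} only notifies on days {tf.get('days')} "
                             f"between {hours.get('start')} and {hours.get('end')} {tf.get('timezone')}"))
    return findings


def audit_rules(rules: Iterable[dict], **kwargs) -> List[Finding]:
    """Audit every rule in a (possibly paginated) _find result set."""
    out: List[Finding] = []
    for rule in rules:
        out.extend(audit_rule(rule, **kwargs))
    return out


# Sample input: two rules trimmed from this page's response examples, plus a
# constructed stale rule that trips every check.
SAMPLE_RULES = [
    {"id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb", "name": "security_rule", "enabled": True,
     "mute_all": False, "muted_alert_ids": [], "consumer": "siem", "rule_type_id": "siem.thresholdRule",
     "execution_status": {"status": "ok"}, "last_run": {"outcome": "succeeded"},
     "api_key_owner": "elastic", "api_key_created_by_user": False,
     "actions": [{"id": "49eae970-f401-11ed-9f8e-399c75a2deeb", "group": "default",
                  "connector_type_id": ".index",
                  "frequency": {"summary": True, "throttle": None, "notify_when": "onActiveAlert"},
                  "alerts_filter": {"timeframe": {"days": [7], "hours": {"start": "08:00", "end": "17:00"},
                                                  "timezone": "UTC"}}}]},
    {"id": "3583a470-74f6-11ed-9801-35303b735aef", "name": "my alert", "enabled": True,
     "mute_all": False, "muted_alert_ids": [], "consumer": "alerts", "rule_type_id": ".index-threshold",
     "execution_status": {"status": "ok"}, "last_run": {"outcome": "succeeded"},
     "api_key_owner": "elastic", "api_key_created_by_user": False,
     "actions": [{"id": "9dca3e00-74f5-11ed-9801-35303b735aef", "group": "threshold met",
                  "connector_type_id": ".server-log",
                  "frequency": {"summary": False, "throttle": None, "notify_when": "onActionGroupChange"}}]},
    {"id": "00000000-0000-4000-8000-000000000003", "name": "stale_rule", "enabled": False,  # constructed
     "mute_all": True, "muted_alert_ids": ["a1"], "consumer": "siem", "rule_type_id": "siem.queryRule",
     "execution_status": {"status": "error"}, "last_run": {"outcome": "failed"},
     "api_key_owner": "former_analyst", "api_key_created_by_user": True, "actions": []},
]

if __name__ == "__main__":
    for rule_id, code, detail in audit_rules(SAMPLE_RULES):
        print(f"{rule_id}  {code:<22} {detail}")
```

Feed it the data array from each page (or the output of a paginating client) rather than a single response, since total can exceed per_page. The restricted_timeframe finding is the one most often missed in review: the page's first example only notifies on Sundays between 08:00 and 17:00 UTC, so the rule itself keeps firing but nobody is told outside that window.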
GET /api/alerting/rules/_find
curl \
 -X GET https://localhost:5601/api/alerting/rules/_find
Response examples (200)
{
  "data": [
    {
      "id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "name": "security_rule",
      "tags": [],
      "params": {
        "to": "now",
        "from": "now-3660s",
        "meta": {
          "from": "1h",
          "kibana_siem_app_url": "https://localhost:5601/app/security"
        },
        "type": "threshold",
        "index": [
          "kibana_sample_data_logs"
        ],
        "query": "*",
        "author": [],
        "ruleId": "an_internal_rule_id",
        "threat": [],
        "filters": [],
        "license": "",
        "version": 1,
        "language": "kuery",
        "severity": "low",
        "immutable": false,
        "riskScore": 21,
        "threshold": {
          "field": [
            "bytes"
          ],
          "value": 1,
          "cardinality": []
        },
        "maxSignals": 100,
        "references": [],
        "description": "A security threshold rule.",
        "outputIndex": "",
        "exceptionsList": [],
        "falsePositives": [],
        "severityMapping": [],
        "riskScoreMapping": []
      },
      "actions": [
        {
          "id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "default",
          "params": {
            "documents": [
              {
                "rule_id": {
                  "[object Object]": null
                },
                "alert_id": {
                  "[object Object]": null
                },
                "rule_name": {
                  "[object Object]": null
                },
                "context_message": {
                  "[object Object]": null
                }
              }
            ]
          },
          "frequency": {
            "summary": true,
            "throttle": null,
            "notify_when": "onActiveAlert"
          },
          "alerts_filter": {
            "query": {
              "kql": "",
              "filters": [
                {
                  "meta": {
                    "key": "client.geo.region_iso_code",
                    "alias": null,
                    "field": "client.geo.region_iso_code",
                    "index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
                    "negate": false,
                    "params": {
                      "type": "phrase",
                      "query": "CA-QC"
                    },
                    "disabled": false
                  },
                  "query": {
                    "match_phrase": {
                      "client.geo.region_iso_code": "CA-QC"
                    }
                  },
                  "$state": {
                    "store": "appState"
                  }
                }
              ]
            },
            "timeframe": {
              "days": [
                7
              ],
              "hours": {
                "end": "17:00",
                "start": "08:00"
              },
              "timezone": "UTC"
            }
          },
          "connector_type_id": ".index"
        }
      ],
      "enabled": true,
      "running": false,
      "consumer": "siem",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": [
          "Rule execution completed successfully"
        ],
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        },
        "outcome_order": 0
      },
      "mute_all": false,
      "next_run": "2023-05-16T20:27:49.507Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2023-05-16T15:50:28.358Z",
      "created_by": "elastic",
      "updated_at": "2023-05-16T20:25:42.559Z",
      "updated_by": "elastic",
      "notify_when": null,
      "rule_type_id": "siem.thresholdRule",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 166,
        "last_execution_date": "2023-05-16T20:26:49.590Z"
      },
      "scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}
{
  "data": [
    {
      "id": "3583a470-74f6-11ed-9801-35303b735aef",
      "name": "my alert",
      "tags": [
        "cpu"
      ],
      "params": {
        "index": [
          "test-index"
        ],
        "aggType": "avg",
        "groupBy": "top",
        "aggField": "sheet.version",
        "termSize": 6,
        "termField": "name.keyword",
        "threshold": [
          1000
        ],
        "timeField": "@timestamp",
        "timeWindowSize": 5,
        "timeWindowUnit": "m",
        "thresholdComparator": ">"
      },
      "actions": [
        {
          "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "threshold met",
          "params": {
            "level": "info",
            "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
            "connector_type_id": ".server-log"
          },
          "frequency": {
            "summary": false,
            "throttle": null,
            "notify_when": "onActionGroupChange"
          }
        }
      ],
      "enabled": true,
      "consumer": "alerts",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": null,
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        }
      },
      "mute_all": false,
      "next_run": "2022-12-06T01:45:23.912Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2022-12-05T23:40:33.132Z",
      "created_by": "elastic",
      "updated_at": "2022-12-05T23:40:33.132Z",
      "updated_by": "elastic",
      "rule_type_id": ".index-threshold",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 48,
        "last_execution_date": "2022-12-06T01:44:23.983Z"
      },
      "scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}