List all detection rules (Beta)

Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.

Query parameters

- fields array[string]
- filter string. Search query.
- sort_field string. Field to sort by. Values are created_at, createdAt, enabled, execution_summary.last_execution.date, execution_summary.last_execution.metrics.execution_gap_duration_s, execution_summary.last_execution.metrics.total_indexing_duration_ms, execution_summary.last_execution.metrics.total_search_duration_ms, execution_summary.last_execution.status, name, risk_score, riskScore, severity, updated_at, or updatedAt.
- sort_order string. Sort order. Values are asc or desc.
- page integer. Page number. Minimum value is 1. Default value is 1.
- per_page integer. Rules per page. Minimum value is 0. Default value is 20.
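The following is an added example, not code from the Elastic reference page or from Kibana itself. It walks every page of this endpoint using the page, per_page, sort_field and sort_order parameters documented above, then reports rules whose execution_summary.last_execution.status is "failed" or "partial failure", whose execution_gap_duration_s is non-zero, or which are disabled (all fields the response section documents). The endpoint path /api/detection_engine/rules/_find, the response envelope {page, perPage, total, data} and API-key authentication are assumptions; the constructed sample rules are not real Elastic output.

```python
"""Added example (not from the Elastic reference page): walk every page of the
'List all detection rules' endpoint and report rules whose last execution did
not succeed, skipped a window of data, or are disabled.

Assumptions not stated on the page: the endpoint path
/api/detection_engine/rules/_find, the response envelope
{"page", "perPage", "total", "data": [...]}, and API-key authentication.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List

API_VERSION = "2023-10-31"  # from the page's "Elastic-Api-Version" response header
FetchPage = Callable[[int, int], Dict]  # (page, per_page) -> decoded JSON body


def make_http_fetcher(kibana_url: str, api_key: str,
                      sort_field: str = "name", sort_order: str = "asc") -> FetchPage:
    """Build a fetcher that calls Kibana over HTTP with the page's query parameters.
    The path and auth header are assumptions; the parameter names come from the page."""
    def fetch_page(page: int, per_page: int) -> Dict:
        query = urllib.parse.urlencode({
            "page": page,
            "per_page": per_page,
            "sort_field": sort_field,
            "sort_order": sort_order,
        })
        req = urllib.request.Request(
            f"{kibana_url.rstrip('/')}/api/detection_engine/rules/_find?{query}",
            headers={
                "Authorization": f"ApiKey {api_key}",
                "Elastic-Api-Version": API_VERSION,
                "kbn-xsrf": "true",
            },
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_page


def iter_rules(fetch_page: FetchPage, per_page: int = 100) -> Iterator[Dict]:
    """Yield every rule across pages. 'page' starts at 1 (the documented minimum and
    default); iteration stops once 'total' rules have been seen or a page is empty."""
    page, seen = 1, 0
    while True:
        body = fetch_page(page, per_page)
        data = body.get("data") or []
        if not data:
            return
        for rule in data:
            seen += 1
            yield rule
        if seen >= body.get("total", 0):
            return
        page += 1


def rule_health(rule: Dict) -> List[str]:
    """Return short tags for each problem found on one rule, [] if it looks healthy.
    Uses execution_summary.last_execution.status / metrics.execution_gap_duration_s
    and the top-level enabled flag, all of which the page documents."""
    problems: List[str] = []
    last = (rule.get("execution_summary") or {}).get("last_execution") or {}
    status = last.get("status")
    if status in ("failed", "partial failure"):
        problems.append(f"status={status}")
    gap = (last.get("metrics") or {}).get("execution_gap_duration_s") or 0
    if gap > 0:
        problems.append(f"gap={gap}s")
    if not rule.get("enabled", False):
        problems.append("disabled")
    return problems


def unhealthy_rules(rules) -> Dict[str, List[str]]:
    """Map rule name -> problem tags, for every rule that has at least one."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        problems = rule_health(rule)
        if problems:
            report[rule["name"]] = problems
    return report


# Constructed sample rules (not real Elastic output), shaped like the documented fields.
SAMPLE_RULES = [
    {"name": "Suspicious PowerShell Download", "enabled": True,
     "execution_summary": {"last_execution": {
         "status": "succeeded", "metrics": {"execution_gap_duration_s": 0}}}},
    {"name": "Rare SSH Login Source", "enabled": True,
     "execution_summary": {"last_execution": {
         "status": "partial failure", "metrics": {"execution_gap_duration_s": 0}}}},
    {"name": "Linux Cron Persistence", "enabled": False,
     "execution_summary": {"last_execution": {
         "status": "failed", "metrics": {"execution_gap_duration_s": 300}}}},
]


def make_fake_fetcher(rules: List[Dict]) -> FetchPage:
    """Offline stand-in for make_http_fetcher that serves the sample rules in pages."""
    def fetch_page(page: int, per_page: int) -> Dict:
        start = (page - 1) * per_page
        return {"page": page, "perPage": per_page, "total": len(rules),
                "data": rules[start:start + per_page]}
    return fetch_page


if __name__ == "__main__":
    # Swap in make_http_fetcher("https://kibana.example:5601", "<api key>") for a live run.
    rules = iter_rules(make_fake_fetcher(SAMPLE_RULES), per_page=2)
    for name, problems in unhealthy_rules(rules).items():
        print(f"{name}: {', '.join(problems)}")
```

The pagination loop stops on whichever comes first, an empty page or `total` rules seen, so it never issues a request past the last page; sorting by a stable field such as name keeps pages consistent while you iterate.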
Responses

- 200 application/json; Elastic-Api-Version=2023-10-31
  Successful response. The body is any of: Security_Detections_API_EqlRuleResponseFields object, Security_Detections_API_QueryRuleResponseFields object, Security_Detections_API_SavedQueryRuleResponseFields object, Security_Detections_API_ThresholdRuleResponseFields object, Security_Detections_API_ThreatMatchRuleResponseFields object, Security_Detections_API_MachineLearningRuleResponseFields object, Security_Detections_API_NewTermsRuleResponseFields object, or Security_Detections_API_EsqlRuleResponseFields object.

  Security_Detections_API_EqlRuleResponseFields object. Attributes:

  - actions object. Attributes:
    - The action type used for sending notifications.
    - alerts_filter object. Additional properties are allowed.
    - frequency object. The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). Additional properties are allowed. Attributes:
      - The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval. Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
      - Action summary: indicates whether a summary notification about all the generated alerts is sent, or one notification per individual alert.
    - group string. Optionally groups actions by use cases. Use default for alert notifications.
    - The connector ID.
    - Object containing the allowed connector fields, which vary according to the connector type. Additional properties are allowed.
    - uuid string(nonempty). A string that does not contain only whitespace characters. Minimum length is 1.
  - alias_purpose string. Values are savedObjectConversion or savedObjectImport.
  - alias_target_id string
  - building_block_type string. Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
  - Minimum length is 1.
  - Determines whether the rule is enabled.
  - exceptions_list object. Attributes:
    - A string that does not contain only whitespace characters. Minimum length is 1.
    - A string that does not contain only whitespace characters. Minimum length is 1.
    - Determines the exceptions' validity in the rule's Kibana space. Values are agnostic or single.
    - The exception type. Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
  - Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
  - Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
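The two fields just described interact: if the lookback window is shorter than the execution frequency, every run leaves a slice of time that no run ever queries, which is exactly the "execution gap" the execution_summary metrics later report. The defaults (now-6m against 5m) give one minute of overlap instead. The following is an added example, not code from the Elastic reference page or from Kibana; it assumes the two fields are the rule's `from` and `interval` values (the page shows their semantics and defaults but not their names), handles only the now-<n><unit> and <n><unit> forms the page uses, and ignores date-math rounding such as /h. The sample rule windows are constructed.

```python
"""Added example (not from the Elastic reference page): check whether a rule's
lookback window covers its execution interval.

Assumes the fields are named `from` (e.g. "now-6m") and `interval` (e.g. "5m");
only the 'now-<n><unit>' and '<n><unit>' forms are handled.
"""
import re
from typing import Dict, List, Tuple

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def duration_seconds(value: str) -> int:
    """Parse an interval such as '5m', '1h' or '4200s' into seconds."""
    match = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not match:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def lookback_seconds(from_value: str) -> int:
    """Parse a 'from' range of the form 'now-<duration>' into seconds before now.
    'now' alone means no lookback at all."""
    value = from_value.strip()
    if value == "now":
        return 0
    match = re.fullmatch(r"now-(\d+[smhd])", value)
    if not match:
        raise ValueError(f"unsupported date math range: {from_value!r}")
    return duration_seconds(match.group(1))


def coverage(from_value: str = "now-6m", interval: str = "5m") -> Tuple[int, int]:
    """Return (overlap, gap) in seconds between consecutive runs.
    overlap > 0: each run re-reads data the previous run already saw, so events that
    arrive late still get a chance to match.
    gap > 0: events landing in that slice of every interval are never queried."""
    look = lookback_seconds(from_value)
    every = duration_seconds(interval)
    return max(0, look - every), max(0, every - look)


def check_rules(rules: List[Dict]) -> Dict[str, int]:
    """Map rule name -> seconds of uncovered time per interval, for rules with a gap.
    Expects dicts with 'name', 'from' and 'interval' keys (constructed shape)."""
    report: Dict[str, int] = {}
    for rule in rules:
        gap = coverage(rule["from"], rule["interval"])[1]
        if gap > 0:
            report[rule["name"]] = gap
    return report


# Constructed sample windows (not real rules); the last one uses the page's 4200s example.
SAMPLE_WINDOWS = [
    {"name": "Defaults", "from": "now-6m", "interval": "5m"},
    {"name": "Hourly with short lookback", "from": "now-5m", "interval": "1h"},
    {"name": "Hourly with 70-minute lookback", "from": "now-4200s", "interval": "1h"},
]

if __name__ == "__main__":
    for name, gap in check_rules(SAMPLE_WINDOWS).items():
        print(f"{name}: {gap}s of every interval is never queried")
```

Run this over the rules returned by the list endpoint to find windows that silently drop events; a modest overlap, as in the defaults, is the safe configuration because the engine deduplicates alerts for events it has already matched.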
  - investigation_fields object. Schema for fields relating to investigation fields. These are user-defined fields we use to highlight in various features in the UI, such as the alert details flyout and exceptions auto-population from an alert. Added in PR #163235. Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override, where a user might say if they want only these fields to display, or if they want these fields plus the fields we select. When expanding this field, it may look something like: const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), }); Additional properties are allowed. Attribute:
    - A string that does not contain only whitespace characters. At least 1 element. Minimum length of each is 1.
  - license string. The rule's license.
  - Minimum value is 1.
  - meta object. Additional properties are allowed.
  - Minimum length is 1.
  - namespace string. Has no effect.
  - note string. Notes to help investigate alerts produced by the rule.
  - outcome string. Values are exactMatch, aliasMatch, or conflict.
  - (deprecated) Has no effect.
  - related_integrations object. Attributes:
    - integration string(nonempty). A string that does not contain only whitespace characters. Minimum length is 1.
    - A string that does not contain only whitespace characters. Minimum length is 1.
    - A string that does not contain only whitespace characters. Minimum length is 1.
  - required_fields object
  - response_actions array[object]. One of:
    - Object with attributes:
      - Value is .osquery.
      - params object. Additional properties are allowed. Attributes:
        - ecs_mapping object
        - pack_id string
        - queries array[object]
        - query string
        - saved_query_id string
        - timeout number
  - Risk score (0 to 100). Minimum value is 0, maximum value is 100.
  - risk_score_mapping object. Overrides generated alerts' risk_score with a value from the source event. Attributes:
    - Value is equals.
    - risk_score integer. Risk score (0 to 100). Minimum value is 0, maximum value is 100.
  - rule_name_override string. Sets the source field for the alert's signal.rule.name value.
  - Severity of the rule. Values are low, medium, high, or critical.
  - Overrides generated alerts' severity with values from the source event.
  - String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
  - threat object. Attributes:
    - Relevant attack framework
    - Additional properties are allowed.
    - technique array[object]. Array containing information on the attack techniques (optional). Attributes:
      - Technique ID
      - Technique name
      - Technique reference
      - subtechnique array[object]. Array containing more specific information on the attack technique.
  - timeline_id string. Timeline template ID.
  - timeline_title string. Timeline template title.
  - timestamp_override string. Sets the time field used to query indices.
  - Disables the fallback to the event's @timestamp field.
  - The rule's version number. Minimum value is 1.
  - execution_summary object. Additional properties are allowed. Attribute:
    - last_execution object. Additional properties are allowed. Attributes:
      - Date of the last execution
      - metrics object. Additional properties are allowed. Attributes:
        - execution_gap_duration_s integer. Duration in seconds of the execution gap. Minimum value is 0.
        - total_enrichment_duration_ms integer. Total time spent enriching documents during the current rule execution cycle. Minimum value is 0.
        - total_indexing_duration_ms integer. Total time spent indexing documents during the current rule execution cycle. Minimum value is 0.
        - total_search_duration_ms integer. Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing the request and response. Minimum value is 0.
      - Status of the last execution. Values are going to run, running, partial failure, failed, or succeeded.
  - A universally unique identifier
  - This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
  - Minimum value is 0.
  - Could be any string, not necessarily a UUID
  - rule_source object (Required). Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. One of:
    - Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. Attributes:
      - Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
      - Value is external.
    - Type of rule source for internally sourced rules, i.e. created within the Kibana apps. Attribute:
      - Value is internal.
  - Query language to use. Value is eql.
  - EQL query to execute
  - Rule type. Value is eql.
  - alert_suppression object. Additional properties are allowed. Attributes:
    - duration object. Additional properties are allowed.
    - At least 1 but not more than 3 elements.
    - missing_fields_strategy string. Describes how alerts are generated for documents that lack the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress creates only one alert per suppress-by bucket. Values are doNotSuppress or suppress.
  - data_view_id string
  - event_category_override string
  - filters array
  - index array[string]
  - tiebreaker_field string. Sets a secondary field for sorting events.
  - timestamp_field string. Contains the event timestamp used for sorting a sequence of events.
  Security_Detections_API_QueryRuleResponseFields object. Attributes: the common rule fields listed for the EQL rule response above (actions through rule_source), plus:
  - Rule type. Value is query.
  - alert_suppression object. Additional properties are allowed. Attributes:
    - duration object. Additional properties are allowed.
    - At least 1 but not more than 3 elements.
    - missing_fields_strategy string. Describes how alerts are generated for documents that lack the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress creates only one alert per suppress-by bucket. Values are doNotSuppress or suppress.
  - data_view_id string
  - filters array
  - index array[string]
  - saved_id string
  - Values are kuery or lucene.
  - EQL query to execute
  Security_Detections_API_SavedQueryRuleResponseFields object. Attributes: the common rule fields listed for the EQL rule response above (actions through rule_source), plus:
  - Rule type. Value is saved_query.
  - alert_suppression object. Additional properties are allowed. Attributes:
    - duration object. Additional properties are allowed.
    - At least 1 but not more than 3 elements.
    - missing_fields_strategy string. Describes how alerts are generated for documents that lack the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress creates only one alert per suppress-by bucket. Values are doNotSuppress or suppress.
  - data_view_id string
  - filters array
  - index array[string]
  - query string. EQL query to execute
  - Values are kuery or lucene.
  The next response variant in the list above begins with the same common rule fields listed for the EQL rule response.
going to run
,running
,partial failure
,failed
, orsucceeded
.
-
-
-
A universally unique identifier
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_source
field. -
Minimum value is
0
. -
Could be any string, not necessarily a UUID
rule_source object Required
Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
Value is
external
.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
Value is
internal
.
-
-
EQL query to execute
-
Additional properties are allowed.
Hide threshold attributes Show threshold attributes object
-
cardinality array[object]
field string | array[string] Required
Field to aggregate on
-
Threshold value
Minimum value is
1
.
-
-
Rule type
Value is
threshold
. -
alert_suppression object
Additional properties are allowed.
-
data_view_id string
-
filters array
-
index array[string]
-
saved_id string
-
Values are
kuery
orlucene
.
The common rule response attributes for the threat_match variant (actions through rule_source) are identical to those listed for the threshold variant above and are not repeated here. The threat_match-specific attributes follow.
- query string
EQL query to execute
- threat_index array[string]
At least 1 element.
- threat_mapping array[object]
threat_mapping attribute:
  - entries array[object]
- threat_query string
Query to run
- type string
Rule type. Value is threat_match.
- alert_suppression object
Additional properties are allowed.
alert_suppression attributes:
  - duration object
  Additional properties are allowed.
  - group_by array[string]
  At least 1 but not more than 3 elements.
  - missing_fields_strategy string
  Describes how alerts will be generated for documents with missing suppress-by fields: doNotSuppress - a separate alert will be created for each document; suppress - only one alert will be created per suppress-by bucket. Values are doNotSuppress or suppress.
- concurrent_searches integer
Minimum value is 1.
- data_view_id string
- filters array
- index array[string]
- items_per_search integer
Minimum value is 1.
- saved_id string
- threat_filters array
Query and filter context array used to filter documents from the Elasticsearch index containing the threat values.
- threat_indicator_path string
Defines the path to the threat indicator in the indicator documents (optional).
- threat_language string
Values are kuery or lucene.
- language string
Values are kuery or lucene.
The common rule response attributes for the machine_learning variant (actions through rule_source) are identical to those listed for the threshold variant above and are not repeated here. The machine_learning-specific attributes follow.
- anomaly_threshold integer
Anomaly threshold. Minimum value is 0.
- machine_learning_job_id string | array[string] Required
Machine learning job ID. One of: a single string, or an array with at least 1 element.
- type string
Rule type. Value is machine_learning.
- alert_suppression object
Additional properties are allowed.
alert_suppression attributes:
  - duration object
  Additional properties are allowed.
  - group_by array[string]
  At least 1 but not more than 3 elements.
  - missing_fields_strategy string
  Describes how alerts will be generated for documents with missing suppress-by fields: doNotSuppress - a separate alert will be created for each document; suppress - only one alert will be created per suppress-by bucket. Values are doNotSuppress or suppress.
The common rule response attributes for the new_terms variant (actions through rule_source) are identical to those listed for the threshold variant above and are not repeated here. The new_terms-specific attributes follow.
- history_window_start string(nonempty)
A string that does not contain only whitespace characters. Minimum length is 1.
- new_terms_fields array[string]
At least 1 but not more than 3 elements.
- query string
EQL query to execute
- type string
Rule type. Value is new_terms.
- alert_suppression object
Additional properties are allowed.
alert_suppression attributes:
  - duration object
  Additional properties are allowed.
  - group_by array[string]
  At least 1 but not more than 3 elements.
  - missing_fields_strategy string
  Describes how alerts will be generated for documents with missing suppress-by fields: doNotSuppress - a separate alert will be created for each document; suppress - only one alert will be created per suppress-by bucket. Values are doNotSuppress or suppress.
- data_view_id string
- filters array
- index array[string]
- language string
Values are kuery or lucene.
Hide attributes Show attributes
-
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications.
-
alerts_filter object
Additional properties are allowed.
-
frequency object
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Additional properties are allowed.
Hide frequency attributes Show frequency attributes object
-
The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
Values are
onActiveAlert
,onThrottleInterval
, oronActionGroupChange
. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group string
Optionally groups actions by use cases. Use
default
for alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
Additional properties are allowed.
-
uuid string(nonempty)
A string that does not contain only whitespace characters
Minimum length is
1
.
-
-
alias_purpose string
Values are
savedObjectConversion
orsavedObjectImport
. -
alias_target_id string
-
building_block_type string
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
Minimum length is
1
. -
Determines whether the rule is enabled.
-
Hide exceptions_list attributes Show exceptions_list attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1
. -
A string that does not contain only whitespace characters
Minimum length is
1
. -
Determines the exceptions validity in rule's Kibana space
Values are
agnostic
orsingle
. -
The exception type
Values are
detection
,rule_default
,endpoint
,endpoint_trusted_apps
,endpoint_events
,endpoint_host_isolation_exceptions
, orendpoint_blocklists
.
-
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields object
Schema for fields relating to investigation fields. These are user-defined fields used to highlight in various features in the UI, such as the alert details flyout and exceptions auto-population from an alert. Added in PR #163235. Right now there is only a single field, but more related fields are anticipated to store various configuration states, such as override, where a user might say whether they want only these fields to display, or these fields plus the fields we select. When expanded, it may look something like: const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
Additional properties are allowed.
investigation_fields attributes
-
field_names array[string(nonempty)]
A string that does not contain only whitespace characters. At least 1 element. Minimum length of each is 1.
-
-
license string
The rule's license.
-
max_signals integer
Minimum value is 1.
-
meta object
Additional properties are allowed.
-
name string(nonempty)
Minimum length is 1.
-
namespace string
Has no effect.
-
note string
Notes to help investigate alerts produced by the rule.
-
outcome string
Values are exactMatch, aliasMatch, or conflict.
-
output_index string (deprecated)
Has no effect.
-
related_integrations object attributes
-
integration string(nonempty)
A string that does not contain only whitespace characters. Minimum length is 1.
-
package string(nonempty)
A string that does not contain only whitespace characters. Minimum length is 1.
-
version string(nonempty)
A string that does not contain only whitespace characters. Minimum length is 1.
-
-
required_fields object attributes
-
response_actions array[object]
One of:
-
action_type_id string
Value is .osquery.
-
params object
Additional properties are allowed.
params attributes
-
ecs_mapping object
-
pack_id string
-
queries array[object]
-
query string
-
saved_query_id string
-
timeout number
-
-
-
risk_score integer
Risk score (0 to 100)
Minimum value is 0, maximum value is 100.
-
risk_score_mapping array[object]
Overrides generated alerts' risk_score with a value from the source event
risk_score_mapping attributes
-
operator string
Value is equals.
-
risk_score integer
Risk score (0 to 100)
Minimum value is 0, maximum value is 100.
-
rule_name_override string
Sets the source field for the alert's signal.rule.name value
-
severity string
Severity of the rule
Values are low, medium, high, or critical.
-
severity_mapping array[object]
Overrides generated alerts' severity with values from the source event
-
tags array[string]
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat object attributes
-
framework string
Relevant attack framework
-
tactic object
Additional properties are allowed.
-
technique array[object]
Array containing information on the attack techniques (optional)
technique attributes
-
id string
Technique ID
-
name string
Technique name
-
reference string
Technique reference
-
subtechnique array[object]
Array containing more specific information on the attack technique
-
-
-
timeline_id string
Timeline template ID
-
timeline_title string
Timeline template title
-
timestamp_override string
Sets the time field used to query indices
-
timestamp_override_fallback_disabled boolean
Disables the fallback to the event's @timestamp field
-
version integer
The rule's version number.
Minimum value is 1.
-
execution_summary object
Additional properties are allowed.
-
last_execution object
Additional properties are allowed.
-
date string
Date of the last execution
-
metrics object
Additional properties are allowed.
-
execution_gap_duration_s integer
Duration in seconds of the execution gap
Minimum value is 0.
-
total_enrichment_duration_ms integer
Total time spent enriching documents during the current rule execution cycle
Minimum value is 0.
-
total_indexing_duration_ms integer
Total time spent indexing documents during the current rule execution cycle
Minimum value is 0.
-
total_search_duration_ms integer
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is 0.
-
-
status string
Status of the last execution
Values are going to run, running, partial failure, failed, or succeeded.
-
-
-
id string
A universally unique identifier
-
immutable boolean
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.
-
revision integer
Minimum value is 0.
-
rule_id string
Could be any string, not necessarily a UUID
rule_source object Required
Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of:
Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
-
is_customized boolean
Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type string
Value is external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
-
type string
Value is internal.
-
-
alert_suppression object
Additional properties are allowed.
alert_suppression attributes
-
duration object
Additional properties are allowed.
-
group_by array[string]
At least 1 but not more than 3 elements.
-
missing_fields_strategy string
Describes how alerts are generated for documents that are missing the suppress-by fields: doNotSuppress - a separate alert is created for each document; suppress - only one alert is created per suppress-by bucket.
Values are doNotSuppress or suppress.
-
-
language string
Value is esql.
-
query string
EQL query to execute
-
type string
Rule type
Value is esql.
-
-
curl \
-X GET https://<KIBANA_URL>/api/detection_engine/rules/_find
{
"data": [
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2024-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2024-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2024-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
],
"page": 42,
"perPage": 42,
"total": 42
}
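An added example, not code from the Elastic docs or from Kibana: it parses the from and interval formats documented above (now-4200s, now-6m, 5m, 1h) and audits a _find response for rules whose last execution status is unhealthy, that report an execution gap, or whose lookback window is shorter than their run interval. The response, rule IDs and metric values are constructed for the example.

```python
import re
# Added example, not Kibana's own code: parse the documented `from`/`interval`
# formats and audit a `_find` response for rules that need attention.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
HEALTHY = {"succeeded", "going to run", "running"}

def duration_seconds(value: str) -> int:
    """Parse an interval such as '5m' or '1h' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def lookback_seconds(from_value: str) -> int:
    """Parse a 'from' date-math range such as 'now-6m' or 'now-4200s'."""
    m = re.fullmatch(r"now-(\d+[smhd])", from_value.strip())
    if not m:
        raise ValueError(f"unsupported date math: {from_value!r}")
    return duration_seconds(m.group(1))

def audit_rules(response: dict) -> list:
    """One finding per problem: unhealthy status, reported gap, lookback < interval."""
    findings = []
    for rule in response["data"]:
        rid = rule["rule_id"]
        last = rule.get("execution_summary", {}).get("last_execution", {})
        status = last.get("status")
        if status and status not in HEALTHY:
            findings.append((rid, "status", status))
        gap = last.get("metrics", {}).get("execution_gap_duration_s", 0)
        if gap:
            findings.append((rid, "execution_gap_s", gap))
        # Documented defaults: from=now-6m, interval=5m. A lookback shorter
        # than the interval leaves events between two runs unexamined.
        lookback = lookback_seconds(rule.get("from", "now-6m"))
        interval = duration_seconds(rule.get("interval", "5m"))
        if lookback < interval:
            findings.append((rid, "lookback_lt_interval", f"{lookback}s<{interval}s"))
    return findings

# Constructed sample in the documented response shape (one page, two rules).
SAMPLE = {"page": 1, "perPage": 20, "total": 2, "data": [
    {"rule_id": "rule-a", "from": "now-4200s", "interval": "1h",
     "execution_summary": {"last_execution": {"status": "succeeded",
         "metrics": {"execution_gap_duration_s": 0}}}},
    {"rule_id": "rule-b", "from": "now-6m", "interval": "15m",
     "execution_summary": {"last_execution": {"status": "partial failure",
         "metrics": {"execution_gap_duration_s": 900}}}},
]}
```

Against a live instance, feed each page returned by _find (page, per_page, total) through audit_rules and collect the findings across pages.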