Index endpoint
editIndex endpoint
editYou use the index endpoint to create, get, and delete
.siem-signals-<Kibana-space> system indices in a Kibana space.
The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.
Signal indices store detection alerts.
For information about the permissions and privileges required to create
.siem-signals-<Kibana-space> indices, see Enable and access detections.
When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {
"rollover": {
"max_size": "50gb",
"max_age": "30d"
}
}
}
}
}
}
The policy and rollover_alias use the same name as the signal index.
Create index
editCreates a signal index. The naming convention for the index is
.siem-signals-<space name>.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/index
Example request
editCreates a signal index in the Kibana siem space.
POST s/siem/api/detection_engine/index
Response code
edit-
200 - Indicates a successful call.
Get index
editGets the signal index name if it exists.
Request URL
editGET <kibana host>:<port>/api/detection_engine/index
Example request
editGets the signal index for the Kibana siem space:
GET s/siem/api/detection_engine/index
Response code
edit-
200 - Indicates a successful call.
-
404 - Indicates no index exists.
Example responses
editExample response when index exists:
{
"name": ".siem-signals-siem"
}
Example response when no index exists:
{
"statusCode": 404,
"error": "Not Found",
"message": "index for this space does not exist"
}