IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Get rule
editGet rule
editRetrieves a single rule using the rule_id
or id
field.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Request URL
editGET <kibana host>:<port>/api/detection_engine/rules
URL query parameters
editThe URL query must include one of the following:
-
id
-GET /api/detection_engine/rules?id=<id>
-
rule_id
-GET /api/detection_engine/rules?rule_id=<rule_id>
Example request
editRetrieves the rule with an id
value of c41d170b-8ba6-4de6-b8ec-76440a35ace3
:
GET api/detection_engine/rules?id=c41d170b-8ba6-4de6-b8ec-76440a35ace3
Response code
edit-
200
- Indicates a successful call.
Response payload
editThe returned rule’s JSON object.
Example response:
{ "created_at": "2020-02-03T11:19:04.259Z", "updated_at": "2020-02-03T11:19:04.462Z", "created_by": "elastic", "description": "Process started by MS Office program in user folder", "enabled": false, "false_positives": [], "filters": [ { "query": { "match": { "event.action": { "query": "Process Create (rule: ProcessCreate)", "type": "phrase" } } } } ], "from": "now-4200s", "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3", "immutable": false, "interval": "1h", "rule_id": "process_started_by_ms_office_user_folder", "language": "kuery", "output_index": ".siem-signals-siem-test", "max_signals": 100, "risk_score": 21, "name": "MS Office child process", "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", "references": [], "severity": "low", "updated_by": "elastic", "tags": [ "child process", "ms office" ], "to": "now-300s", "type": "query", "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "reference": "https://attack.mitre.org/tactics/TA0001", "name": "Initial Access" }, "technique": [ { "id": "T1193", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1193" } ] } ], "version": 1 }