Index endpoint

You use the index endpoint to create, get, and delete .siem-signals-<Kibana-space> system indices in a Kibana space.

Signal indices store detection alerts.

For information about the permissions and privileges required to create .siem-signals-<Kibana-space> indices, see Enable and access detections.

When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:

{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      }
    }
  }
}

The policy and rollover_alias use the same name as the signal index.

To reduce clutter on your hot tier, we highly recommend adding a delete action to this ILM policy. Otherwise, the signal indices will remain on your hot tier indefinitely.

Create index

Creates a signal index. The naming convention for the index is .siem-signals-<space name>.

Request URL

POST <kibana host>:<port>/api/detection_engine/index

Example request

Creates a signal index in the Kibana siem space.

POST s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.

Get index

Gets the signal index name if it exists.

Request URL

GET <kibana host>:<port>/api/detection_engine/index

Example request

Gets the signal index for the Kibana siem space:

GET s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.
404
Indicates no index exists.
Example responses

Example response when index exists:

{
  "name": ".siem-signals-siem"
}

Example response when no index exists:

{
  "statusCode": 404,
  "error": "Not Found",
  "message": "index for this space does not exist"
}

Delete index

Deletes the signal index.

This deletes Elastic Security 7.x signals indices (.siem-signals-<space-id>) only. It does not delete 8.x alert indices (.alerts-security.alerts-<space-id>).

Request URL

DELETE <kibana host>:<port>/api/detection_engine/index

Example request

Deletes the signal index for the Kibana siem space:

DELETE s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.
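The following script is an added example, not code from Elastic's documentation or product. It serves two points on this page: it takes the default ILM policy shown above, checks whether it will ever delete signal indices, and produces a copy with the recommended delete phase added; and it builds the space-scoped create/get/delete requests for the index endpoint. The Kibana URL, the 90d retention and the kbn-xsrf header are assumptions (kbn-xsrf is general Kibana API behaviour, not something this page states); authentication is left to the caller.

```python
import copy
from urllib.request import Request

# The default ILM policy that the create-index call attaches to a signal index (copied from the page).
DEFAULT_SIGNAL_POLICY = {
    "policy": {
        "phases": {
            "hot": {
                "min_age": "0ms",
                "actions": {"rollover": {"max_size": "50gb", "max_age": "30d"}},
            }
        }
    }
}


def signal_index_name(space: str) -> str:
    """The signal index, its ILM policy and its rollover_alias all share this name."""
    return f".siem-signals-{space}"


def has_delete_action(policy: dict) -> bool:
    """True only when the policy has a delete phase that actually deletes the index."""
    delete_phase = policy.get("policy", {}).get("phases", {}).get("delete", {})
    return "delete" in delete_phase.get("actions", {})


def with_delete_phase(policy: dict, min_age: str = "90d") -> dict:
    """Return a copy of the policy with a delete phase so rolled-over indices leave the hot tier.

    min_age is counted from rollover; 90d is an assumed retention, not a value from the page.
    """
    hardened = copy.deepcopy(policy)
    hardened["policy"]["phases"]["delete"] = {"min_age": min_age, "actions": {"delete": {}}}
    return hardened


def signal_index_request(kibana_url: str, space: str, method: str) -> Request:
    """Build the space-scoped request for /api/detection_engine/index (POST, GET or DELETE).

    Kibana requires the kbn-xsrf header on non-GET API calls (assumption: general Kibana
    behaviour, not stated on this page); it is harmless on GET, so it is always set.
    """
    url = f"{kibana_url.rstrip('/')}/s/{space}/api/detection_engine/index"
    req = Request(url, method=method.upper())
    req.add_header("kbn-xsrf", "true")
    return req


if __name__ == "__main__":
    print(has_delete_action(DEFAULT_SIGNAL_POLICY))                      # False
    print(has_delete_action(with_delete_phase(DEFAULT_SIGNAL_POLICY)))   # True
```

The hardened policy is meant to be written back with PUT _ilm/policy/<name> on Elasticsearch, where <name> is the value returned by signal_index_name for the space.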