Find rules
editFind rules
editRetrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.
Request URL
editGET <kibana host>:<port>/api/detection_engine/rules/_find
URL query parameters
editAll parameters are optional:
| Name | Type | Description |
|---|---|---|
|
Integer |
The page number to return. |
|
Integer |
The number of rules to return per page. |
|
String |
Determines which field is used to sort the results. |
|
String |
Determines the sort order, which can be |
|
String |
Filters the returned results according to the value of the
specified field, using the
Even though the JSON rule object uses |
Example request
editRetrieves the first five rules with the word windows in their names, sorted
in ascending order:
GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows
Response code
edit-
200 - Indicates a successful call.
Response payload
editA JSON object containing a summary and the returned rules.
Example response:
{
"page": 1,
"perPage": 5,
"total": 4,
"data": [
{
"created_at": "2020-02-02T10:05:19.613Z",
"updated_at": "2020-02-02T10:05:19.830Z",
"created_by": "elastic",
"description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
"enabled": false,
"false_positives": [],
"from": "now-6m",
"id": "89761517-fdb0-4223-b67b-7621acc48f9e",
"immutable": true,
"index": [
"winlogbeat-*"
],
"interval": "5m",
"rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
"language": "kuery",
"max_signals": 33,
"risk_score": 21,
"name": "Windows Script Executing PowerShell",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
"references": [],
"severity": "low",
"updated_by": "elastic",
"tags": [
"Elastic",
"Windows"
],
"to": "now",
"related_integrations": [],
"required_fields": [],
"setup": "",
"type": "query",
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1193",
"name": "Spearphishing Attachment",
"reference": "https://attack.mitre.org/techniques/T1193/"
}
]
}
],
"execution_summary": {
"last_execution": {
"date": "2022-03-23T16:06:12.787Z",
"status": "partial failure",
"status_order": 20,
"message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
"metrics": {
"total_search_duration_ms": 135,
"total_indexing_duration_ms": 15,
"execution_gap_duration_s": 0,
}
}
},
"version": 1
},
...
]
}
|
[dev]
This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features.
These fields are under development and their usage or schema may change: |