Find rules
Retrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.
Request URL
GET <kibana host>:<port>/api/detection_engine/rules/_find
URL query parameters
All parameters are optional:

Name | Type | Description
---|---|---
`page` | Integer | The page number to return.
`per_page` | Integer | The number of rules to return per page.
`sort_field` | String | Determines which field is used to sort the results.
`sort_order` | String | Determines the sort order, which can be `asc` or `desc`.
`filter` | String | Filters the returned results according to the value of the specified field, using the `alert.attributes.<field name>:<field value>` syntax. Even though the JSON rule object uses
Example request
Retrieves the first five rules with the word `windows` in their names, sorted by `enabled` in ascending order:
GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows
Response code
- 200: Indicates a successful call.
Response payload
A JSON object containing a summary and the returned rules.
Example response:
```json
{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": ["winlogbeat-*"],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": ["Elastic", "Windows"],
      "to": "now",
      "related_integrations": [],
      "required_fields": [],
      "setup": "",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": "https://attack.mitre.org/tactics/TA0002/"
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": "https://attack.mitre.org/techniques/T1193/"
            }
          ]
        }
      ],
      "execution_summary": {
        "last_execution": {
          "date": "2022-03-23T16:06:12.787Z",
          "status": "partial failure",
          "status_order": 20,
          "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
          "metrics": {
            "total_search_duration_ms": 135,
            "total_indexing_duration_ms": 15,
            "execution_gap_duration_s": 0
          }
        }
      },
      "version": 1
    },
    ...
  ]
}
```
[dev]
This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features.
These fields are under development and their usage or schema may change:
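As an added example (not part of the Kibana documentation), the script below walks every page of the find endpoint using `page`/`per_page` and the returned `total`, then reports rules whose `execution_summary.last_execution.status` is not `succeeded`, such as the partial failure in the response above where the rule's index pattern matched no index. `kibana_fetch` assumes API-key authentication and a `kbn-xsrf` header, `base_url` and `api_key` are placeholders, and the sample pages are constructed to mirror the endpoint's shape.

```python
import json
import urllib.parse
import urllib.request
FIND_PATH = "/api/detection_engine/rules/_find"

def kibana_fetch(base_url, api_key):
    """fetch(params) for a live Kibana; base_url/api_key are placeholders."""
    def fetch(params):
        url = base_url + FIND_PATH + "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, headers={  # ApiKey auth assumed
            "Authorization": "ApiKey " + api_key, "kbn-xsrf": "true"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def iter_rules(fetch, per_page=20, rule_filter=None):
    """Yield every rule, advancing `page` until `total` rules have been seen."""
    page, seen = 1, 0
    while True:
        params = {"page": page, "per_page": per_page}
        if rule_filter:
            params["filter"] = rule_filter  # e.g. alert.attributes.name:windows
        body = fetch(params)
        for rule in body["data"]:
            seen += 1
            yield rule
        if not body["data"] or seen >= body["total"]:
            return  # an empty page also stops the walk if `total` shrank mid-way
        page += 1

def unhealthy_rules(rules):
    """Map rule name -> last execution status for rules that did not succeed."""
    report = {}
    for rule in rules:
        last = rule.get("execution_summary", {}).get("last_execution", {})
        if last.get("status") not in (None, "succeeded"):
            report[rule["name"]] = last["status"]
    return report

def _rule(name, status):  # constructed sample rule, trimmed to the fields used
    return {"name": name, "execution_summary": {"last_execution": {"status": status}}}
SAMPLE_PAGES = {  # constructed pages in the endpoint's shape: total=3, 2 per page
    1: {"page": 1, "perPage": 2, "total": 3, "data": [
        _rule("Windows Script Executing PowerShell", "partial failure"),
        _rule("Rule B", "succeeded")]},
    2: {"page": 2, "perPage": 2, "total": 3, "data": [_rule("Rule C", "failed")]},
}
def sample_fetch(params):
    return SAMPLE_PAGES[params["page"]]
```

Swap `sample_fetch` for `kibana_fetch("https://kibana.example:5601", "<api key>")` to run the same walk against a real instance.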