Get rule

Retrieves a single rule using the rule_id or id field.

Request URL

GET <kibana host>:<port>/api/detection_engine/rules

URL query parameters

The URL query must include one of the following:

  • id - GET /api/detection_engine/rules?id=<id>
  • rule_id - GET /api/detection_engine/rules?rule_id=<rule_id>

Example request

Retrieves the rule with an id value of c41d170b-8ba6-4de6-b8ec-76440a35ace3:

GET api/detection_engine/rules?id=c41d170b-8ba6-4de6-b8ec-76440a35ace3

Response code

200
    Indicates a successful call.

Response payload

The returned rule’s JSON object.

Example response:

{
  "created_at": "2020-02-03T11:19:04.259Z",
  "updated_at": "2020-02-03T11:19:04.462Z",
  "created_by": "elastic",
  "description": "Process started by MS Office program in user folder",
  "enabled": false,
  "false_positives": [],
  "filters": [
    {
      "query": {
        "match": {
          "event.action": {
            "query": "Process Create (rule: ProcessCreate)",
            "type": "phrase"
          }
        }
      }
    }
  ],
  "from": "now-4200s",
  "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3",
  "immutable": false,
  "interval": "1h",
  "rule_id": "process_started_by_ms_office_user_folder",
  "related_integrations": [],
  "required_fields": [],
  "setup": "",
  "language": "kuery",
  "max_signals": 100,
  "risk_score": 21,
  "name": "MS Office child process",
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "references": [],
  "severity": "low",
  "updated_by": "elastic",
  "tags": [
    "child process",
    "ms office"
  ],
  "to": "now-300s",
  "type": "query",
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0001",
        "reference": "https://attack.mitre.org/tactics/TA0001",
        "name": "Initial Access"
      },
      "technique": [
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "reference": "https://attack.mitre.org/techniques/T1193"
        }
      ]
    }
  ],
  "execution_summary": {
    "last_execution": {
      "date": "2022-03-23T16:06:12.787Z",
      "status": "partial failure",
      "status_order": 20,
      "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
      "metrics": {
        "total_search_duration_ms": 135,
        "total_indexing_duration_ms": 15,
        "execution_gap_duration_s": 0
      }
    }
  },
  "version": 1
}

[dev] This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features. These fields are under development and their usage or schema may change: related_integrations, required_fields, setup, and execution_summary.
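The following script is an added example, not code from the Elastic documentation or the Kibana project. It ties the two halves of this page together: it builds the GET /api/detection_engine/rules URL with exactly one of id or rule_id (as the query parameters section requires), optionally sends the request, and then reduces a returned rule to the fields a detection engineer checks first (enabled state, last execution status, mapped ATT&CK techniques). The base URL, the ApiKey authorization header, the function names and the trimmed sample response are assumptions; only the URL path, query parameters and response field names come from the page.

```python
# Added example (not from the Elastic docs): build the Get rule request,
# optionally send it, and summarize the returned rule for a health check.
# Assumptions: KIBANA_BASE_URL, the API-key header and all function names
# below are illustrative; only the URL path, query parameters and response
# fields come from the page.
import json
import urllib.parse
import urllib.request

KIBANA_BASE_URL = "http://kibana.example.internal:5601"  # placeholder host:port


def build_get_rule_url(base_url, id=None, rule_id=None):
    """Return the URL for GET /api/detection_engine/rules.

    Exactly one of `id` (the Kibana-assigned UUID) or `rule_id` (the
    human-readable identifier) must be given, as the query requires.
    """
    if (id is None) == (rule_id is None):
        raise ValueError("specify exactly one of id or rule_id")
    params = {"id": id} if id is not None else {"rule_id": rule_id}
    return (base_url.rstrip("/") + "/api/detection_engine/rules?"
            + urllib.parse.urlencode(params))


def fetch_rule(url, api_key, timeout=10):
    """GET the rule and return the decoded JSON body.

    Authenticating with an `Authorization: ApiKey ...` header is an
    assumption of this example; use whatever your deployment requires.
    """
    req = urllib.request.Request(
        url,
        headers={"Authorization": "ApiKey " + api_key,
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize_rule(rule):
    """Pull out what a detection engineer checks first: is the rule enabled,
    what did its last execution report, and which ATT&CK techniques it maps to.

    The page marks `execution_summary` as in development, so every access
    to it is optional and tolerates its absence.
    """
    last = rule.get("execution_summary", {}).get("last_execution", {})
    techniques = [t["id"]
                  for entry in rule.get("threat", [])
                  for t in entry.get("technique", [])]
    status = last.get("status")
    return {
        "name": rule["name"],
        "rule_id": rule["rule_id"],
        "enabled": rule["enabled"],
        "severity": rule["severity"],
        "risk_score": rule["risk_score"],
        "last_status": status,
        "last_message": last.get("message"),
        "techniques": techniques,
        # Flag disabled rules and any non-clean last run; treating
        # "succeeded" as the only healthy status is an assumption.
        "needs_attention": (not rule["enabled"])
                           or (status is not None and status != "succeeded"),
    }


# Constructed sample, trimmed from the page's example response.
SAMPLE_RULE = json.loads("""{
  "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3",
  "rule_id": "process_started_by_ms_office_user_folder",
  "name": "MS Office child process",
  "enabled": false,
  "severity": "low",
  "risk_score": 21,
  "threat": [{"framework": "MITRE ATT&CK",
              "tactic": {"id": "TA0001", "name": "Initial Access"},
              "technique": [{"id": "T1193", "name": "Spearphishing Attachment"}]}],
  "execution_summary": {"last_execution": {
      "date": "2022-03-23T16:06:12.787Z",
      "status": "partial failure",
      "message": "no matching index was found"}}
}""")


if __name__ == "__main__":
    url = build_get_rule_url(KIBANA_BASE_URL, id=SAMPLE_RULE["id"])
    print(url)
    # Against a live instance: rule = fetch_rule(url, api_key="<API KEY>")
    print(json.dumps(summarize_rule(SAMPLE_RULE), indent=2))
```

Run as-is, the script works entirely offline on the embedded sample and reports the rule as needing attention twice over: it is disabled, and its last execution ended in "partial failure" because no index matched. Point fetch_rule at a real Kibana instance to replace the sample; the summary shape stays the same, so the same check can run across a whole rule set.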