Signals endpoint
editSignals endpoint
editThe signals endpoint is for retrieving, aggregating, and updating detection alerts. For detailed information on how to retrieve and aggregate results from the indices, see:
Get alerts
editAggregates and returns alerts.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/signals/search
Request body
editA query DSL that determines which results are returned.
Example request
editGets aggregated results of all open alerts with a risk score equal to or greater than 70. It also returns the timestamps of the oldest and newest alerts that meet the query’s criteria.
POST api/detection_engine/signals/search { "aggs": { "latest": { "max": { "field": "@timestamp" } }, "oldest": { "min": { "field": "@timestamp" } } }, "query": { "bool": { "filter": [ { "match": { "signal.status": "open" } }, { "range": { "signal.rule.risk_score": { "gte": 70 } } } ] } } }
Gets all in-progress alerts with a risk score equal to or greater than 70.
POST api/detection_engine/signals/search { "query": { "bool": { "filter": [ { "match": { "signal.status": "in-progress" } }, { "range": { "signal.rule.risk_score": { "gte": 70 } } } ] } } }
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON object with the aggregated values and requested alerts.
Example response:
{ "took": 3, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 8794, "relation": "eq" }, "max_score": null, "hits": [] }, "aggregations": { "oldest": { "value": 1576601119930, "value_as_string": "2019-12-17T16:45:19.930Z" }, "latest": { "value": 1576634706400, "value_as_string": "2019-12-18T02:05:06.400Z" } } }
Set alert status
editSets the status of one or more alert.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/signals/status
Request body
editA JSON object with either a query
or signals_id
field:
Name | Type | Description | Required |
---|---|---|---|
|
String[] |
Array of alert IDs. |
Yes, when the |
|
Query DSL |
Query that determines which alerts are updated. |
Yes, when
the |
|
String |
The new status, which can be |
Yes. |
Example requests
editCloses alerts with signal_ids
:
POST api/detection_engine/signals/status { "signal_ids": [ "694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba", "f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0" ], "status": "closed" }
Closes alerts that are over a month old and have a risk score less than or equal to 20:
POST api/detection_engine/signals/status { "query": { "bool": { "filter": [ { "range": { "signal.rule.risk_score": { "lte": 20 } } }, { "range": { "@timestamp": { "lte": "now-M" } } } ] } }, "status": "closed" }
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON object containing the number of updated alerts.
Example response:
{ "took": 9594, "timed_out": false, "total": 8794, "updated": 8794, "deleted": 0, "batches": 9, "version_conflicts": 0, "noops": 0, "retries": { "bulk": 0, "search": 0 }, "throttled_millis": 0, "requests_per_second": -1, "throttled_until_millis": 0, "failures": [] }
Apply alert tags
editAdd and remove alert tags.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/signals/tags
Request body
editA JSON object with the tags
and ids
fields:
Name | Type | Description | Required |
---|---|---|---|
|
Object |
Object containing alert tags. Alert tags are the words and phrases that help categorize alerts. Properties of the
You cannot add and remove the same alert tag. |
No |
|
String[] |
Array of alert IDs. |
Yes |
Example requests
editAdds and remove tags to alerts:
POST api/detection_engine/signals/tags { "tags": { "tags_to_add": ["False Positive"], "tags_to_remove": ["Further Investigation Required"] }, "ids": [ "694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba", "f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0" ] }
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON object containing alerts with newly added or removed alert tags.
Example response:
{ "took": 699, "errors": false, "items": [ { "update": { "_index": ".internal.alerts-security.alerts-default-000001", "_id": "694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba", "_version": 2, "result": "updated", "_shards": { "total": 1, "successful": 1, "failed": 0 }, "_seq_no": 137, "_primary_term": 1, "status": 200 } }, { "update": { "_index": ".internal.alerts-security.alerts-default-000001", "_id": "f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0", "_version": 2, "result": "updated", "_shards": { "total": 1, "successful": 1, "failed": 0 }, "_seq_no": 138, "_primary_term": 1, "status": 200 } } ] }
Assign or unassign users from alerts
editAllows you to assign and unassign users from alerts.
Request URL
editPOST <kibana host>:<port>/api/detection_engine/signals/assignees
Request body
editA JSON object with the assignees
and ids
fields:
Name | Type | Description | Required |
---|---|---|---|
|
Object[] |
An array of unique identifiers (UIDs) for user profiles. Properties of the
You cannot add and remove the same assignee. |
Yes |
|
String[] |
An array of alert IDs. |
Yes |
Example request
editAssigns and unassigns users to alerts:
POST api/detection_engine/signals/assignees { "assignees": { "add": ["u_o4kzon2tUP0u189YjKVT0rTR_HBOED3JmyLLE6MrulY_0"], "remove": ["u_P4HW8xg4_xRVI7Oa-i6Ys1Gxe7k3jqZteAeZe6ZctEc_0"] }, "ids": [ "854f5eceeec1b4cd5495ad18c4259d6e5631a6677bc10c033edb318397d45459", "00968e97805854d0aa356968cad971d5184cdf91ebd458720c5b4099f4a5229a" ] }
Response code
edit-
200
- Indicates a successful call.
Response payload
editA JSON object containing the number of updated alerts.
Example response:
{ "took": 67, "timed_out": false, "total": 2, "updated": 2, "deleted": 0, "batches": 1, "version_conflicts": 0, "noops": 0, "retries": { "bulk": 0, "search": 0 }, "throttled_millis": 0, "requests_per_second": -1, "throttled_until_millis": 0, "failures": [] }