Index endpoint
You use the index endpoint to create, get, and delete .siem-signals-<Kibana-space> system indices in a Kibana space.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Signal indices store detection alerts.
For information about the permissions and privileges required to create .siem-signals-<Kibana-space> indices, see Enable and access detections.
When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      }
    }
  }
}
The policy and rollover_alias use the same name as the signal index.
Create index
Creates a signal index. The naming convention for the index is .siem-signals-<space name>.
Request URL
POST <kibana host>:<port>/api/detection_engine/index
Example request
Creates a signal index in the Kibana siem space:
POST s/siem/api/detection_engine/index
Response code
- 200: Indicates a successful call.
Get index
Gets the signal index name if it exists.
Request URL
GET <kibana host>:<port>/api/detection_engine/index
Example request
Gets the signal index for the Kibana siem space:
GET s/siem/api/detection_engine/index
Response code
- 200: Indicates a successful call.
- 404: Indicates no index exists.
Example responses
Example response when the index exists:
{
  "name": ".siem-signals-siem"
}
Example response when no index exists:
{
  "statusCode": 404,
  "error": "Not Found",
  "message": "index for this space does not exist"
}
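As an added example that is not part of the Elastic documentation or of Kibana's own code, the following Python client chains the two calls above: it checks with GET whether the signal index for a space exists, treats 404 as "not created yet", and creates it with POST before reading the name back. It runs offline against a constructed stand-in for Kibana; only the 200 body with "name" and the 404 body come from this page, while the stand-in's 400 and "acknowledged" bodies, the HTTP basic auth transport, the kbn-xsrf header on the POST (Kibana rejects state-changing API requests that lack it), and the /s/<space>/ path prefix for non-default spaces are assumptions made for the example.

```python
"""Added example: minimal client for the detection engine index endpoint.

Not Elastic's code. The transport abstraction lets the same logic run
against a real Kibana (urllib) or against a constructed fake for offline use.
"""
import json
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers) and returns (status, body_text).
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def index_url(kibana_base: str, space: Optional[str] = None) -> str:
    """Build the endpoint URL. Non-default spaces use the /s/<space> prefix
    seen in the page's example requests (assumption for the default space)."""
    base = kibana_base.rstrip("/")
    if space and space != "default":
        base = f"{base}/s/{space}"
    return f"{base}/api/detection_engine/index"


def get_signal_index(transport: Transport, kibana_base: str,
                     space: Optional[str] = None) -> Optional[str]:
    """GET: return the index name on 200, None on 404 (no index yet)."""
    status, body = transport("GET", index_url(kibana_base, space), {})
    if status == 200:
        return json.loads(body)["name"]
    if status == 404:
        return None
    raise RuntimeError(f"unexpected status {status}: {body}")


def create_signal_index(transport: Transport, kibana_base: str,
                        space: Optional[str] = None) -> None:
    """POST: create the index. The kbn-xsrf header is a Kibana requirement
    for non-GET API calls (not stated on the page; noted in the lead-in)."""
    headers = {"kbn-xsrf": "true"}
    status, body = transport("POST", index_url(kibana_base, space), headers)
    if status != 200:
        raise RuntimeError(f"create failed with status {status}: {body}")


def ensure_signal_index(transport: Transport, kibana_base: str,
                        space: Optional[str] = None) -> str:
    """Idempotent helper: create the index only when GET reports 404."""
    name = get_signal_index(transport, kibana_base, space)
    if name is None:
        create_signal_index(transport, kibana_base, space)
        name = get_signal_index(transport, kibana_base, space)
        if name is None:
            raise RuntimeError("index still missing after create")
    return name


def urllib_transport(username: str, password: str) -> Transport:
    """Real transport using HTTP basic auth (assumed auth scheme; not run here)."""
    import base64
    import urllib.error
    import urllib.request

    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        req = urllib.request.Request(
            url, method=method,
            headers={"Authorization": f"Basic {token}", **headers})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode()
    return transport


def make_fake_kibana() -> Transport:
    """Constructed stand-in for Kibana that mimics the documented responses."""
    created = set()

    def transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        space = "default"
        if "/s/" in url:
            space = url.split("/s/", 1)[1].split("/", 1)[0]
        if method == "POST":
            if "kbn-xsrf" not in headers:  # constructed rejection body
                return 400, json.dumps({"statusCode": 400, "error": "Bad Request",
                                        "message": "missing kbn-xsrf header"})
            created.add(space)
            return 200, json.dumps({"acknowledged": True})  # constructed body
        if method == "GET":
            if space in created:
                return 200, json.dumps({"name": f".siem-signals-{space}"})
            return 404, json.dumps({"statusCode": 404, "error": "Not Found",
                                    "message": "index for this space does not exist"})
        return 405, ""
    return transport


if __name__ == "__main__":
    fake = make_fake_kibana()
    print(get_signal_index(fake, "http://kibana:5601", "siem"))      # None
    print(ensure_signal_index(fake, "http://kibana:5601", "siem"))   # .siem-signals-siem
```

To run against a real deployment, replace make_fake_kibana() with urllib_transport(user, password) and pass the Kibana base URL; the rest of the logic is unchanged.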