Find rules
editFind rules
editRetrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Request URL
editGET <kibana host>:<port>/api/detection_engine/rules/_find
URL query parameters
editAll parameters are optional:
| Name | Type | Description |
|---|---|---|
|
Integer |
The page number to return. |
|
Integer |
The number of rules to return per page. |
|
String |
Determines which field is used to sort the results. |
|
String |
Determines the sort order, which can be |
|
String |
Filters the returned results according to the value of the
specified field, using the
Even though the JSON rule object uses |
Example request
editRetrieves the first five rules with the word windows in their names, sorted
in ascending order:
GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows
Response code
edit-
200 - Indicates a successful call.
Response payload
editA JSON object containing a summary and the returned rules.
Example response:
{
"page": 1,
"perPage": 5,
"total": 4,
"data": [
{
"created_at": "2020-02-02T10:05:19.613Z",
"updated_at": "2020-02-02T10:05:19.830Z",
"created_by": "elastic",
"description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
"enabled": false,
"false_positives": [],
"from": "now-6m",
"id": "89761517-fdb0-4223-b67b-7621acc48f9e",
"immutable": true,
"index": [
"winlogbeat-*"
],
"interval": "5m",
"rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
"language": "kuery",
"max_signals": 33,
"risk_score": 21,
"name": "Windows Script Executing PowerShell",
"query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
"references": [],
"severity": "low",
"updated_by": "elastic",
"tags": [
"Elastic",
"Windows"
],
"to": "now",
"type": "query",
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0002",
"name": "Execution",
"reference": "https://attack.mitre.org/tactics/TA0002/"
},
"technique": [
{
"id": "T1193",
"name": "Spearphishing Attachment",
"reference": "https://attack.mitre.org/techniques/T1193/"
}
]
}
],
"execution_summary": {
"last_execution": {
"date": "2022-03-23T16:06:12.787Z",
"status": "partial failure",
"status_order": 20,
"message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
"metrics": {
"total_search_duration_ms": 135,
"total_indexing_duration_ms": 15,
"execution_gap_duration_s": 0,
}
}
},
"version": 1
},
...
]
}