Index endpoint

You use the index endpoint to create, get, and delete .siem-signals-<Kibana-space> system indices in a Kibana space. Signal indices store detection alerts.

For information about the permissions and privileges required to create .siem-signals-<Kibana-space> indices, see Enable and access detections.
When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:

{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      }
    }
  }
}

The policy and rollover_alias use the same name as the signal index.

To reduce clutter on your hot tier, we highly recommend adding a delete action to this ILM policy. Otherwise, the signal indices will remain on your hot tier indefinitely.
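The following is an added example, not part of the original page or of Elastic's own code. It takes the default signal-index policy shown above and produces the version with a delete phase that the recommendation asks for, plus a small check that tells you whether a policy will ever delete anything. The 90-day retention value is an assumption; the delete-phase syntax is standard ILM.

```python
import json

# The ILM policy Kibana creates for a signal index, exactly as shown on this page.
# Alerts roll over at 50 GB or 30 days, but nothing ever removes the old indices,
# so they accumulate on the hot tier.
DEFAULT_SIGNAL_POLICY = {
    "policy": {
        "phases": {
            "hot": {
                "min_age": "0ms",
                "actions": {"rollover": {"max_size": "50gb", "max_age": "30d"}},
            }
        }
    }
}


def with_delete_phase(policy: dict, retain_for: str = "90d") -> dict:
    """Return a copy of ``policy`` with a delete phase added.

    Because the hot phase has a rollover action, ILM measures the delete
    phase's ``min_age`` from the rollover time, not from index creation.
    ``retain_for="90d"`` is an assumed retention period; set it to whatever
    your alert-retention requirement actually is.
    """
    new_policy = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    new_policy["policy"]["phases"]["delete"] = {
        "min_age": retain_for,
        "actions": {"delete": {}},
    }
    return new_policy


def has_delete_phase(policy: dict) -> bool:
    """True only if the policy contains a delete phase with a delete action."""
    phases = policy.get("policy", {}).get("phases", {})
    return "delete" in phases.get("delete", {}).get("actions", {})


if __name__ == "__main__":
    # Prints the corrected policy body; upload it with PUT _ilm/policy/<policy name>,
    # where the policy name is the signal index name (.siem-signals-<space>).
    print(json.dumps(with_delete_phase(DEFAULT_SIGNAL_POLICY), indent=2))
```

The returned body is what you would send to the Elasticsearch ILM API (PUT _ilm/policy/.siem-signals-<space>) to replace the default policy. `has_delete_phase` is the check to run over every signal-index policy in a cluster when auditing retention.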
Create index

Creates a signal index. The naming convention for the index is .siem-signals-<space name>.

Request URL

POST <kibana host>:<port>/api/detection_engine/index

Example request

Creates a signal index in the Kibana siem space:

POST s/siem/api/detection_engine/index

Response code

200 - Indicates a successful call.
Get index

Gets the signal index name if it exists.

Request URL

GET <kibana host>:<port>/api/detection_engine/index

Example request

Gets the signal index for the Kibana siem space:

GET s/siem/api/detection_engine/index

Response code

200 - Indicates a successful call.

404 - Indicates no index exists.

Example responses

Example response when index exists:

{ "name": ".siem-signals-siem" }

Example response when no index exists:

{ "statusCode": 404, "error": "Not Found", "message": "index for this space does not exist" }
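As an added example (not code from the page or from Elastic), the get-then-create sequence described by the two endpoints above, written as a small Python client: it builds the space-scoped URL, treats the documented 404 as "no index yet", and only then issues the POST. The transport is injectable so the logic can be exercised offline; `urllib_transport` is the real one. The `authorization` value and the Kibana base URL are placeholders you supply; the `kbn-xsrf` header is Kibana's standard requirement for non-GET API requests.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# A transport takes (method, url, headers) and returns (status_code, body_text).
Transport = Callable[[str, str, dict], Tuple[int, str]]


def index_endpoint_url(kibana_base: str, space: str = "default") -> str:
    """Build the index endpoint URL for a Kibana space.

    Non-default spaces use the s/<space> prefix seen in the page's examples
    (s/siem/api/detection_engine/index); the default space has no prefix.
    """
    base = kibana_base.rstrip("/")
    if space != "default":
        base = f"{base}/s/{space}"
    return f"{base}/api/detection_engine/index"


def parse_get_index(status: int, body: str) -> Optional[str]:
    """Map a GET response to the index name, or None for the documented 404."""
    if status == 200:
        return json.loads(body)["name"]
    if status == 404:
        return None
    raise RuntimeError(f"unexpected response {status}: {body}")


def urllib_transport(method: str, url: str, headers: dict) -> Tuple[int, str]:
    """Real HTTP transport. 4xx/5xx responses are returned, not raised,
    so the caller can distinguish the 404 from a genuine failure."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def ensure_signal_index(kibana_base: str, space: str, authorization: str,
                        transport: Transport = urllib_transport) -> Tuple[str, bool]:
    """Return (index_name, created).

    GET first; create only when the space reports no index (404); then GET
    again so the name comes from Kibana rather than being assumed.
    ``authorization`` is the full header value (for example an ApiKey or Basic
    credential) and is a placeholder here.
    """
    url = index_endpoint_url(kibana_base, space)
    headers = {
        "Authorization": authorization,
        # Kibana refuses state-changing requests without this header.
        "kbn-xsrf": "true",
    }
    existing = parse_get_index(*transport("GET", url, headers))
    if existing is not None:
        return existing, False
    status, body = transport("POST", url, headers)
    if status != 200:
        raise RuntimeError(f"create failed with {status}: {body}")
    name = parse_get_index(*transport("GET", url, headers))
    if name is None:
        raise RuntimeError("index still missing after a successful create")
    return name, True
```

Calling `ensure_signal_index("http://<kibana host>:<port>", "siem", "<authorization header value>")` is idempotent: a second run returns the existing name with `created=False`, which makes it safe to keep in a space-provisioning script.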