IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Get rule
Retrieves a single rule using the rule_id or id field.
Request URL
GET <kibana host>:<port>/api/detection_engine/rules
URL query parameters
The URL query must include one of the following. id is the UUID Kibana assigns when the rule is created; rule_id is the identifier the rule was created with, which stays the same when the rule is exported and imported elsewhere.
- id: GET /api/detection_engine/rules?id=<id>
- rule_id: GET /api/detection_engine/rules?rule_id=<rule_id>
Example request
Retrieves the rule with an id value of c41d170b-8ba6-4de6-b8ec-76440a35ace3:
GET /api/detection_engine/rules?id=c41d170b-8ba6-4de6-b8ec-76440a35ace3
Response code
- 200: Indicates a successful call.
Response payload
The returned rule's JSON object.
Example response:
{
  "created_at": "2020-02-03T11:19:04.259Z",
  "updated_at": "2020-02-03T11:19:04.462Z",
  "created_by": "elastic",
  "description": "Process started by MS Office program in user folder",
  "enabled": false,
  "false_positives": [],
  "filters": [
    {
      "query": {
        "match": {
          "event.action": {
            "query": "Process Create (rule: ProcessCreate)",
            "type": "phrase"
          }
        }
      }
    }
  ],
  "from": "now-4200s",
  "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3",
  "immutable": false,
  "interval": "1h",
  "rule_id": "process_started_by_ms_office_user_folder",
  "related_integrations": [],
  "required_fields": [],
  "setup": "",
  "language": "kuery",
  "max_signals": 100,
  "risk_score": 21,
  "name": "MS Office child process",
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "references": [],
  "severity": "low",
  "updated_by": "elastic",
  "tags": [
    "child process",
    "ms office"
  ],
  "to": "now-300s",
  "type": "query",
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0001",
        "reference": "https://attack.mitre.org/tactics/TA0001",
        "name": "Initial Access"
      },
      "technique": [
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "reference": "https://attack.mitre.org/techniques/T1193"
        }
      ]
    }
  ],
  "execution_summary": {
    "last_execution": {
      "date": "2022-03-23T16:06:12.787Z",
      "status": "partial failure",
      "status_order": 20,
      "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
      "metrics": {
        "total_search_duration_ms": 135,
        "total_indexing_duration_ms": 15,
        "execution_gap_duration_s": 0
      }
    }
  },
  "version": 1
}
[dev] This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features.
These fields are under development and their usage or schema may change:
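The following script is an added example, not Kibana's own client code. It builds the Get rule URL from exactly one of id or rule_id as the query parameters section requires, then triages the returned rule object the way a detection engineer would on first read: is the rule enabled, does the per-run query window (from/to) actually cover the run interval, and did the last execution finish cleanly. The Kibana base URL is assumed; the rule JSON is a trimmed copy of the example response above, embedded as constructed input so the script runs offline. Treating any last-execution status other than succeeded as worth a look is the author's choice here, not something the page specifies.

```python
"""Build a Get-rule request URL and triage the rule JSON it returns.

Added example, not Kibana code. Runs offline against SAMPLE_RULE, a
constructed trim of the example response on this page.
"""
import re
from urllib.parse import urlencode

# Seconds per unit of Kibana-style date math ("now-4200s", "1h", ...).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def build_get_rule_url(kibana_base, id=None, rule_id=None):
    """Return the Get-rule URL; the API takes exactly one of id / rule_id.

    `id` deliberately shadows the builtin so the argument matches the
    query parameter name. kibana_base is an assumed value such as
    "https://kibana.example:5601".
    """
    if (id is None) == (rule_id is None):
        raise ValueError("pass exactly one of id or rule_id")
    params = {"id": id} if id is not None else {"rule_id": rule_id}
    return f"{kibana_base.rstrip('/')}/api/detection_engine/rules?{urlencode(params)}"


def date_math_seconds(expr):
    """Seconds expressed by 'now', 'now-<n><unit>' or a bare '<n><unit>' (s, m, h, d)."""
    if expr == "now":
        return 0
    m = re.fullmatch(r"(?:now-)?(\d+)([smhd])", expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def triage_rule(rule):
    """Summarise the facts to check first on a fetched rule and list any issues."""
    # Each run queries the window [from, to] relative to execution time.
    lookback = date_math_seconds(rule["from"]) - date_math_seconds(rule.get("to", "now"))
    interval = date_math_seconds(rule["interval"])
    last = (rule.get("execution_summary") or {}).get("last_execution") or {}
    status = last.get("status")

    issues = []
    if not rule.get("enabled", False):
        issues.append("rule is disabled")
    if lookback < interval:
        # A window shorter than the run interval leaves events between runs
        # unevaluated; the sample rule avoids this (3900s window, 3600s interval).
        issues.append(f"query window {lookback}s is shorter than interval {interval}s: "
                      "events between runs are never evaluated")
    if status is not None and status != "succeeded":
        issues.append(f"last execution {status!r}: {last.get('message', '')}")

    return {
        "rule_id": rule["rule_id"],
        "enabled": rule.get("enabled", False),
        "lookback_s": lookback,
        "interval_s": interval,
        "last_status": status,
        "issues": issues,
    }


# Constructed sample: a trimmed copy of the example response above.
SAMPLE_RULE = {
    "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3",
    "rule_id": "process_started_by_ms_office_user_folder",
    "enabled": False,
    "from": "now-4200s",
    "to": "now-300s",
    "interval": "1h",
    "execution_summary": {
        "last_execution": {
            "status": "partial failure",
            "message": "This rule attempted to query data from Elasticsearch indices "
                       "listed in the \"Index pattern\" section of the rule definition, "
                       "but no matching index was found.",
        }
    },
}

if __name__ == "__main__":
    print(build_get_rule_url("https://kibana.example:5601", id=SAMPLE_RULE["id"]))
    for issue in triage_rule(SAMPLE_RULE)["issues"]:
        print("-", issue)
```

For the sample rule the triage reports two issues: the rule is disabled, and its last execution ended in partial failure because no index matched the rule's index pattern, which is the response's own execution_summary message surfacing. The window check is the one people miss: a rule whose from/to window is narrower than its interval silently skips events, and the Get rule response carries everything needed to catch that before the rule is enabled.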