Find rules
Retrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.
Console supports only Elasticsearch APIs. Console doesn't allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Request URL
GET <kibana host>:<port>/api/detection_engine/rules/_find
URL query parameters
All parameters are optional:
Name | Type | Description
---|---|---
`page` | Integer | The page number to return.
`per_page` | Integer | The number of rules to return per page.
`sort_field` | String | Determines which field is used to sort the results.
`sort_order` | String | Determines the sort order, which can be `asc` or `desc`.
`filter` | String | Filters the returned results according to the value of the specified field, using the `<field name>:<field value>` syntax. Even though the JSON rule object uses top-level field names such as `name`, the filter refers to them as `alert.attributes.<field name>` (for example, `alert.attributes.name:windows` in the request below).
Example request
Retrieves the first five rules with the word windows in their names, sorted by the `enabled` field in ascending order:
GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows
Response code
- `200`: Indicates a successful call.
Response payload
A JSON object containing a summary and the returned rules.
Example response:
```json
{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": [
        "winlogbeat-*"
      ],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": [
        "Elastic",
        "Windows"
      ],
      "to": "now",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": "https://attack.mitre.org/tactics/TA0002/"
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": "https://attack.mitre.org/techniques/T1193/"
            }
          ]
        }
      ],
      "version": 1
    },
    ...
  ]
}
```
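As an added example (not Kibana's own code), the following Python walks this endpoint page by page using the `page`, `perPage` and `total` fields of the response above, then reports which rules are disabled and how many returned rules map to each ATT&CK technique. The HTTP transport is replaced by a constructed in-memory stand-in (`fake_fetch`, serving made-up rules) so it runs offline; a real GET against `<kibana host>:<port>` with the same `(path, params)` signature slots in for it.

```python
from collections import Counter
from typing import Callable, Dict, Iterator, List

FIND_PATH = "/api/detection_engine/rules/_find"
Fetch = Callable[[str, Dict], Dict]  # (path, query params) -> parsed JSON body

# Constructed sample rules, shaped like the response payload shown above.
SAMPLE_RULES: List[Dict] = [
    {"rule_id": "r-1", "name": "Windows Script Executing PowerShell", "enabled": False,
     "threat": [{"technique": [{"id": "T1193"}]}]},
    {"rule_id": "r-2", "name": "Linux Cron Job Added", "enabled": True,
     "threat": [{"technique": [{"id": "T1053"}]}]},
    {"rule_id": "r-3", "name": "Windows Scheduled Task", "enabled": True,
     "threat": [{"technique": [{"id": "T1053"}, {"id": "T1193"}]}]},
]

def fake_fetch(path: str, params: Dict) -> Dict:
    """Offline stand-in for the HTTP GET: emulates page, per_page and filter."""
    assert path == FIND_PATH
    hits = SAMPLE_RULES
    if "filter" in params:  # only the alert.attributes.<field>:<value> form
        field, _, value = params["filter"].partition(":")
        key = field.split("alert.attributes.", 1)[-1]
        hits = [r for r in hits if value.lower() in str(r[key]).lower()]
    page, per_page = params.get("page", 1), params.get("per_page", 20)
    start = (page - 1) * per_page
    return {"page": page, "perPage": per_page, "total": len(hits),
            "data": hits[start:start + per_page]}

def iter_rules(fetch: Fetch, per_page: int = 2, **params) -> Iterator[Dict]:
    """Yield every matching rule, requesting pages until page*perPage covers total."""
    page = 1
    while True:
        body = fetch(FIND_PATH, {"page": page, "per_page": per_page, **params})
        yield from body["data"]
        if not body["data"] or page * body["perPage"] >= body["total"]:
            return
        page += 1

def disabled_rule_ids(fetch: Fetch) -> List[str]:
    """Rules that are installed but switched off: a coverage gap worth reviewing."""
    return [r["rule_id"] for r in iter_rules(fetch) if not r["enabled"]]

def technique_coverage(fetch: Fetch, **params) -> Counter:
    """Count how many returned rules map to each ATT&CK technique id."""
    counts: Counter = Counter()
    for rule in iter_rules(fetch, **params):
        for threat in rule.get("threat", []):
            counts.update(t["id"] for t in threat.get("technique", []))
    return counts
```

Passing `filter="alert.attributes.name:windows"` to `technique_coverage` mirrors the example request above and restricts the count to rules whose name contains windows.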