Index endpoint
You use the index endpoint to create, get, and delete .siem-signals-<Kibana-space> system indices in a Kibana space.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Signal indices store detection alerts.
For information about the permissions and privileges required to create .siem-signals-<Kibana-space> indices, see Enable and access detections.
When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      }
    }
  }
}
The policy and rollover_alias use the same name as the signal index.
Create index
Creates a signal index. The naming convention for the index is .siem-signals-<space name>.
Request URL
POST <kibana host>:<port>/api/detection_engine/index
Example request
Creates a signal index in the Kibana siem space:
POST <kibana host>:<port>/s/siem/api/detection_engine/index
Response code
- 200: Indicates a successful call.
Get index
Gets the signal index name if it exists.
Request URL
GET <kibana host>:<port>/api/detection_engine/index
Example request
Gets the signal index for the Kibana siem space:
GET <kibana host>:<port>/s/siem/api/detection_engine/index
Response codes
- 200: Indicates a successful call.
- 404: Indicates no index exists.
Example responses
Example response when the index exists:
{
  "name": ".siem-signals-siem"
}
Example response when no index exists:
{
  "statusCode": 404,
  "error": "Not Found",
  "message": "index for this space does not exist"
}
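The Create and Get calls above combine naturally into an idempotent "make sure this space has a signal index" step, with the 404 from GET being the signal to POST. The following is an added example, not code from the Kibana documentation; the Kibana URL, the use of the default space without an /s/ prefix, and the absence of credentials are assumptions, and the 403 handling shows why an unexpected status must not be mistaken for "missing".

```python
import json
import urllib.error
import urllib.request

# Constructed values for this example (assumptions, not from the page).
KIBANA = "http://localhost:5601"
SPACE = "siem"
ENDPOINT = "/api/detection_engine/index"


def index_url(kibana, space):
    """Build the endpoint URL. Kibana addresses non-default spaces via /s/<space>;
    the default space has no prefix (assumption for this example)."""
    prefix = "" if space == "default" else f"/s/{space}"
    return f"{kibana}{prefix}{ENDPOINT}"


def http_fetch(method, url):
    """Real transport: returns (status, parsed JSON body).
    Kibana rejects non-GET requests without a kbn-xsrf header; add your own
    Authorization header here, it is omitted in this example."""
    req = urllib.request.Request(url, method=method, headers={"kbn-xsrf": "true"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def ensure_signal_index(kibana, space, fetch=http_fetch):
    """Return ("exists", name) if GET finds the index, or ("created", name) after
    a successful POST. Only a 404 triggers creation; any other non-200 status
    (for example 403 from missing privileges) is raised, never treated as 'absent'."""
    url = index_url(kibana, space)
    status, body = fetch("GET", url)
    if status == 200:
        return "exists", body["name"]
    if status != 404:
        raise RuntimeError(f"GET {url} -> {status}: {body.get('message', body)}")
    # No index for this space yet; creating it also installs the ILM policy shown above.
    status, body = fetch("POST", url)
    if status != 200:
        raise RuntimeError(f"POST {url} -> {status}: {body.get('message', body)}")
    return "created", f".siem-signals-{space}"  # naming convention from the page


if __name__ == "__main__":
    print(ensure_signal_index(KIBANA, SPACE))
```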