GET /api/alerting/rules/_find

Spaces method and path for this operation:

get /s/{space_id}/api/alerting/rules/_find

Refer to Spaces for more information.

Query parameters

  • per_page number

    The number of rules to return per page.

    Minimum value is 0. Default value is 10.

  • page number

    The page number to return.

    Minimum value is 1. Default value is 1.

  • default_search_operator string

    The default operator to use for the simple_query_string.

    Values are OR or AND. Default value is OR.

  • search_fields array[string]

    The fields to perform the simple_query_string parsed query against.

  • sort_field string

    Determines which field is used to sort the results. The field must exist in the attributes key of the response.

  • sort_order string

    Determines the sort order.

    Values are asc or desc.

  • has_reference object | null

    Filters the results to rules that reference an object of the given type and identifier.

    Additional properties are NOT allowed.

    • id string Required
    • type string Required
  • fields array[string]

    The fields to return in the attributes key of the response.

  • filter string

    A KQL string that filters on an attribute of the saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you filter on a direct attribute of the saved object, such as updatedAt, write the filter against that attribute directly, for example, savedObjectType.updatedAt > 2018-12-22.

  • filter_consumers array[string]

    A list of consumers to restrict the results to.

Responses

  • 200 application/json

    Indicates a successful call.

    • data array[object] Required
      • actions array[object] Required
        • alerts_filter object

          Defines conditions (a query and a time frame) that limit whether the action runs.

          Additional properties are NOT allowed.

          • query object

            Additional properties are NOT allowed.

            • dsl string

              A filter written in Elasticsearch Query Domain Specific Language (DSL).

            • filters array[object] Required

              A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

              • $state object

                Additional properties are NOT allowed.

                • store string Required

                  A filter that can be applied to a specific application context or applied globally.

                  Values are appState or globalState.

              • meta object Required
              • query object
            • kql string Required

              A filter written in Kibana Query Language (KQL).

          • timeframe object

            Additional properties are NOT allowed.

            • days array[integer] Required

              Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

              Values are 1, 2, 3, 4, 5, 6, or 7.

            • hours object Required

              Additional properties are NOT allowed.

              • end string Required

                The end of the time frame, in 24-hour notation (hh:mm).

              • start string Required

                The start of the time frame, in 24-hour notation (hh:mm).

            • timezone string Required

              The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in support for daylight saving time and are not recommended.

        • connector_type_id string Required

          The type of connector. This property appears in responses but cannot be set in requests.

        • frequency object

          Additional properties are NOT allowed.

          • notify_when string Required

            Indicates how frequently rule actions are triggered. Valid values include onActionGroupChange (actions run when the alert status changes), onActiveAlert (actions run when the alert becomes active and at each check interval while the rule conditions are met), and onThrottleInterval (actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met). You cannot specify notify_when at both the rule and action level. The recommended approach is to set it for each action individually. If you set notify_when at the rule level and then edit the rule, it will automatically be converted to action-specific values.

            Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

          • summary boolean Required

            Indicates whether the action is a summary.

          • throttle string | null Required

            The throttle interval defines how frequently rule actions are triggered. It is specified in seconds, minutes, hours, or days and only applies when 'notify_when' is set to 'onThrottleInterval'. You cannot set the throttle interval at both the rule and action level. The recommended approach is to set it for each action individually. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values.

        • group string

          The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

        • id string Required

          The identifier for the connector saved object.

        • params object Required

          The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        • use_alert_data_for_template boolean

          Indicates whether to use alert data as a template.

        • uuid string

          A universally unique identifier (UUID) for the action.

      • alert_delay object

        Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.

        Additional properties are NOT allowed.

        • active number Required

          The number of consecutive runs that must meet the rule conditions.

      • api_key_created_by_user boolean | null

        Indicates whether the API key that is associated with the rule was created by the user.

      • api_key_owner string | null Required

        The owner of the API key that is associated with the rule and used to run background tasks.

      • artifacts object

        Additional properties are NOT allowed.

        • dashboards array[object]
          • id string Required
        • investigation_guide object

          Additional properties are NOT allowed.

          • blob string Required

            User-created content that describes alert causes and remediation.

      • consumer string Required

        The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

      • created_at string Required

        The date and time that the rule was created.

      • created_by string | null Required

        The identifier for the user that created the rule.

      • enabled boolean Required

        Indicates whether you want the rule to run on an interval basis after it is created.

      • execution_status object Required

        Additional properties are NOT allowed.

        • error object

          Additional properties are NOT allowed.

          • message string Required

            Error message.

          • reason string Required

            Reason for error.

            Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

        • last_duration number

          Duration of last rule execution.

        • last_execution_date string Required

          The date and time of the last rule execution.

        • status string Required

          Status of rule execution.

          Values are ok, active, error, warning, pending, or unknown.

        • warning object

          Additional properties are NOT allowed.

          • message string Required

            Warning message.

          • reason string Required

            Reason for warning.

            Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

      • flapping object

        When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

        Additional properties are NOT allowed.

        • enabled boolean

          Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.

        • look_back_window number Required

          The minimum number of runs in which the threshold must be met.

          Minimum value is 2, maximum value is 20.

        • status_change_threshold number Required

          The minimum number of times an alert must switch states within the defined look back window.

          Minimum value is 2, maximum value is 20.

      • id string Required

        The identifier for the rule.

      • last_run object | null

        Additional properties are NOT allowed.

        • alerts_count object Required

          Additional properties are NOT allowed.

          • active number | null

            Number of active alerts during last run.

          • ignored number | null

            Number of ignored alerts during last run.

          • new number | null

            Number of new alerts during last run.

          • recovered number | null

            Number of recovered alerts during last run.

        • outcome string Required

          Outcome of the last rule run.

          Values are succeeded, warning, or failed.

        • outcome_msg array[string] | null

          Outcome message generated during last rule run.

        • outcome_order number

          Order of the outcome.

        • warning string | null

          Warning of last rule execution.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

      • mapped_params object
      • mute_all boolean Required

        Indicates whether all alerts are muted.

      • muted_alert_ids array[string] Required

        List of identifiers of muted alerts.

      • name string Required

        The name of the rule.

      • next_run string | null

        Date and time of the next rule run.

      • notify_when string | null

        Indicates how frequently rule actions are triggered. Valid values include onActionGroupChange (actions run when the alert status changes), onActiveAlert (actions run when the alert becomes active and at each check interval while the rule conditions are met), and onThrottleInterval (actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met). You cannot specify notify_when at both the rule and action level. The recommended approach is to set it for each action individually. If you set notify_when at the rule level and then edit the rule, it will automatically be converted to action-specific values.

        Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

      • params object Required

        The parameters for the rule.

      • revision number Required

        The rule revision number.

      • rule_type_id string Required

        The rule type identifier.

      • running boolean | null

        Indicates whether the rule is running.

      • schedule object Required

        Additional properties are NOT allowed.

        • interval string Required

          The interval is specified in seconds, minutes, hours, or days.

      • scheduled_task_id string

        Identifier of the scheduled task.

      • tags array[string] Required

        The tags for the rule.

      • throttle string | null Deprecated

        Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values.

      • updated_at string Required

        The date and time of the latest updates to the rule.

      • updated_by string | null Required

        The identifier for the user who was the last to update the rule.

    • page number Required
    • per_page number Required
    • total number Required
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.
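As an added example (not code from the Kibana documentation or the Kibana project), the following Python script puts the query parameters and the 200 response schema above to work: it encodes the parameters with the limits the page states, walks page, per_page and total until the last page, and then groups the returned rules by execution_status, last_run outcome, enabled and api_key_created_by_user, which is the kind of scheduled rule-health check a detection engineer wants. Every name in it is constructed for the example: FIND_PATH, build_find_query, iter_rules, triage, fake_kibana, run_report and SAMPLE_RULES are not part of the API. The HTTP call is injected as a callable so the script runs offline against a stand-in server that honours only page, per_page and a sort on name; encoding array parameters as a repeated key is an assumption to verify against your Kibana version.

```python
"""Added example: page through GET /api/alerting/rules/_find and triage rule health."""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode

FIND_PATH = "/api/alerting/rules/_find"

# A fetcher takes "path?query" and returns the decoded JSON body of the response.
Fetcher = Callable[[str], dict]


def build_find_query(per_page: int = 100, page: int = 1, filter_kql: Optional[str] = None,
                     search_fields: Optional[List[str]] = None, sort_field: Optional[str] = None,
                     sort_order: Optional[str] = None, fields: Optional[List[str]] = None,
                     filter_consumers: Optional[List[str]] = None) -> str:
    """Encode the _find query parameters, enforcing the limits stated in the docs."""
    if per_page < 0 or page < 1:
        raise ValueError("per_page must be >= 0 and page must be >= 1")
    if sort_order not in (None, "asc", "desc"):
        raise ValueError("sort_order must be asc or desc")
    params: Dict[str, object] = {"per_page": per_page, "page": page}
    if filter_kql:
        params["filter"] = filter_kql
    if search_fields:
        params["search_fields"] = search_fields  # array: key repeated per value (assumed encoding)
    if sort_field:
        params["sort_field"] = sort_field
    if sort_order:
        params["sort_order"] = sort_order
    if fields:
        params["fields"] = fields
    if filter_consumers:
        params["filter_consumers"] = filter_consumers
    return urlencode(params, doseq=True)


def iter_rules(fetch: Fetcher, per_page: int = 100, **find_kwargs) -> Iterator[dict]:
    """Yield every rule by walking page/per_page/total until the last page."""
    page = 1
    while True:
        body = fetch(f"{FIND_PATH}?{build_find_query(per_page=per_page, page=page, **find_kwargs)}")
        data = body.get("data", [])
        yield from data
        # Also stop on an empty page, so a server that ignores `page` cannot loop forever.
        if not data or page * body.get("per_page", per_page) >= body.get("total", 0):
            return
        page += 1


def triage(rules: Iterator[dict]) -> Dict[str, List[str]]:
    """Group rule ids by the execution_status / last_run conditions worth reviewing."""
    report: Dict[str, List[str]] = {"execution_error": [], "execution_warning": [],
                                    "last_run_not_succeeded": [], "disabled": [],
                                    "user_created_api_key": []}
    for rule in rules:
        rule_id = rule["id"]
        status = (rule.get("execution_status") or {}).get("status")
        if status == "error":
            report["execution_error"].append(rule_id)
        elif status == "warning":
            report["execution_warning"].append(rule_id)
        last_run = rule.get("last_run") or {}  # last_run is object | null in the schema
        if last_run.get("outcome") not in (None, "succeeded"):
            report["last_run_not_succeeded"].append(rule_id)
        if not rule.get("enabled", False):
            report["disabled"].append(rule_id)
        if rule.get("api_key_created_by_user"):
            report["user_created_api_key"].append(rule_id)
    return report


# Constructed sample rules, reduced to the fields the triage reads.
SAMPLE_RULES = [
    {"id": "rule-0001", "name": "disk usage", "enabled": True, "api_key_created_by_user": False,
     "execution_status": {"status": "ok"}, "last_run": {"outcome": "succeeded"}},
    {"id": "rule-0002", "name": "failed logins", "enabled": True, "api_key_created_by_user": False,
     "execution_status": {"status": "error", "error": {"message": "cannot decrypt", "reason": "decrypt"}},
     "last_run": {"outcome": "failed"}},
    {"id": "rule-0003", "name": "noisy rule", "enabled": False, "api_key_created_by_user": True,
     "execution_status": {"status": "warning", "warning": {"message": "alert limit", "reason": "maxAlerts"}},
     "last_run": {"outcome": "warning"}},
    {"id": "rule-0004", "name": "new rule", "enabled": True, "api_key_created_by_user": False,
     "execution_status": {"status": "pending"}, "last_run": None},
]


def fake_kibana(url: str) -> dict:
    """Offline stand-in for the endpoint: honours page, per_page and a sort on name only."""
    path, _, query = url.partition("?")
    if path != FIND_PATH:
        raise ValueError(f"unexpected path {path}")
    q = parse_qs(query)
    page = int(q.get("page", ["1"])[0])
    per_page = int(q.get("per_page", ["10"])[0])
    rules = list(SAMPLE_RULES)
    if q.get("sort_field", [None])[0] == "name":
        rules.sort(key=lambda r: r["name"], reverse=q.get("sort_order", ["asc"])[0] == "desc")
    start = (page - 1) * per_page
    return {"data": rules[start:start + per_page], "page": page, "per_page": per_page,
            "total": len(rules)}


def run_report(fetch: Fetcher = fake_kibana, per_page: int = 2) -> Dict[str, List[str]]:
    return triage(iter_rules(fetch, per_page=per_page, sort_field="name", sort_order="asc"))


if __name__ == "__main__":
    for bucket, ids in run_report().items():
        print(f"{bucket}: {ids}")
```

To run it against a real Kibana, pass a fetch function that performs the GET on https://localhost:5601 plus the generated path with the Authorization header from the curl example above and returns the parsed JSON body; a filter such as filter_kql='alert.attributes.tags: "cpu"' can then be passed through iter_rules (the alert saved-object type name is an assumption, not stated on this page).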

GET /api/alerting/rules/_find
curl \
 --request GET 'https://localhost:5601/api/alerting/rules/_find' \
 --header "Authorization: $API_KEY"
Response examples (200)
A response that contains information about an index threshold rule.
{
  "data": [
    {
      "actions": [
        {
          "frequency": {
            "notify_when": "onActionGroupChange",
            "summary": false,
            "throttle": null
          },
          "group": "threshold met",
          "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
          "params": {
            "connector_type_id": ".server-log",
            "level": "info",
            "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
          },
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61"
        }
      ],
      "api_key_created_by_user": false,
      "api_key_owner": "elastic",
      "consumer": "alerts",
      "created_at": "2022-12-05T23:40:33.132Z",
      "created_by": "elastic",
      "enabled": true,
      "execution_status": {
        "last_duration": 48,
        "last_execution_date": "2022-12-06T01:44:23.983Z",
        "status": "ok"
      },
      "id": "3583a470-74f6-11ed-9801-35303b735aef",
      "last_run": {
        "alerts_count": {
          "active": 0,
          "ignored": 0,
          "new": 0,
          "recovered": 0
        },
        "outcome": "succeeded",
        "outcome_msg": null,
        "warning": null
      },
      "mute_all": false,
      "muted_alert_ids": [],
      "name": "my alert",
      "next_run": "2022-12-06T01:45:23.912Z",
      "params": {
        "aggField": "sheet.version",
        "aggType": "avg",
        "groupBy": "top",
        "index": [
          "test-index"
        ],
        "termField": "name.keyword",
        "termSize": 6,
        "threshold": [
          1000
        ],
        "thresholdComparator": ">",
        "timeField": "@timestamp",
        "timeWindowSize": 5,
        "timeWindowUnit": "m"
      },
      "revision": 1,
      "rule_type_id": ".index-threshold",
      "schedule": {
        "interval": "1m"
      },
      "scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
      "tags": [
        "cpu"
      ],
      "throttle": null,
      "updated_at": "2022-12-05T23:40:33.132Z",
      "updated_by": "elastic"
    }
  ],
  "page": 1,
  "per_page": 10,
  "total": 1
}
A response that contains information about a security rule that has conditional actions.
{
  "data": [
    {
      "actions": [
        {
          "alerts_filter": {
            "query": {
              "filters": [
                {
                  "$state": {
                    "store": "appState"
                  },
                  "meta": {
                    "alias": null,
                    "disabled": false,
                    "field": "client.geo.region_iso_code",
                    "index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
                    "key": "client.geo.region_iso_code",
                    "negate": false,
                    "params": {
                      "query": "CA-QC",
                      "type": "phrase"
                    }
                  },
                  "query": {
                    "match_phrase": {
                      "client.geo.region_iso_code": "CA-QC"
                    }
                  }
                }
              ],
              "kql": ""
            },
            "timeframe": {
              "days": [
                7
              ],
              "hours": {
                "end": "17:00",
                "start": "08:00"
              },
              "timezone": "UTC"
            }
          },
          "connector_type_id": ".index",
          "frequency": {
            "notify_when": "onActiveAlert",
            "summary": true,
            "throttle": null
          },
          "group": "default",
          "id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
          "params": {
            "documents": [
              {
                "alert_id": {
                  "[object Object]": null
                },
                "context_message": {
                  "[object Object]": null
                },
                "rule_id": {
                  "[object Object]": null
                },
                "rule_name": {
                  "[object Object]": null
                }
              }
            ]
          },
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61"
        }
      ],
      "api_key_created_by_user": false,
      "api_key_owner": "elastic",
      "consumer": "siem",
      "created_at": "2023-05-16T15:50:28.358Z",
      "created_by": "elastic",
      "enabled": true,
      "execution_status": {
        "last_duration": 166,
        "last_execution_date": "2023-05-16T20:26:49.590Z",
        "status": "ok"
      },
      "id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "last_run": {
        "alerts_count": {
          "active": 0,
          "ignored": 0,
          "new": 0,
          "recovered": 0
        },
        "outcome": "succeeded",
        "outcome_msg": [
          "Rule execution completed successfully"
        ],
        "outcome_order": 0,
        "warning": null
      },
      "mute_all": false,
      "muted_alert_ids": [],
      "name": "security_rule",
      "next_run": "2023-05-16T20:27:49.507Z",
      "notify_when": null,
      "params": {
        "author": [],
        "description": "A security threshold rule.",
        "exceptionsList": [],
        "falsePositives": [],
        "filters": [],
        "from": "now-3660s",
        "immutable": false,
        "index": [
          "kibana_sample_data_logs"
        ],
        "language": "kuery",
        "license": "",
        "maxSignals": 100,
        "meta": {
          "from": "1h",
          "kibana_siem_app_url": "https://localhost:5601/app/security"
        },
        "outputIndex": "",
        "query": "*",
        "references": [],
        "riskScore": 21,
        "riskScoreMapping": [],
        "ruleId": "an_internal_rule_id",
        "severity": "low",
        "severityMapping": [],
        "threat": [],
        "threshold": {
          "cardinality": [],
          "field": [
            "bytes"
          ],
          "value": 1
        },
        "to": "now",
        "type": "threshold",
        "version": 1
      },
      "revision": 1,
      "rule_type_id": "siem.thresholdRule",
      "running": false,
      "schedule": {
        "interval": "1m"
      },
      "scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "tags": [],
      "throttle": null,
      "updated_at": "2023-05-16T20:25:42.559Z",
      "updated_by": "elastic"
    }
  ],
  "page": 1,
  "per_page": 10,
  "total": 1
}