POST /api/alerting/rule/{id}

Spaces method and path for this operation:

post /s/{space_id}/api/alerting/rule/{id}

Refer to Spaces for more information.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json

Body object

Any of:

Responses

  • 200 application/json

    Indicates a successful call.

    • actions array[object] Required
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        • query object

          Additional properties are NOT allowed.

          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            • $state object

              Additional properties are NOT allowed.

              • store string Required

                A filter that can be applied to a specific application context or applied globally.

                Values are appState or globalState.

            • meta object Required
            • query object
          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            • end string Required

              The end of the time frame, in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame, in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in support for daylight saving time and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        • notify_when string Required

          Indicates how frequently rule actions are triggered. Valid values:
          onActionGroupChange: Actions run when the alert status changes.
          onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met.
          onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met.
          You cannot specify notify_when at both the rule and action level. The recommended approach is to set it for each action individually. If you set notify_when at the rule level and then edit the rule, it will automatically be converted to action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval defines how frequently rule actions are triggered. It is specified in seconds, minutes, hours, or days and only applies when 'notify_when' is set to 'onThrottleInterval'. You cannot set the throttle interval at both the rule and action level. The recommended approach is to set it for each action individually. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set it to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.

      Additional properties are NOT allowed.

      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • artifacts object

      Additional properties are NOT allowed.

      • dashboards array[object]
        • id string Required
      • investigation_guide object

        Additional properties are NOT allowed.

        • blob string Required

          User-created content that describes alert causes and remediation.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want the rule to run on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      • error object

        Additional properties are NOT allowed.

        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last rule execution.

      • last_execution_date string Required

        The date and time of the last rule execution.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      • enabled boolean

        Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.

      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states within the defined look-back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • last_run object | null

      Additional properties are NOT allowed.

      • alerts_count object Required

        Additional properties are NOT allowed.

        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of the last rule run.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object
    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next rule run.

    • notify_when string | null

      Indicates how frequently rule actions are triggered. Valid values:
      onActionGroupChange: Actions run when the alert status changes.
      onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met.
      onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met.
      You cannot specify notify_when at both the rule and action level. The recommended approach is to set it for each action individually. If you set notify_when at the rule level and then edit the rule, it will automatically be converted to action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how frequently rule actions are triggered. You cannot specify the throttle interval at both the rule and action level. If you set the throttle interval at the rule level and then edit the rule, it will automatically be converted to action-specific values.

    • updated_at string Required

      The date and time of the latest updates to the rule.

    • updated_by string | null Required

      The identifier for the user who was the last to update the rule.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 409

    Indicates that the rule id is already in use.
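As an added example (not Kibana's own validation code), the following Python applies the constraints stated in the attribute descriptions above before a body is sent, and evaluates the alerts_filter.timeframe semantics: days are 1..7 with 1 = Monday and an empty list meaning every day, hours are hh:mm in 24-hour notation, and the time zone is either a fixed UTC offset or an IANA zone. The sample body with its placeholder connector id, and the treatment of an end time earlier than the start time as a window that spans midnight, are this example's assumptions, not something the reference states.

```python
"""Client-side checks for a rule body before it is POSTed to /api/alerting/rule/{id},
plus an evaluator for the alerts_filter.timeframe semantics. Added example, not Kibana code."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone, tzinfo
from zoneinfo import ZoneInfo

HHMM = re.compile(r"^([01]\d|2[0-3]):[0-5]\d$")                      # 24-hour hh:mm
UTC_OFFSET = re.compile(r"^UTC(?:([+-])(\d{1,2})(?::?(\d{2}))?)?$")  # UTC, UTC+1, UTC-05:30
NOTIFY_VALUES = {"onActionGroupChange", "onActiveAlert", "onThrottleInterval"}


def validate_rule_body(body: dict) -> list[str]:
    """Return the problems found; an empty list means the body passes these checks."""
    problems: list[str] = []
    for key in ("name", "consumer", "rule_type_id", "schedule", "params"):
        if key not in body:
            problems.append(f"missing required field {key!r}")
    # notify_when / throttle at rule level may not be combined with per-action frequency.
    rule_level = sorted(k for k in ("notify_when", "throttle") if body.get(k) is not None)
    for i, action in enumerate(body.get("actions", [])):
        where = f"actions[{i}]"
        if "id" not in action or "params" not in action:
            problems.append(f"{where}: id and params are required")
        freq = action.get("frequency")
        if freq:
            nw = freq.get("notify_when")
            if nw not in NOTIFY_VALUES:
                problems.append(f"{where}.frequency.notify_when {nw!r} is not valid")
            if "summary" not in freq:
                problems.append(f"{where}.frequency.summary is required")
            if rule_level:
                problems.append(f"{where}: {rule_level} set at rule level and frequency at action level")
            if freq.get("throttle") and nw != "onThrottleInterval":
                problems.append(f"{where}: throttle only applies when notify_when is onThrottleInterval")
        tf = (action.get("alerts_filter") or {}).get("timeframe")
        if tf:
            problems += check_timeframe(tf, f"{where}.alerts_filter.timeframe")
    flapping = body.get("flapping")
    if flapping:
        for k in ("look_back_window", "status_change_threshold"):
            v = flapping.get(k)
            if not isinstance(v, int) or not 2 <= v <= 20:
                problems.append(f"flapping.{k} must be an integer from 2 to 20, got {v!r}")
    return problems


def check_timeframe(tf: dict, where: str = "timeframe") -> list[str]:
    problems: list[str] = []
    days = tf.get("days")
    if not isinstance(days, list) or any(d not in range(1, 8) for d in days):
        problems.append(f"{where}.days must be a list of integers 1..7 (1 = Monday)")
    hours = tf.get("hours") or {}
    for k in ("start", "end"):
        if not HHMM.match(str(hours.get(k, ""))):
            problems.append(f"{where}.hours.{k} must be hh:mm in 24-hour notation")
    if not tf.get("timezone"):
        problems.append(f"{where}.timezone is required")
    return problems


def zone_for(name: str) -> tzinfo:
    """Resolve the timeframe's timezone: a fixed UTC/UTC+1-style offset (no DST, as the
    reference warns) or an IANA zone name such as Europe/Berlin."""
    m = UTC_OFFSET.match(name)
    if not m:
        return ZoneInfo(name)
    if m.group(1) is None:
        return timezone.utc
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3) or 0)))


def action_runs_at(tf: dict, when) -> bool:
    """True if an action limited by this timeframe may run at the given moment
    (an aware datetime or an ISO 8601 string with an offset)."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    local = when.astimezone(zone_for(tf["timezone"]))
    days = tf.get("days") or []                   # empty list means every day of the week
    if days and local.isoweekday() not in days:   # isoweekday(): 1 = Monday, as in the API
        return False
    start, end = tf["hours"]["start"], tf["hours"]["end"]
    now = local.strftime("%H:%M")                 # zero-padded, so string comparison works
    if start <= end:
        return start <= now < end
    return now >= start or now < end              # assumption: end < start spans midnight


# Constructed sample body (placeholder connector id), shaped like the index threshold example.
SAMPLE_BODY = {
    "name": "my rule", "consumer": "alerts", "rule_type_id": ".index-threshold",
    "schedule": {"interval": "1m"}, "params": {"index": [".test-index"], "threshold": [1000]},
    "actions": [{
        "id": "00000000-0000-4000-8000-000000000000", "group": "threshold met",
        "params": {"level": "info", "message": "Rule '{{rule.name}}' is active"},
        "frequency": {"notify_when": "onThrottleInterval", "summary": True, "throttle": "1h"},
        "alerts_filter": {"timeframe": {"days": [1, 2, 3, 4, 5],
                                        "hours": {"start": "08:00", "end": "17:00"},
                                        "timezone": "UTC"}},
    }],
    "flapping": {"enabled": True, "look_back_window": 10, "status_change_threshold": 4},
}
```

Running these checks locally turns most of the server's 400 responses into precise messages before the request leaves the host, and the timeframe evaluator makes it possible to unit-test an on-call window (for example, that a Saturday 09:30 UTC alert is suppressed by a weekday-only filter) rather than discovering it in production.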

POST /api/alerting/rule/{id}
curl \
 --request POST 'https://localhost:5601/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"actions":[{"frequency":{"notify_when":"onActiveAlert","summary":false},"group":"query matched","id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","params":{"level":"info","message":"Elasticsearch query rule '\''{{rule.name}}'\'' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"}}],"consumer":"stackAlerts","name":"my Elasticsearch query ESQL rule","params":{"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"},"searchType":"esqlQuery","size":0,"threshold":[0],"thresholdComparator":">","timeField":"@timestamp","timeWindowSize":1,"timeWindowUnit":"d"},"rule_type_id":".es-query","schedule":{"interval":"1d"}}'
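The same call from Python instead of curl, as an added example that is not part of the reference: it composes the space-scoped path, sets the required kbn-xsrf header, and maps the documented 400, 403 and 409 statuses to an exception the caller can act on. It assumes the API key is sent with the ApiKey authorization scheme and that KIBANA_URL, KIBANA_API_KEY and optionally KIBANA_SPACE come from the environment; the rule id and body are constructed placeholders.

```python
"""Create a rule with a caller-chosen id via POST /s/{space_id}/api/alerting/rule/{id}.
Added example, not Kibana client code; assumes the ApiKey authorization scheme."""
from __future__ import annotations

import json
import os
import urllib.error
import urllib.request
from urllib.parse import quote


class RuleCreateError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(f"HTTP {status}: {detail}")
        self.status = status


# Meaning of each non-200 status listed for this operation.
STATUS_MEANING = {
    400: "invalid schema or parameters",
    403: "forbidden",
    409: "rule id already in use (pick another id or update the existing rule)",
}


def rule_url(base_url: str, rule_id: str, space_id=None) -> str:
    """Build the operation path, adding the /s/{space_id} prefix when a space is given."""
    prefix = f"/s/{quote(space_id, safe='')}" if space_id else ""
    return f"{base_url.rstrip('/')}{prefix}/api/alerting/rule/{quote(rule_id, safe='')}"


def build_create_request(base_url: str, rule_id: str, body: dict, api_key: str,
                         space_id=None) -> urllib.request.Request:
    return urllib.request.Request(
        rule_url(base_url, rule_id, space_id),
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "kbn-xsrf": "true",                    # required CSRF-protection header
            "Content-Type": "application/json",
            "Authorization": f"ApiKey {api_key}",  # assumption: ApiKey scheme
        },
    )


def create_rule(req: urllib.request.Request) -> dict:
    """Send the request; return the parsed 200 body or raise RuleCreateError."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        detail = STATUS_MEANING.get(e.code, str(e.reason))
        try:
            detail += ": " + str(json.load(e).get("message", ""))
        except (ValueError, AttributeError):
            pass
        raise RuleCreateError(e.code, detail) from e


# Constructed placeholders: an explicit rule id and a minimal index threshold body.
RULE_ID = "00000000-0000-4000-8000-000000000001"
RULE_BODY = {
    "name": "my rule", "consumer": "alerts", "rule_type_id": ".index-threshold",
    "schedule": {"interval": "1m"},
    "params": {"aggType": "count", "groupBy": "all", "index": [".test-index"],
               "threshold": [1000], "thresholdComparator": ">",
               "timeField": "@timestamp", "timeWindowSize": 5, "timeWindowUnit": "m"},
}

if __name__ == "__main__":
    req = build_create_request(os.environ["KIBANA_URL"], RULE_ID, RULE_BODY,
                               os.environ["KIBANA_API_KEY"],
                               space_id=os.environ.get("KIBANA_SPACE"))
    try:
        created = create_rule(req)
        # Record who owns the key that runs the rule and its initial status.
        print(created["id"], created["api_key_owner"], created["execution_status"]["status"])
    except RuleCreateError as err:
        print(err)
```

Because the id comes from the path, a 409 is a real conflict rather than a transient failure: a retry loop should stop and report it instead of silently generating a new id, otherwise duplicate rules accumulate.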
Request examples
Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
{
  "actions": [
    {
      "frequency": {
        "notify_when": "onActiveAlert",
        "summary": false
      },
      "group": "query matched",
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      }
    }
  ],
  "consumer": "stackAlerts",
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "searchType": "esqlQuery",
    "size": 0,
    "threshold": [
      0
    ],
    "thresholdComparator": ">",
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d"
  },
  "rule_type_id": ".es-query",
  "schedule": {
    "interval": "1d"
  }
}
Create an Elasticsearch query rule that uses Kibana query language (KQL).
{
  "consumer": "alerts",
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "aggType": "count",
    "excludeHitsFromPreviousRun": true,
    "groupBy": "all",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "language": "kuery",
        "query": "geo.src : \"US\""
      }
    },
    "searchType": "searchSource",
    "size": 100,
    "threshold": [
      1000
    ],
    "thresholdComparator": ">",
    "timeWindowSize": 5,
    "timeWindowUnit": "m"
  },
  "rule_type_id": ".es-query",
  "schedule": {
    "interval": "1m"
  }
}
Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
{
  "actions": [
    {
      "frequency": {
        "notify_when": "onThrottleInterval",
        "summary": true,
        "throttle": "1d"
      },
      "group": "query matched",
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      }
    },
    {
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": false
      },
      "group": "recovered",
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "params": {
        "level": "info",
        "message": "Recovered"
      }
    }
  ],
  "consumer": "alerts",
  "name": "my Elasticsearch query rule",
  "params": {
    "esQuery": "{\"query\":{\"match_all\" : {}}}",
    "index": [
      "kibana_sample_data_logs"
    ],
    "size": 100,
    "threshold": [
      100
    ],
    "thresholdComparator": ">",
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d"
  },
  "rule_type_id": ".es-query",
  "schedule": {
    "interval": "1d"
  }
}
Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
{
  "actions": [
    {
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": false
      },
      "group": "threshold met",
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      }
    }
  ],
  "alert_delay": {
    "active": 3
  },
  "consumer": "alerts",
  "name": "my rule",
  "params": {
    "aggField": "sheet.version",
    "aggType": "avg",
    "groupBy": "top",
    "index": [
      ".test-index"
    ],
    "termField": "name.keyword",
    "termSize": 6,
    "threshold": [
      1000
    ],
    "thresholdComparator": ">",
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m"
  },
  "rule_type_id": ".index-threshold",
  "schedule": {
    "interval": "1m"
  },
  "tags": [
    "cpu"
  ]
}
Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
{
  "consumer": "alerts",
  "name": "my tracking rule",
  "params": {
    "boundaryGeoField": "location",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryIndexTitle": "boundary*",
    "boundaryNameField": "name",
    "boundaryType": "entireIndex",
    "dateField": "@timestamp",
    "entity": "agent.keyword",
    "geoField": "geo.coordinates",
    "index": "kibana_sample_data_logs",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247"
  },
  "rule_type_id": ".geo-containment",
  "schedule": {
    "interval": "1h"
  }
}
Response examples (200)
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
{
  "actions": [
    {
      "connector_type_id": ".server-log",
      "frequency": {
        "notify_when": "onActiveAlert",
        "summary": false,
        "throttle": null
      },
      "group": "query matched",
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844"
    }
  ],
  "api_key_created_by_user": false,
  "api_key_owner": "elastic",
  "consumer": "stackAlerts",
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "enabled": true,
  "execution_status": {
    "last_execution_date": "2023-11-01T19:00:10.453Z",
    "status": "pending"
  },
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "mute_all": false,
  "muted_alert_ids": [],
  "name": "my Elasticsearch query ESQL rule",
  "notify_when": null,
  "params": {
    "aggType": "count",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "excludeHitsFromPreviousRun": true,
    "groupBy": "all",
    "searchType": "esqlQuery",
    "size": 0,
    "threshold": [
      0
    ],
    "thresholdComparator": ">",
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d"
  },
  "revision": 0,
  "rule_type_id": ".es-query",
  "running": false,
  "schedule": {
    "interval": "1d"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "tags": [],
  "throttle": null,
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic"
}
The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
{
  "actions": [],
  "api_key_created_by_user": false,
  "api_key_owner": "elastic",
  "consumer": "alerts",
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "enabled": true,
  "execution_status": {
    "last_execution_date": "2023-07-14T20:24:50.729Z",
    "status": "pending"
  },
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "mute_all": false,
  "muted_alert_ids": [],
  "name": "my Elasticsearch query KQL rule",
  "notify_when": null,
  "params": {
    "aggType": "count",
    "excludeHitsFromPreviousRun": true,
    "groupBy": "all",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "language": "kuery",
        "query": "geo.src : \"US\""
      }
    },
    "searchType": "searchSource",
    "size": 100,
    "threshold": [
      1000
    ],
    "thresholdComparator": ">",
    "timeWindowSize": 5,
    "timeWindowUnit": "m"
  },
  "revision": 0,
  "rule_type_id": ".es-query",
  "running": false,
  "schedule": {
    "interval": "1m"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "tags": [],
  "throttle": null,
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic"
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
{
  "actions": [
    {
      "connector_type_id": ".server-log",
      "frequency": {
        "notify_when": "onThrottleInterval",
        "summary": true,
        "throttle": "1d"
      },
      "group": "query matched",
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78"
    },
    {
      "connector_type_id": ".server-log",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": false,
        "throttle": null
      },
      "group": "recovered",
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758"
    }
  ],
  "api_key_created_by_user": false,
  "api_key_owner": "elastic",
  "consumer": "alerts",
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "enabled": true,
  "execution_status": {
    "last_execution_date": "2023-08-22T00:03:38.263Z",
    "status": "pending"
  },
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "mute_all": false,
  "muted_alert_ids": [],
  "name": "my Elasticsearch query rule",
  "notify_when": null,
  "params": {
    "aggType": "count",
    "esQuery": "{\"query\":{\"match_all\" : {}}}",
    "excludeHitsFromPreviousRun": true,
    "groupBy": "all",
    "index": [
      "kibana_sample_data_logs"
    ],
    "searchType": "esQuery",
    "size": 100,
    "threshold": [
      100
    ],
    "thresholdComparator": ">",
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d"
  },
  "revision": 0,
  "rule_type_id": ".es-query",
  "running": false,
  "schedule": {
    "interval": "1d"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "tags": [],
  "throttle": null,
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic"
}
The response for successfully creating an index threshold rule.
{
  "actions": [
    {
      "connector_type_id": ".server-log",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": false,
        "throttle": null
      },
      "group": "threshold met",
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d"
    }
  ],
  "alert_delay": {
    "active": 3
  },
  "api_key_created_by_user": false,
  "api_key_owner": "elastic",
  "consumer": "alerts",
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "enabled": true,
  "execution_status": {
    "last_execution_date": "2022-06-08T17:20:31.632Z",
    "status": "pending"
  },
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "mute_all": false,
  "muted_alert_ids": [],
  "name": "my rule",
  "notify_when": null,
  "params": {
    "aggField": "sheet.version",
    "aggType": "avg",
    "groupBy": "top",
    "index": [
      ".test-index"
    ],
    "termField": "name.keyword",
    "termSize": 6,
    "threshold": [
      1000
    ],
    "thresholdComparator": ">",
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m"
  },
  "revision": 0,
  "rule_type_id": ".index-threshold",
  "running": false,
  "schedule": {
    "interval": "1m"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "tags": [
    "cpu"
  ],
  "throttle": null,
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic"
}
The response for successfully creating a tracking containment rule.
{
  "actions": [],
  "api_key_created_by_user": false,
  "api_key_owner": "elastic",
  "consumer": "alerts",
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "enabled": true,
  "execution_status": {
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z",
    "status": "ok"
  },
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "last_run": {
    "alerts_count": {
      "active": 0,
      "ignored": 0,
      "new": 0,
      "recovered": 0
    },
    "outcome": "succeeded",
    "outcome_msg": null,
    "outcome_order": 0,
    "warning": null
  },
  "mute_all": false,
  "muted_alert_ids": [],
  "name": "my tracking rule",
  "next_run": "2024-02-15T03:26:38.033Z",
  "notify_when": null,
  "params": {
    "boundaryGeoField": "location",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryIndexTitle": "boundary*",
    "boundaryNameField": "name",
    "boundaryType": "entireIndex",
    "dateField": "@timestamp",
    "entity": "agent.keyword",
    "geoField": "geo.coordinates",
    "index": "kibana_sample_data_logs",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247"
  },
  "revision": 1,
  "rule_type_id": ".geo-containment",
  "running": false,
  "schedule": {
    "interval": "1h"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "tags": [],
  "throttle": null,
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic"
}