Create multiple detection rules
Deprecated
Create new detection rules in bulk.
This API is deprecated and will be removed in Kibana v9.0.
When used with API key authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
Body
object
Required
A JSON array of rules, where each rule contains the required fields.
-
actions
array[object] Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. -
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string -
version
integer The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
language
string Required Query language to use
Value is
eql. -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
type
string Required Discriminator Rule type
Value is
eql. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
data_view_id
string -
event_category_override
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
tiebreaker_field
string Sets a secondary field for sorting events
-
timestamp_field
string Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with
timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
-
actions
array[object] Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. -
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string -
version
integer The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
type
string Required Discriminator Rule type
Value is
query. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
saved_id
string Kibana saved search used by the rule to create alerts.
-
language
string Values are
kueryorlucene. -
query
string Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
actions
array[object] Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. -
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string -
version
integer The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
saved_id
string Required Kibana saved search used by the rule to create alerts.
-
type
string Required Discriminator Rule type
Value is
saved_query. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
query
string Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
language
string Values are
kueryorlucene.
-
actions
array[object] Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. -
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string -
version
integer The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
threshold
object Required Hide threshold attributes Show threshold attributes object
-
cardinality
array[object] The field on which the cardinality is applied.
field
string | array[string] Required The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field.
-
value
integer Required The threshold value from which an alert is generated.
Minimum value is
1.
-
-
type
string Required Discriminator Rule type
Value is
threshold. -
alert_suppression
object Defines alert suppression configuration.
-
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
saved_id
string Kibana saved search used by the rule to create alerts.
-
language
string Values are
kueryorlucene.
-
actions
array[object] Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. -
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string -
version
integer The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
threat_index
array[string] Required Elasticsearch indices used to check which field values generate alerts.
-
threat_mapping
array[object] Required Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:
- field: field from the event indices on which the rule runs
- type: must be mapping
- value: field from the Elasticsearch threat index
You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both
andandorlogic.At least
1element.Hide threat_mapping attribute Show threat_mapping attribute object
-
entries
array[object] Required Hide entries attributes Show entries attributes object
-
threat_query
string Required Query used to determine which fields in the Elasticsearch index are used for generating alerts.
-
type
string Required Discriminator Rule type
Value is
threat_match. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
concurrent_searches
integer Minimum value is
1. -
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
items_per_search
integer Minimum value is
1. -
saved_id
string Kibana saved search used by the rule to create alerts.
-
threat_filters
array Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
-
threat_indicator_path
string Defines the path to the threat indicator in the indicator documents (optional)
-
threat_language
string Values are
kueryorlucene. -
language
string Values are
kueryorlucene.
-
actions
array[object] Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. -
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string -
version
integer The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
anomaly_threshold
integer Required Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.
Minimum value is
0. machine_learning_job_id
string | array[string] Required Machine learning job ID(s) the rule monitors for anomaly scores.
One of: At least
1element.-
type
string Required Discriminator Rule type
Value is
machine_learning. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
actions
array[object] Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. -
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string -
version
integer The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
history_window_start
string(nonempty) Required Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
Minimum length is
1. -
new_terms_fields
array[string] Required Fields to monitor for new values.
At least
1but not more than3elements. -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
type
string Required Discriminator Rule type
Value is
new_terms. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
language
string Values are
kueryorlucene.
-
actions
array[object] Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. -
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string -
version
integer The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
language
string Required Value is
esql. -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
type
string Required Discriminator Rule type
Value is
esql.
Responses
-
200 application/json
Indicates a successful call.
One of: Security_Detections_API_EqlRuleResponseFieldsobject Security_Detections_API_QueryRuleResponseFieldsobject Security_Detections_API_SavedQueryRuleResponseFieldsobject Security_Detections_API_ThresholdRuleResponseFieldsobject Security_Detections_API_ThreatMatchRuleResponseFieldsobject Security_Detections_API_MachineLearningRuleResponseFieldsobject Security_Detections_API_NewTermsRuleResponseFieldsobject Security_Detections_API_EsqlRuleResponseFieldsobject Security_Detections_API_ErrorSchemaobject Hide attributes Show attributes
-
actions
array[object] Required Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] Required The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Required Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Required Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] Required String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Required Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Required Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Required Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Required Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Required Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Required Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Required Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Required Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Required Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] Required String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Required Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string Required -
version
integer Required The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
created_at
string(date-time) Required -
created_by
string Required -
execution_summary
object Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
last_execution
object Required Hide last_execution attributes Show last_execution attributes object
-
date
string(date-time) Required Date of the last execution
-
message
string Required -
metrics
object Required Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s
integer Duration in seconds of execution gap
Minimum value is
0. -
gap_range
object Range of the execution gap
-
total_enrichment_duration_ms
integer Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
total_indexing_duration_ms
integer Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
total_search_duration_ms
integer Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
status
string Required Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded. -
status_order
integer Required
-
-
-
id
string(uuid) Required A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object
ids. -
immutable
boolean Required Deprecated This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
revision
integer Required The rule's revision number.
It represents the version of rule's object in Kibana. It is set to
0when the rule is installed or created and then gets incremented on each update.Not all updates to any rule fields will increment the revision. Only those fields that are considered static
rule parameterscan trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.Minimum value is
0. -
rule_id
string Required A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
is_customized
boolean Required Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type
string Required Discriminator Value is
external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
type
string Required Discriminator Value is
internal.
-
-
updated_at
string(date-time) Required -
updated_by
string Required -
language
string Required Query language to use
Value is
eql. -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
type
string Required Rule type
Value is
eql. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
data_view_id
string -
event_category_override
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
tiebreaker_field
string Sets a secondary field for sorting events
-
timestamp_field
string Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with
timestamp_override, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
Hide attributes Show attributes
-
actions
array[object] Required Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] Required The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Required Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Required Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] Required String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Required Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Required Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Required Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Required Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Required Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Required Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Required Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Required Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Required Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] Required String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Required Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string Required -
version
integer Required The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
created_at
string(date-time) Required -
created_by
string Required -
execution_summary
object Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
last_execution
object Required Hide last_execution attributes Show last_execution attributes object
-
date
string(date-time) Required Date of the last execution
-
message
string Required -
metrics
object Required Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s
integer Duration in seconds of execution gap
Minimum value is
0. -
gap_range
object Range of the execution gap
-
total_enrichment_duration_ms
integer Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
total_indexing_duration_ms
integer Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
total_search_duration_ms
integer Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
status
string Required Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded. -
status_order
integer Required
-
-
-
id
string(uuid) Required A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object
ids. -
immutable
boolean Required Deprecated This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
revision
integer Required The rule's revision number.
It represents the version of rule's object in Kibana. It is set to
0when the rule is installed or created and then gets incremented on each update.Not all updates to any rule fields will increment the revision. Only those fields that are considered static
rule parameterscan trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.Minimum value is
0. -
rule_id
string Required A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
is_customized
boolean Required Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type
string Required Discriminator Value is
external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
type
string Required Discriminator Value is
internal.
-
-
updated_at
string(date-time) Required -
updated_by
string Required -
type
string Required Rule type
Value is
query. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
saved_id
string Kibana saved search used by the rule to create alerts.
-
language
string Required Values are
kueryorlucene. -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
Hide attributes Show attributes
-
actions
array[object] Required Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] Required The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Required Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Required Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] Required String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Required Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Required Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Required Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Required Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Required Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Required Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Required Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Required Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Required Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] Required String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Required Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string Required -
version
integer Required The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
created_at
string(date-time) Required -
created_by
string Required -
execution_summary
object Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
last_execution
object Required Hide last_execution attributes Show last_execution attributes object
-
date
string(date-time) Required Date of the last execution
-
message
string Required -
metrics
object Required Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s
integer Duration in seconds of execution gap
Minimum value is
0. -
gap_range
object Range of the execution gap
-
total_enrichment_duration_ms
integer Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
total_indexing_duration_ms
integer Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
total_search_duration_ms
integer Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
status
string Required Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded. -
status_order
integer Required
-
-
-
id
string(uuid) Required A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object
ids. -
immutable
boolean Required Deprecated This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
revision
integer Required The rule's revision number.
It represents the version of rule's object in Kibana. It is set to
0when the rule is installed or created and then gets incremented on each update.Not all updates to any rule fields will increment the revision. Only those fields that are considered static
rule parameterscan trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.Minimum value is
0. -
rule_id
string Required A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
is_customized
boolean Required Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type
string Required Discriminator Value is
external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
type
string Required Discriminator Value is
internal.
-
-
updated_at
string(date-time) Required -
updated_by
string Required -
saved_id
string Required Kibana saved search used by the rule to create alerts.
-
type
string Required Rule type
Value is
saved_query. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
query
string Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
language
string Required Values are
kueryorlucene.
Hide attributes Show attributes
-
actions
array[object] Required Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] Required The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Required Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Required Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] Required String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Required Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Required Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Required Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Required Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Required Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Required Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Required Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Required Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Required Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] Required String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Required Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string Required -
version
integer Required The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
created_at
string(date-time) Required -
created_by
string Required -
execution_summary
object Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
last_execution
object Required Hide last_execution attributes Show last_execution attributes object
-
date
string(date-time) Required Date of the last execution
-
message
string Required -
metrics
object Required Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s
integer Duration in seconds of execution gap
Minimum value is
0. -
gap_range
object Range of the execution gap
-
total_enrichment_duration_ms
integer Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
total_indexing_duration_ms
integer Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
total_search_duration_ms
integer Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
status
string Required Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded. -
status_order
integer Required
-
-
-
id
string(uuid) Required A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object
ids. -
immutable
boolean Required Deprecated This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
revision
integer Required The rule's revision number.
It represents the version of rule's object in Kibana. It is set to
0when the rule is installed or created and then gets incremented on each update.Not all updates to any rule fields will increment the revision. Only those fields that are considered static
rule parameterscan trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.Minimum value is
0. -
rule_id
string Required A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
is_customized
boolean Required Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type
string Required Discriminator Value is
external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
type
string Required Discriminator Value is
internal.
-
-
updated_at
string(date-time) Required -
updated_by
string Required -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
threshold
object Required Hide threshold attributes Show threshold attributes object
-
cardinality
array[object] The field on which the cardinality is applied.
field
string | array[string] Required The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field.
-
value
integer Required The threshold value from which an alert is generated.
Minimum value is
1.
-
-
type
string Required Rule type
Value is
threshold. -
alert_suppression
object Defines alert suppression configuration.
-
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
saved_id
string Kibana saved search used by the rule to create alerts.
-
language
string Required Values are
kueryorlucene.
Hide attributes Show attributes
-
actions
array[object] Required Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] Required The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Required Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Required Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] Required String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Required Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Required Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Required Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Required Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Required Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Required Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Required Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Required Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Required Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] Required String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Required Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string Required -
version
integer Required The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
created_at
string(date-time) Required -
created_by
string Required -
execution_summary
object Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
last_execution
object Required Hide last_execution attributes Show last_execution attributes object
-
date
string(date-time) Required Date of the last execution
-
message
string Required -
metrics
object Required Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s
integer Duration in seconds of execution gap
Minimum value is
0. -
gap_range
object Range of the execution gap
-
total_enrichment_duration_ms
integer Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
total_indexing_duration_ms
integer Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
total_search_duration_ms
integer Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
status
string Required Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded. -
status_order
integer Required
-
-
-
id
string(uuid) Required A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object
ids. -
immutable
boolean Required Deprecated This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
revision
integer Required The rule's revision number.
It represents the version of rule's object in Kibana. It is set to
0when the rule is installed or created and then gets incremented on each update.Not all updates to any rule fields will increment the revision. Only those fields that are considered static
rule parameterscan trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.Minimum value is
0. -
rule_id
string Required A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
is_customized
boolean Required Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type
string Required Discriminator Value is
external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
type
string Required Discriminator Value is
internal.
-
-
updated_at
string(date-time) Required -
updated_by
string Required -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
threat_index
array[string] Required Elasticsearch indices used to check which field values generate alerts.
-
threat_mapping
array[object] Required Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:
- field: field from the event indices on which the rule runs
- type: must be mapping
- value: field from the Elasticsearch threat index
You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both
andandorlogic.At least
1element.Hide threat_mapping attribute Show threat_mapping attribute object
-
entries
array[object] Required Hide entries attributes Show entries attributes object
-
threat_query
string Required Query used to determine which fields in the Elasticsearch index are used for generating alerts.
-
type
string Required Rule type
Value is
threat_match. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
concurrent_searches
integer Minimum value is
1. -
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
items_per_search
integer Minimum value is
1. -
saved_id
string Kibana saved search used by the rule to create alerts.
-
threat_filters
array Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
-
threat_indicator_path
string Defines the path to the threat indicator in the indicator documents (optional)
-
threat_language
string Values are
kueryorlucene. -
language
string Required Values are
kueryorlucene.
Hide attributes Show attributes
-
actions
array[object] Required Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] Required The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Required Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Required Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] Required String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Required Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Required Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Required Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Required Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Required Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Required Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Required Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Required Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Required Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] Required String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Required Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string Required -
version
integer Required The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
created_at
string(date-time) Required -
created_by
string Required -
execution_summary
object Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
last_execution
object Required Hide last_execution attributes Show last_execution attributes object
-
date
string(date-time) Required Date of the last execution
-
message
string Required -
metrics
object Required Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s
integer Duration in seconds of execution gap
Minimum value is
0. -
gap_range
object Range of the execution gap
-
total_enrichment_duration_ms
integer Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
total_indexing_duration_ms
integer Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
total_search_duration_ms
integer Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
status
string Required Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded. -
status_order
integer Required
-
-
-
id
string(uuid) Required A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object
ids. -
immutable
boolean Required Deprecated This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
revision
integer Required The rule's revision number.
It represents the version of rule's object in Kibana. It is set to
0when the rule is installed or created and then gets incremented on each update.Not all updates to any rule fields will increment the revision. Only those fields that are considered static
rule parameterscan trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.Minimum value is
0. -
rule_id
string Required A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
is_customized
boolean Required Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type
string Required Discriminator Value is
external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
type
string Required Discriminator Value is
internal.
-
-
updated_at
string(date-time) Required -
updated_by
string Required -
anomaly_threshold
integer Required Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.
Minimum value is
0. machine_learning_job_id
string | array[string] Required Machine learning job ID(s) the rule monitors for anomaly scores.
One of: At least
1element.-
type
string Required Rule type
Value is
machine_learning. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
Hide attributes Show attributes
-
actions
array[object] Required Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] Required The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Required Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Required Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] Required String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Required Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Required Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Required Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Required Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Required Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Required Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Required Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Required Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Required Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] Required String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Required Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string Required -
version
integer Required The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
created_at
string(date-time) Required -
created_by
string Required -
execution_summary
object Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
last_execution
object Required Hide last_execution attributes Show last_execution attributes object
-
date
string(date-time) Required Date of the last execution
-
message
string Required -
metrics
object Required Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s
integer Duration in seconds of execution gap
Minimum value is
0. -
gap_range
object Range of the execution gap
-
total_enrichment_duration_ms
integer Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
total_indexing_duration_ms
integer Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
total_search_duration_ms
integer Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
status
string Required Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded. -
status_order
integer Required
-
-
-
id
string(uuid) Required A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object
ids. -
immutable
boolean Required Deprecated This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
revision
integer Required The rule's revision number.
It represents the version of rule's object in Kibana. It is set to
0when the rule is installed or created and then gets incremented on each update.Not all updates to any rule fields will increment the revision. Only those fields that are considered static
rule parameterscan trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.Minimum value is
0. -
rule_id
string Required A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
is_customized
boolean Required Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type
string Required Discriminator Value is
external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
type
string Required Discriminator Value is
internal.
-
-
updated_at
string(date-time) Required -
updated_by
string Required -
history_window_start
string(nonempty) Required Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
Minimum length is
1. -
new_terms_fields
array[string] Required Fields to monitor for new values.
At least
1but not more than3elements. -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
type
string Required Rule type
Value is
new_terms. -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
data_view_id
string -
filters
array The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
index
array[string] Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings →
securitySolution:defaultIndex).This field is not supported for ES|QL rules.
-
language
string Required Values are
kueryorlucene.
Hide attributes Show attributes
-
actions
array[object] Required Array defining the automated actions (notifications) taken when alerts are generated.
Hide actions attributes Show actions attributes object
-
action_type_id
string Required The action type used for sending notifications, can be:
.slack.slack_api.email.index.pagerduty.swimlane.webhook.servicenow.servicenow-itom.servicenow-sir.jira.resilient.opsgenie.teams.torq.tines.d3security
-
alerts_filter
object Object containing an action’s conditional filters.
timeframe(object, optional): Object containing the time frame for when this action can be run.days(array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array.hours(object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the formathh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day.- start (string, required): Start time in
hh:mmformat. - end (string, required): End time in
hh:mmformat.
- start (string, required): Start time in
timezone(string, required): An ISO timezone name, such asEurope/MadridorAmerica/New_York. Specific offsets such asUTCorUTC+1will also work, but lack built-in DST.
query(object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.kql(string, required): A KQL string.filters(array of objects, required): Array of filter objects, as defined in thekbn-es-querypackage.
Additional properties are allowed.
-
frequency
object The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
notifyWhen
string Required Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
summary
boolean Required Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group
string Optionally groups actions by use cases. Use
defaultfor alert notifications. -
id
string Required The connector ID.
-
params
object Required Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
message(string, required): The notification message.
For email:
to,cc,bcc(string): Email addresses to which the notifications are sent. At least one field must have a value.subject(string, optional): Email subject line.message(string, required): Email body text.
For Webhook:
body(string, required): JSON payload.
For PagerDuty:
severity(string, required): Severity of on the alert notification, can be:Critical,Error,WarningorInfo.eventAction(string, required): Event action type, which can betrigger,resolve, oracknowledge.dedupKey(string, optional): Groups alert notifications with the same PagerDuty alert.timestamp(DateTime, optional): ISO-8601 format timestamp.component(string, optional): Source machine component responsible for the event, for examplesecurity-solution.group(string, optional): Enables logical grouping of service components.source(string, optional): The affected system. Defaults to the Kibana saved object ID of the action.summary(string, options): Summary of the event. Defaults toNo summary provided. Maximum length is 1024 characters.class(string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
uuid
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1.
-
-
alias_purpose
string Values are
savedObjectConversionorsavedObjectImport. -
alias_target_id
string -
author
array[string] Required The rule’s author.
-
building_block_type
string Determines if the rule acts as a building block. If yes, the value must be
default. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to About building block rules. -
description
string Required The rule’s description.
Minimum length is
1. -
enabled
boolean Required Determines whether the rule is enabled. Defaults to true.
-
exceptions_list
array[object] Required Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
id
string(nonempty) Required ID of the exception container
Minimum length is
1. -
list_id
string(nonempty) Required List ID of the exception container
Minimum length is
1. -
namespace_type
string Required Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
type
string Required The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
false_positives
array[string] Required String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
from
string(date-math) Required Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
interval
string Required Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields
object Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Hide investigation_fields attribute Show investigation_fields attribute object
-
field_names
array[string(nonempty)] Required A string that does not contain only whitespace characters
At least
1element. Minimum length of each is1.
-
-
license
string The rule's license.
-
max_signals
integer Required Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run advanced setting value).
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. Default value is100. -
meta
object Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
name
string Required A human-readable name for the rule.
Minimum length is
1. -
namespace
string Has no effect.
-
note
string Notes to help investigate alerts produced by the rule.
-
outcome
string Values are
exactMatch,aliasMatch, orconflict. -
output_index
string Deprecated (deprecated) Has no effect.
-
references
array[string] Required Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
related_integrations
array[object] Required Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
integration
string(nonempty) A string that does not contain only whitespace characters
Minimum length is
1. -
package
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1. -
version
string(nonempty) Required A string that does not contain only whitespace characters
Minimum length is
1.
-
required_fields
array[object] Required Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
response_actions
array[object] One of: Hide attributes Show attributes
-
action_type_id
string Required Value is
.osquery. -
params
object Required Hide params attributes Show params attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id
string To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
queries
array[object] Hide queries attributes Show queries attributes object
-
ecs_mapping
object Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
id
string Required Query ID
-
platform
string -
query
string Required Query to run
-
removed
boolean -
snapshot
boolean -
version
string Query version
-
-
query
string To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
saved_query_id
string To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
timeout
number A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
action_type_id
string Required Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
command
string Required To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
comment
string Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
config
object Required
-
-
-
risk_score
integer Required A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
risk_score_mapping
array[object] Required Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
field
string Required Source event field used to override the default
risk_score. -
operator
string Required Value is
equals. -
risk_score
integer A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
value
string Required
-
-
rule_name_override
string Sets which field in the source event is used to populate the alert's
signal.rule.namevalue (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’snamevalue is used. The source field must be a string data type. -
setup
string Required Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
severity_mapping
array[object] Required Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
field
string Required Source event field used to override the default
severity. -
operator
string Required Value is
equals. -
severity
string Required Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
value
string Required
-
-
tags
array[string] Required String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat
array[object] Required Currently, only threats described using the MITRE ATT&CK™ framework are supported.
Hide threat attributes Show threat attributes object
-
framework
string Required Relevant attack framework
-
tactic
object Required Object containing information on the attack type
-
technique
array[object] Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
id
string Required Technique ID
-
name
string Required Technique name
-
reference
string Required Technique reference
-
subtechnique
array[object] Array containing more specific information on the attack technique.
-
-
-
timeline_id
string Timeline template ID
-
timeline_title
string Timeline template title
-
timestamp_override
string Sets the time field used to query indices. When unspecified, rules query the
@timestampfield. The source field must be an Elasticsearch date data type. -
Disables the fallback to the event's @timestamp field
-
to
string Required -
version
integer Required The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
security_detection_engineFleet package that is used for distributing prebuilt rules). - For custom rules it is set to
1when the rule is created.
It is not incremented on each update. Compare this to the
revisionfield.Minimum value is
1. - For prebuilt rules it represents the version of the rule's content in the source detection-rules repository (and the corresponding
-
created_at
string(date-time) Required -
created_by
string Required -
execution_summary
object Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
last_execution
object Required Hide last_execution attributes Show last_execution attributes object
-
date
string(date-time) Required Date of the last execution
-
message
string Required -
metrics
object Required Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s
integer Duration in seconds of execution gap
Minimum value is
0. -
gap_range
object Range of the execution gap
-
total_enrichment_duration_ms
integer Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
total_indexing_duration_ms
integer Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
total_search_duration_ms
integer Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
status
string Required Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded. -
status_order
integer Required
-
-
-
id
string(uuid) Required A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object
ids. -
immutable
boolean Required Deprecated This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
revision
integer Required The rule's revision number.
It represents the version of rule's object in Kibana. It is set to
0when the rule is installed or created and then gets incremented on each update.Not all updates to any rule fields will increment the revision. Only those fields that are considered static
rule parameterscan trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by1. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.Minimum value is
0. -
rule_id
string Required A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids. rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
is_customized
boolean Required Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
type
string Required Discriminator Value is
external.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
type
string Required Discriminator Value is
internal.
-
-
updated_at
string(date-time) Required -
updated_by
string Required -
alert_suppression
object Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration
object -
group_by
array[string] Required At least
1but not more than3elements. -
missing_fields_strategy
string Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
-
language
string Required Value is
esql. -
query
string Required Query used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to Create ES|QL rules for more information.
-
type
string Required Rule type
Value is
esql.
Hide attributes Show attributes
-
error
object Required Hide error attributes Show error attributes object
-
message
string Required -
status_code
integer Required Minimum value is
400.
-
-
id
string -
item_id
string Minimum length is
1. -
list_id
string Minimum length is
1. -
rule_id
string A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same
rule_ids.
-
curl \
--request POST 'https://localhost:5601/api/detection_engine/rules/_bulk_create' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '[{"from":"now-6m","name":"MS Office child process","tags":["child process","ms office"],"type":"query","query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE","enabled":false,"filters":[{"query":{"match":{"event.action":{"type":"phrase","query":"Process Create (rule: ProcessCreate)"}}}}],"rule_id":"process_started_by_ms_office_program_possible_payload","interval":"5m","language":"kuery","severity":"low","risk_score":50,"description":"Process started by MS Office program - possible payload"},{"from":"now-6m","name":"Second bulk rule","type":"query","query":"user.name: root or user.name: admin","rule_id":"query-rule-id-2","severity":"low","risk_score":2,"description":"Query with a rule_id for referencing an external id"}]'[
{
"from": "now-6m",
"name": "MS Office child process",
"tags": [
"child process",
"ms office"
],
"type": "query",
"query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
"enabled": false,
"filters": [
{
"query": {
"match": {
"event.action": {
"type": "phrase",
"query": "Process Create (rule: ProcessCreate)"
}
}
}
}
],
"rule_id": "process_started_by_ms_office_program_possible_payload",
"interval": "5m",
"language": "kuery",
"severity": "low",
"risk_score": 50,
"description": "Process started by MS Office program - possible payload"
},
{
"from": "now-6m",
"name": "Second bulk rule",
"type": "query",
"query": "user.name: root or user.name: admin",
"rule_id": "query-rule-id-2",
"severity": "low",
"risk_score": 2,
"description": "Query with a rule_id for referencing an external id"
}
][
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "Detects anomalous Windows process creation events.",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 100,
"meta": {},
"name": "Anomalous Windows Process Creation",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"package": "azure",
"version": "~1.1.6",
"integration": "activitylogs"
}
],
"required_fields": [
{
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00Z",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00Z",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
]