Update a detection rule

Update a detection rule using the rule_id or id field. The original rule is replaced, and all unspecified fields are deleted, so an update must resend every field that should survive. You cannot modify the id or rule_id values.
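The replace semantics above (an update deletes every field that is not in the body) are easy to get wrong from a script: a body that only bumps the risk score would also drop the rule's exception lists and actions. The following is an added example, not code from this page or from Elastic. It builds a PUT body by merging the change over a full copy of the stored rule, reports what a partial body would have deleted, and checks the result against constraints quoted from this reference (non-blank strings, risk_score 0 to 100, the severity and throttle enums, the missing_fields_strategy enum, the exception type enum, and the immutable id and rule_id). The stored rule is constructed; the key names the page does not spell out (name, severity, the frequency keys notifyWhen/summary/throttle, the exception item keys id/list_id/namespace_type/type) are assumptions about the Elastic Security API, and the HTTP call itself is left out so the example runs offline.

```python
import copy
import re

# Constraints quoted from the reference on this page.
NON_BLANK = re.compile(r"^(?! *$).+$")      # "not empty and not only whitespace"
SEVERITIES = {"low", "medium", "high", "critical"}
NOTIFY_WHEN = {"onActiveAlert", "onThrottleInterval", "onActionGroupChange"}
MISSING_FIELDS = {"doNotSuppress", "suppress"}
EXCEPTION_TYPES = {"detection", "rule_default", "endpoint", "endpoint_trusted_apps",
                   "endpoint_events", "endpoint_host_isolation_exceptions",
                   "endpoint_blocklists"}
IMMUTABLE = ("id", "rule_id")               # an update cannot change these

# Constructed sample of a stored rule, shaped like a GET of the rule. Keys the
# page does not spell out (name, severity, frequency.*, the exception item
# keys) are assumptions about the Elastic Security API.
CURRENT_RULE = {
    "id": "11111111-2222-4333-8444-555555555555",    # placeholder UUID
    "rule_id": "example-sudo-by-service-account",     # constructed
    "type": "query",
    "language": "kuery",
    "query": "event.category:process and process.name:sudo",
    "index": ["logs-*"],
    "name": "Example: sudo by service account",       # key name assumed
    "risk_score": 47,
    "severity": "medium",                             # key name assumed
    "enabled": True,
    "interval": "5m",
    "from": "now-6m",
    "max_signals": 100,
    "version": 3,
    "exceptions_list": [{"id": "exc-placeholder", "list_id": "exc-list-placeholder",
                         "namespace_type": "single", "type": "detection"}],
    "actions": [{"group": "default", "id": "connector-placeholder",
                 "params": {"message": "rule fired"},
                 "frequency": {"notifyWhen": "onActiveAlert", "summary": True,
                               "throttle": None}}],
}

def dropped_fields(current, body):
    """Fields in the stored rule that the PUT body omits. The update replaces
    the whole rule, so every one of these would be deleted."""
    return sorted(k for k in current if k not in body)

def build_update_body(current, changes):
    """Merge changes over a full copy of the stored rule so nothing is lost,
    refusing any attempt to modify id or rule_id."""
    for key in IMMUTABLE:
        if key in changes and changes[key] != current.get(key):
            raise ValueError(f"{key} cannot be modified by an update")
    body = copy.deepcopy(current)
    body.update(copy.deepcopy(changes))
    return body

def validate_update_body(body):
    """Check a body against constraints stated on this page; returns the list
    of problems found (empty means the body passes)."""
    problems = []

    def is_int(v):
        return isinstance(v, int) and not isinstance(v, bool)

    def non_blank(path, v):
        if not isinstance(v, str) or not NON_BLANK.match(v):
            problems.append(f"{path}: must be a non-blank string")

    non_blank("rule_id", body.get("rule_id"))
    score = body.get("risk_score")
    if not is_int(score) or not 0 <= score <= 100:
        problems.append("risk_score: must be an integer from 0 to 100")
    if body.get("severity") not in SEVERITIES:
        problems.append(f"severity: must be one of {sorted(SEVERITIES)}")
    for key in ("max_signals", "version"):          # page: minimum value is 1
        if key in body and (not is_int(body[key]) or body[key] < 1):
            problems.append(f"{key}: must be an integer >= 1")
    for i, item in enumerate(body.get("exceptions_list", [])):
        if item.get("type") not in EXCEPTION_TYPES:
            problems.append(f"exceptions_list[{i}].type: unknown exception type")
        if item.get("namespace_type") not in {"agnostic", "single"}:  # key assumed
            problems.append(f"exceptions_list[{i}].namespace_type: agnostic or single")
    for i, action in enumerate(body.get("actions", [])):
        if (action.get("frequency") or {}).get("notifyWhen") not in NOTIFY_WHEN:
            problems.append(f"actions[{i}].frequency.notifyWhen: bad throttle condition")
    strategy = (body.get("alert_suppression") or {}).get("missing_fields_strategy")
    if strategy is not None and strategy not in MISSING_FIELDS:
        problems.append("alert_suppression.missing_fields_strategy: doNotSuppress or suppress")
    return problems

if __name__ == "__main__":
    # A "just raise the risk score" body would delete everything it omits.
    partial = {"rule_id": CURRENT_RULE["rule_id"], "risk_score": 73}
    print("would be deleted:", dropped_fields(CURRENT_RULE, partial))
    full = build_update_body(CURRENT_RULE, {"risk_score": 73, "severity": "high"})
    print("problems:", validate_update_body(full))    # [] means safe to PUT
```

The merge-then-validate order matters: validating the partial body would pass (its rule_id and risk_score are fine) while the resulting PUT would still strip the rule's exceptions and notification actions, which is why dropped_fields runs on whatever body is about to be sent.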
Body object (required)

The body is one of several rule-type variants. Every variant accepts the common fields listed here; the fields specific to each rule type follow.

Common fields

- actions array[object]. Attributes:
  - The action type used for sending notifications.
  - alerts_filter object. Additional properties are allowed.
  - frequency object. The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). Additional properties are allowed. Attributes:
    - The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval. Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
    - Action summary: indicates whether one summary notification is sent about all generated alerts, or one notification per individual alert.
  - group string. Optionally groups actions by use case. Use default for alert notifications.
  - The connector ID.
  - Object containing the allowed connector fields, which vary according to the connector type. Additional properties are allowed.
  - uuid string. A string that is not empty and does not contain only whitespace. Minimum length is 1; format must match the pattern ^(?! *$).+$.
- alias_purpose string. Values are savedObjectConversion or savedObjectImport.
- alias_target_id string.
- author array[string].
- building_block_type string. Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
- A string field; minimum length is 1.
- enabled boolean. Determines whether the rule is enabled.
- exceptions_list array[object]. Attributes:
  - A string that is not empty and does not contain only whitespace. Minimum length is 1; format must match the pattern ^(?! *$).+$.
  - A string that is not empty and does not contain only whitespace. Minimum length is 1; format must match the pattern ^(?! *$).+$.
  - Determines the exception's validity in the rule's Kibana space. Values are agnostic or single.
  - The exception type. Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
- false_positives array[string].
- from string(date-math). Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
- id string(uuid). A universally unique identifier.
- interval string. Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
- investigation_fields object. Schema for fields relating to investigation fields. These are user-defined fields that the UI highlights in various features, such as the alert details flyout and exception auto-population from an alert. Added in PR #163235. Right now there is only a single field, but more related fields are anticipated to store configuration states such as override, where a user might say whether they want only these fields displayed, or these fields plus the fields selected by default. When expanded, it may look something like:
  const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
  Additional properties are allowed. Attribute:
  - An array of strings that are not empty and do not contain only whitespace. At least 1 element; minimum length of each is 1; each must match the pattern ^(?! *$).+$.
- license string. The rule's license.
- max_signals integer. Minimum value is 1.
- meta object. Additional properties are allowed.
- A string field; minimum length is 1.
- namespace string. Has no effect.
- note string. Notes to help investigate alerts produced by the rule.
- outcome string. Values are exactMatch, aliasMatch, or conflict.
- (deprecated) Has no effect.
- references array[string].
- related_integrations array[object]. Attributes:
  - integration string. A string that is not empty and does not contain only whitespace. Minimum length is 1; format must match the pattern ^(?! *$).+$.
  - A string that is not empty and does not contain only whitespace. Minimum length is 1; format must match the pattern ^(?! *$).+$.
  - A string that is not empty and does not contain only whitespace. Minimum length is 1; format must match the pattern ^(?! *$).+$.
- required_fields array[object]. Attributes:
  - A string that is not empty and does not contain only whitespace. Minimum length is 1; format must match the pattern ^(?! *$).+$.
  - A string that is not empty and does not contain only whitespace. Minimum length is 1; format must match the pattern ^(?! *$).+$.
- response_actions array[object]. One of the following; the osquery variant has these attributes:
  - Value is .osquery.
  - params object. Additional properties are allowed. Attributes:
    - ecs_mapping object
    - pack_id string
    - queries array[object]
    - query string
    - saved_query_id string
    - timeout number
- risk_score. Risk score (0 to 100). Minimum value is 0, maximum value is 100.
- risk_score_mapping array[object]. Overrides generated alerts' risk_score with a value from the source event. Attributes:
  - Value is equals.
  - risk_score integer. Risk score (0 to 100). Minimum value is 0, maximum value is 100.
- rule_id string. Could be any string, not necessarily a UUID.
- rule_name_override string. Sets the source field for the alert's signal.rule.name value.
- setup string.
- severity. Severity of the rule. Values are low, medium, high, or critical.
- severity_mapping array[object]. Overrides generated alerts' severity with values from the source event.
- tags array[string]. String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
- threat array[object]. Attributes:
  - Relevant attack framework.
  - Object; additional properties are allowed.
  - technique array[object]. Array containing information on the attack techniques (optional). Attributes:
    - Technique ID.
    - Technique name.
    - Technique reference.
    - subtechnique array[object]. Array containing more specific information on the attack technique.
- timeline_id string. Timeline template ID.
- timeline_title string. Timeline template title.
- timestamp_override string. Sets the time field used to query indices.
- Disables the fallback to the event's @timestamp field.
- to string.
- version integer. The rule's version number. Minimum value is 1.
Rule type: eql

In addition to the common fields above, this variant has:

- language. Query language to use. Value is eql.
- query. EQL query to execute.
- Rule type. Value is eql.
- alert_suppression object. Additional properties are allowed. Attributes:
  - duration object. Additional properties are allowed.
  - An array with at least 1 but not more than 3 elements.
  - missing_fields_strategy string. Describes how alerts are generated for documents that are missing the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress creates only one alert per suppress-by bucket. Values are doNotSuppress or suppress.
- data_view_id string.
- event_category_override string.
- filters array.
- index array[string].
- tiebreaker_field string. Sets a secondary field for sorting events.
- timestamp_field string. Contains the event timestamp used for sorting a sequence of events.
Rule type: query

In addition to the common fields above, this variant has:

- Rule type. Value is query.
- alert_suppression object. Additional properties are allowed. Attributes:
  - duration object. Additional properties are allowed.
  - An array with at least 1 but not more than 3 elements.
  - missing_fields_strategy string. Describes how alerts are generated for documents that are missing the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress creates only one alert per suppress-by bucket. Values are doNotSuppress or suppress.
- data_view_id string.
- filters array.
- index array[string].
- saved_id string.
- language string. Values are kuery or lucene.
- query string. EQL query to execute.
Rule type: saved_query

In addition to the common fields above, this variant has:

- Rule type. Value is saved_query.
- alert_suppression object. Additional properties are allowed. Attributes:
  - duration object. Additional properties are allowed.
  - An array with at least 1 but not more than 3 elements.
  - missing_fields_strategy string. Describes how alerts are generated for documents that are missing the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress creates only one alert per suppress-by bucket. Values are doNotSuppress or suppress.
- data_view_id string.
- filters array.
- index array[string].
- query string. EQL query to execute.
- language string. Values are kuery or lucene.
Rule type: threshold

In addition to the common fields above, this variant has:

- query. EQL query to execute.
- threshold object. Additional properties are allowed. Attributes:
  - cardinality array[object].
  - field string | array[string] (required). Field to aggregate on.
  - Threshold value. Minimum value is 1.
- Rule type. Value is threshold.
- alert_suppression object. Additional properties are allowed.
- data_view_id string.
- filters array.
- index array[string].
- saved_id string.
- language string. Values are kuery or lucene.
actions array[object]
-
The action type used for sending notifications.
-
alerts_filter object
Additional properties are allowed.
-
frequency object
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Additional properties are allowed.
-
The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval.
Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
-
Action summary indicates whether a single summary notification is sent for all the generated alerts or a separate notification is sent per individual alert.
-
-
group string
Optionally groups actions by use cases. Use default for alert notifications.
-
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
Additional properties are allowed.
-
uuid string
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
-
alias_purpose string
Values are savedObjectConversion or savedObjectImport.
-
alias_target_id string
-
author array[string]
-
building_block_type string
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
Minimum length is 1.
-
enabled boolean
Determines whether the rule is enabled.
-
exceptions_list array[object]
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
Determines whether the exception list is valid in a single Kibana space or across all spaces.
Values are agnostic or single.
-
The exception type.
Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
-
-
false_positives array[string]
-
from string(date-math)
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
id string(uuid)
A universally unique identifier
-
interval string
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields object
User-defined fields that are highlighted in UI features such as the alert details flyout and exception auto-population from an alert (added in PR #163235). The object currently has a single attribute, field_names; related configuration such as an override flag (show only these fields, or these fields plus the defaults) may be added later, roughly: const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
Additional properties are allowed.
-
field_names array[string]
Strings that are not empty and do not contain only whitespace.
At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$
-
-
license string
The rule's license.
-
max_signals integer
Minimum value is 1.
-
meta object
Additional properties are allowed.
-
Minimum length is 1.
-
namespace string
Has no effect.
-
note string
Notes to help investigate alerts produced by the rule.
-
outcome string
Values are exactMatch, aliasMatch, or conflict.
-
(deprecated) Has no effect.
-
references array[string]
-
related_integrations array[object]
-
integration string
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
-
required_fields array[object]
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
-
response_actions array[object]
One of:
-
Value is .osquery.
-
params object
Additional properties are allowed.
-
ecs_mapping object
-
pack_id string
-
queries array[object]
-
query string
-
saved_query_id string
-
timeout number
-
-
-
Risk score (0 to 100)
Minimum value is 0, maximum value is 100.
-
risk_score_mapping array[object]
Overrides the generated alert's risk_score with a value taken from the source event
-
Value is equals.
-
risk_score integer
Risk score (0 to 100)
Minimum value is 0, maximum value is 100.
-
rule_id string
Could be any string, not necessarily a UUID
-
rule_name_override string
Sets the source field for the alert's signal.rule.name value
-
setup string
-
Severity of the rule
Values are low, medium, high, or critical.
-
severity_mapping array[object]
Overrides generated alerts' severity with values from the source event
-
tags array[string]
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
threat array[object]
-
Relevant attack framework
-
Additional properties are allowed.
-
technique array[object]
Array containing information on the attack techniques (optional)
-
Technique ID
-
Technique name
-
Technique reference
-
subtechnique array[object]
Array containing more specific information on the attack technique
-
-
-
timeline_id string
Timeline template ID
-
timeline_title string
Timeline template title
-
timestamp_override string
Sets the time field used to query indices
-
Disables the fallback to the event's @timestamp field when the timestamp_override field is missing from a document
-
to string
-
version integer
The rule's version number.
Minimum value is 1.
-
EQL query to execute
-
threat_mapping array[object]
At least 1 element.
-
entries array[object]
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
Value is mapping.
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
-
-
Query to run
-
Rule type
Value is threat_match.
-
alert_suppression object
Additional properties are allowed.
-
duration object
Additional properties are allowed.
-
At least 1 but not more than 3 elements.
-
missing_fields_strategy string
Describes how alerts are generated for documents that lack one or more of the suppress-by fields: doNotSuppress creates a separate alert for each such document; suppress groups them into a suppression bucket and creates only one alert for the bucket.
Values are doNotSuppress or suppress.
-
-
concurrent_searches integer
Minimum value is 1.
-
data_view_id string
-
filters array
-
index array[string]
-
items_per_search integer
Minimum value is 1.
-
saved_id string
-
threat_filters array
Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
-
threat_indicator_path string
Defines the path to the threat indicator in the indicator documents (optional)
-
threat_language string
Values are kuery or lucene.
-
language string
Values are kuery or lucene.
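Two constructed update bodies, one for the threshold type described earlier on this page and one for the threat_match type with alert_suppression described just above, together with a check against the constraints this page states: version at least 1, risk_score between 0 and 100, threshold value and cardinality value at least 1, at least one threat_mapping whose entries have type mapping and non-empty field and value strings, group_by of 1 to 3 elements, and the two missing_fields_strategy values. This is an added example, not code from this page or from Elastic. The rule_id values and index patterns are made up, and the JSON property names that this page's rendering dropped (type, name, query, severity, threshold.field and threshold.value, threat_index, threat_query, entries.field and entries.value, group_by, duration.value and duration.unit) are assumed from the API's request body rather than shown here. build_replacement reflects the update semantics: the request replaces the whole rule, so any field left out of the body is deleted from the rule; the response-only field names it strips are also assumed.

```python
import re

# Constraints copied from the schema on this page.
NON_EMPTY = re.compile(r"^(?! *$).+$")        # not empty, not only whitespace
SEVERITIES = {"low", "medium", "high", "critical"}
SUPPRESSION_STRATEGIES = {"doNotSuppress", "suppress"}

# Constructed body for a threshold rule: one source.ip failing to authenticate as
# 5 or more distinct user names. Property names not shown on this page are assumed.
THRESHOLD_UPDATE = {
    "rule_id": "example-password-spray",            # assumed identifier
    "version": 2,
    "type": "threshold",
    "name": "Password spraying from a single source",
    "severity": "high",
    "risk_score": 73,
    "query": "event.category:authentication and event.outcome:failure",
    "threshold": {"field": ["source.ip"], "value": 1,
                  "cardinality": [{"field": "user.name", "value": 5}]},
}

# Constructed body for a threat_match rule: destination.ip matched against an
# indicator index, with repeat alerts suppressed per host for an hour.
# threat_index and threat_query are required by the API but not on this page.
THREAT_MATCH_UPDATE = {
    "rule_id": "example-indicator-match",           # assumed identifier
    "version": 3,
    "type": "threat_match",
    "name": "Connection to a known-bad IP",
    "severity": "critical",
    "risk_score": 99,
    "query": "destination.ip:*",
    "threat_index": ["logs-ti_*"],                  # assumed index pattern
    "threat_query": "threat.indicator.type:ipv4-addr",
    "threat_language": "kuery",
    "threat_mapping": [{"entries": [{"field": "destination.ip", "type": "mapping",
                                     "value": "threat.indicator.ip"}]}],
    "alert_suppression": {"group_by": ["host.name", "destination.ip"],
                          "duration": {"value": 1, "unit": "h"},
                          "missing_fields_strategy": "suppress"},
}


def validate_update(body: dict) -> list[str]:
    """Return the constraints from this page that `body` violates (empty if none)."""
    errors: list[str] = []

    def minimum_one(path: str, value) -> None:
        if value is not None and value < 1:
            errors.append(f"{path}: minimum value is 1")

    def nonempty(path: str, value) -> None:
        if not isinstance(value, str) or not NON_EMPTY.match(value):
            errors.append(f"{path}: must be a non-empty, non-whitespace string")

    minimum_one("version", body.get("version"))
    if not 0 <= body.get("risk_score", 0) <= 100:
        errors.append("risk_score: minimum value is 0, maximum value is 100")
    if body.get("severity") not in SEVERITIES:
        errors.append("severity: values are low, medium, high, or critical")

    if body.get("type") == "threshold":
        threshold = body.get("threshold", {})
        minimum_one("threshold.value", threshold.get("value"))
        for i, card in enumerate(threshold.get("cardinality", [])):
            minimum_one(f"threshold.cardinality[{i}].value", card.get("value"))

    if body.get("type") == "threat_match":
        mappings = body.get("threat_mapping", [])
        if not mappings:
            errors.append("threat_mapping: at least 1 element")
        for i, mapping in enumerate(mappings):
            for j, entry in enumerate(mapping.get("entries", [])):
                prefix = f"threat_mapping[{i}].entries[{j}]"
                nonempty(f"{prefix}.field", entry.get("field"))
                nonempty(f"{prefix}.value", entry.get("value"))
                if entry.get("type") != "mapping":
                    errors.append(f"{prefix}.type: value is mapping")

    suppression = body.get("alert_suppression")
    if suppression is not None:
        if not 1 <= len(suppression.get("group_by", [])) <= 3:
            errors.append("alert_suppression.group_by: at least 1 but not more than 3 elements")
        if suppression.get("missing_fields_strategy", "suppress") not in SUPPRESSION_STRATEGIES:
            errors.append("alert_suppression.missing_fields_strategy: values are doNotSuppress or suppress")
    return errors


def build_replacement(existing: dict, changes: dict) -> dict:
    """The update replaces the whole rule and deletes every field that is not
    sent, so start from the full rule as returned by GET, apply the changes and
    bump version. The response-only fields stripped here are assumed names."""
    response_only = {"created_at", "created_by", "updated_at", "updated_by",
                     "immutable", "revision", "execution_summary"}
    body = {key: value for key, value in existing.items() if key not in response_only}
    body.update(changes)
    body["version"] = existing.get("version", 1) + 1
    return body
```

Run validate_update before sending, and build the body from a fresh GET of the rule rather than from a partial document: an update that carries only the fields being changed will drop the rule's actions and exceptions_list along with everything else it omits.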
-
actions array[object]
-
The action type used for sending notifications.
-
alerts_filter object
Additional properties are allowed.
-
frequency object
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Additional properties are allowed.
-
The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval.
Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.
-
Action summary indicates whether a single summary notification is sent for all the generated alerts or a separate notification is sent per individual alert.
-
-
group string
Optionally groups actions by use cases. Use default for alert notifications.
-
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
Additional properties are allowed.
-
uuid string
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
-
alias_purpose string
Values are savedObjectConversion or savedObjectImport.
-
alias_target_id string
-
author array[string]
-
building_block_type string
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
Minimum length is 1.
-
enabled boolean
Determines whether the rule is enabled.
-
exceptions_list array[object]
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
Determines whether the exception list is valid in a single Kibana space or across all spaces.
Values are agnostic or single.
-
The exception type.
Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
-
-
false_positives array[string]
-
from string(date-math)
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
id string(uuid)
A universally unique identifier
-
interval string
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
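The from and interval fields above are where a rule acquires blind spots: each run queries the window from the from expression up to its start time, so if the lookback is shorter than the interval, events that arrive between two consecutive windows are never evaluated, and a lookback exactly equal to the interval leaves no margin for ingest delay. The following is an added example, not code from this page or from Elastic: it parses the date-math forms the page shows (now-6m, now-4200s, 5m, 1h) into seconds, applies the defaults the page states when a field is omitted, and reports the overlap or gap between runs. Only fixed-length units (s, m, h, d) are handled; rounding and other date-math forms are outside this check.

```python
import re
from dataclasses import dataclass

# Fixed-length units of the date-math expressions accepted by `from` and
# `interval` on this page. Date math also allows larger units and rounding
# (for example now/d); those forms are outside what this check needs.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_INTERVAL_RE = re.compile(r"^(\d+)([smhd])$")
_FROM_RE = re.compile(r"^now(?:-(\d+)([smhd]))?$")


def parse_interval(interval: str) -> int:
    """'5m' -> 300, '1h' -> 3600: how often the rule runs, in seconds."""
    match = _INTERVAL_RE.match(interval)
    if not match:
        raise ValueError(f"unsupported interval: {interval!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def parse_from(from_expr: str) -> int:
    """'now-4200s' -> 4200: how far before its start time each run looks back."""
    match = _FROM_RE.match(from_expr)
    if not match:
        raise ValueError(f"unsupported from expression: {from_expr!r}")
    if match.group(1) is None:      # bare "now": no lookback at all
        return 0
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


@dataclass(frozen=True)
class Schedule:
    interval_s: int
    lookback_s: int

    @property
    def additional_lookback_s(self) -> int:
        """Overlap between consecutive runs in seconds; negative means a blind spot."""
        return self.lookback_s - self.interval_s

    @property
    def has_gap(self) -> bool:
        """True when each run starts after the previous run's window ended, so
        events landing in between are never queried by this rule."""
        return self.additional_lookback_s < 0


def schedule_from_rule(rule: dict) -> Schedule:
    """Read `from` and `interval` from an update body, applying the defaults
    stated on this page (now-6m and 5m) when a field is omitted."""
    return Schedule(
        interval_s=parse_interval(rule.get("interval", "5m")),
        lookback_s=parse_from(rule.get("from", "now-6m")),
    )


if __name__ == "__main__":
    for body in ({}, {"from": "now-4200s", "interval": "1h"}, {"from": "now-1m"}):
        sched = schedule_from_rule(body)
        state = "GAP" if sched.has_gap else f"overlap {sched.additional_lookback_s}s"
        print(body, "->", state)
```

With the page's defaults the rule looks back 6 minutes and runs every 5, giving one minute of overlap; a body that sets from to now-1m while keeping the default interval has a four-minute gap on every run.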
-
investigation_fields object
User-defined fields that are highlighted in UI features such as the alert details flyout and exception auto-population from an alert (added in PR #163235). The object currently has a single attribute, field_names; related configuration such as an override flag (show only these fields, or these fields plus the defaults) may be added later, roughly: const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
Additional properties are allowed.
-
field_names array[string]
Strings that are not empty and do not contain only whitespace.
At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$
-
-
license string
The rule's license.
-
max_signals integer
Minimum value is 1.
-
meta object
Additional properties are allowed.
-
Minimum length is 1.
-
namespace string
Has no effect.
-
note string
Notes to help investigate alerts produced by the rule.
-
outcome string
Values are exactMatch, aliasMatch, or conflict.
-
(deprecated) Has no effect.
-
references array[string]
-
related_integrations array[object]
-
integration string
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
A string that is not empty and does not contain only whitespace.
Minimum length is 1. Format should match the following pattern: ^(?! *$).+$
-
-
required_fields array[object]