Apply a bulk action to detection rules Beta
Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
Query parameters
-
dry_run boolean
Enables dry run mode for the request call.
Body object
-
Value is
duplicate
. -
duplicate object
Additional properties are allowed.
Hide duplicate attributes Show duplicate attributes object
-
Whether to copy exceptions from the original rule
-
Whether to copy expired exceptions from the original rule
-
-
ids array[string]
Array of rule IDs
At least
1
element. -
query string
Query to filter rules
-
Value is
edit
. -
Array of objects containing the edit operations
At least
1
element.Any of: Security_Detections_API_BulkActionEditPayloadTags object Security_Detections_API_BulkActionEditPayloadIndexPatterns object Security_Detections_API_BulkActionEditPayloadInvestigationFields object Security_Detections_API_BulkActionEditPayloadTimeline object Security_Detections_API_BulkActionEditPayloadRuleActions object Security_Detections_API_BulkActionEditPayloadSchedule objectHide attributes Show attributes
-
overwrite_data_views boolean
-
Values are
add_index_patterns
,delete_index_patterns
, orset_index_patterns
.
Hide attributes Show attributes
-
Values are
add_investigation_fields
,delete_investigation_fields
, orset_investigation_fields
. -
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as
override
- where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
Additional properties are allowed.
Hide value attribute Show value attribute object
-
A string that is not empty and does not contain only whitespace
At least
1
element. Minimum length of each is1
. Format of each should match the following pattern:^(?! *$).+$
.
-
Hide attributes Show attributes
-
Value is
set_timeline
. -
Additional properties are allowed.
Hide value attributes Show value attributes object
-
Timeline template ID
-
Timeline template title
-
Hide attributes Show attributes
-
Values are
add_rule_actions
orset_rule_actions
. -
Additional properties are allowed.
Hide value attributes Show value attributes object
-
Hide actions attributes Show actions attributes object
-
alerts_filter object
Additional properties are allowed.
-
frequency object
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Additional properties are allowed.
Hide frequency attributes Show frequency attributes object
-
The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
Values are
onActiveAlert
,onThrottleInterval
, oronActionGroupChange
. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group string
Optionally groups actions by use cases. Use
default
for alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
Additional properties are allowed.
-
-
throttle string
The condition for throttling the notification: 'rule', 'no_actions', or time duration
Values are
rule
,1h
,1d
, or7d
.
-
Hide attributes Show attributes
-
Value is
set_schedule
. -
Additional properties are allowed.
Hide value attributes Show value attributes object
-
-
ids array[string]
Array of rule IDs
At least
1
element. -
query string
Query to filter rules
Responses
-
200 application/json; Elastic-Api-Version=2023-10-31
OK
One of: Hide attributes Show attributes
-
Additional properties are allowed.
Hide attributes attributes Show attributes attributes object
-
errors array[object]
Hide errors attributes Show errors attributes object
-
err_code string
Values are
IMMUTABLE
,MACHINE_LEARNING_AUTH
,MACHINE_LEARNING_INDEX_PATTERN
,ESQL_INDEX_PATTERN
,MANUAL_RULE_RUN_FEATURE
, orMANUAL_RULE_RUN_DISABLED_RULE
.
-
-
Additional properties are allowed.
Hide results attributes Show results attributes object
-
Any of: Security_Detections_API_EqlRuleResponseFields object Security_Detections_API_QueryRuleResponseFields object Security_Detections_API_SavedQueryRuleResponseFields object Security_Detections_API_ThresholdRuleResponseFields object Security_Detections_API_ThreatMatchRuleResponseFields object Security_Detections_API_MachineLearningRuleResponseFields object Security_Detections_API_NewTermsRuleResponseFields object Security_Detections_API_EsqlRuleResponseFields objectHide attributes Show attributes
-
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications.
-
alerts_filter object
Additional properties are allowed.
-
frequency object
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Additional properties are allowed.
Hide frequency attributes Show frequency attributes object
-
The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
Values are
onActiveAlert
,onThrottleInterval
, oronActionGroupChange
. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group string
Optionally groups actions by use cases. Use
default
for alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
Additional properties are allowed.
-
uuid string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
alias_purpose string
Values are
savedObjectConversion
orsavedObjectImport
. -
alias_target_id string
-
building_block_type string
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
Minimum length is
1
. -
Determines whether the rule is enabled.
-
Hide exceptions_list attributes Show exceptions_list attributes object
-
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
Determines the exceptions validity in rule's Kibana space
Values are
agnostic
orsingle
. -
The exception type
Values are
detection
,rule_default
,endpoint
,endpoint_trusted_apps
,endpoint_events
,endpoint_host_isolation_exceptions
, orendpoint_blocklists
.
-
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as
override
- where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
-
A string that is not empty and does not contain only whitespace
At least
1
element. Minimum length of each is1
. Format of each should match the following pattern:^(?! *$).+$
.
-
-
license string
The rule's license.
-
Minimum value is
1
. -
meta object
Additional properties are allowed.
-
Minimum length is
1
. -
namespace string
Has no effect.
-
note string
Notes to help investigate alerts produced by the rule.
-
outcome string
Values are
exactMatch
,aliasMatch
, orconflict
. -
(deprecated) Has no effect.
-
Hide related_integrations attributes Show related_integrations attributes object
-
integration string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
Hide required_fields attributes Show required_fields attributes object
-
Whether the field is an ECS field
-
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
response_actions array[object]
One of: Hide attributes Show attributes
-
Value is
.osquery
. -
Additional properties are allowed.
Hide params attributes Show params attributes object
-
ecs_mapping object
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id string
-
queries array[object]
Hide queries attributes Show queries attributes object
-
query string
-
saved_query_id string
-
timeout number
-
Hide attributes Show attributes
-
-
Risk score (0 to 100)
Minimum value is
0
, maximum value is100
. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals
. -
risk_score integer
Risk score (0 to 100)
Minimum value is
0
, maximum value is100
.
-
rule_name_override string
Sets the source field for the alert's signal.rule.name value
-
Severity of the rule
Values are
low
,medium
,high
, orcritical
. -
Overrides generated alerts' severity with values from the source event
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Additional properties are allowed.
-
technique array[object]
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
subtechnique array[object]
Array containing more specific information on the attack technique
-
-
-
timeline_id string
Timeline template ID
-
timeline_title string
Timeline template title
-
timestamp_override string
Sets the time field used to query indices
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1
. -
execution_summary object
Additional properties are allowed.
Hide execution_summary attribute Show execution_summary attribute object
-
Additional properties are allowed.
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Additional properties are allowed.
Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s integer
Duration in seconds of execution gap
Minimum value is
0
. -
total_enrichment_duration_ms integer
Total time spent enriching documents during current rule execution cycle
Minimum value is
0
. -
total_indexing_duration_ms integer
Total time spent indexing documents during current rule execution cycle
Minimum value is
0
. -
total_search_duration_ms integer
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0
.
-
-
Status of the last execution
Values are
going to run
,running
,partial failure
,failed
, orsucceeded
.
-
-
-
A universally unique identifier
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_source
field. -
Minimum value is
0
. -
Could be any string, not necessarily a UUID
rule_source object Required
Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
Value is
external
.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
Value is
internal
.
-
-
Query language to use
Value is
eql
. -
EQL query to execute
-
Rule type
Value is
eql
. -
alert_suppression object
Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration object
Additional properties are allowed.
-
At least
1
but not more than3
elements. -
missing_fields_strategy string
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppress
orsuppress
.
-
-
data_view_id string
-
event_category_override string
-
filters array
-
index array[string]
-
tiebreaker_field string
Sets a secondary field for sorting events
-
timestamp_field string
Contains the event timestamp used for sorting a sequence of events
Hide attributes Show attributes
-
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications.
-
alerts_filter object
Additional properties are allowed.
-
frequency object
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Additional properties are allowed.
Hide frequency attributes Show frequency attributes object
-
The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
Values are
onActiveAlert
,onThrottleInterval
, oronActionGroupChange
. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group string
Optionally groups actions by use cases. Use
default
for alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
Additional properties are allowed.
-
uuid string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
alias_purpose string
Values are
savedObjectConversion
orsavedObjectImport
. -
alias_target_id string
-
building_block_type string
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
Minimum length is
1
. -
Determines whether the rule is enabled.
-
Hide exceptions_list attributes Show exceptions_list attributes object
-
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
Determines the exceptions validity in rule's Kibana space
Values are
agnostic
orsingle
. -
The exception type
Values are
detection
,rule_default
,endpoint
,endpoint_trusted_apps
,endpoint_events
,endpoint_host_isolation_exceptions
, orendpoint_blocklists
.
-
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as
override
- where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
-
A string that is not empty and does not contain only whitespace
At least
1
element. Minimum length of each is1
. Format of each should match the following pattern:^(?! *$).+$
.
-
-
license string
The rule's license.
-
Minimum value is
1
. -
meta object
Additional properties are allowed.
-
Minimum length is
1
. -
namespace string
Has no effect.
-
note string
Notes to help investigate alerts produced by the rule.
-
outcome string
Values are
exactMatch
,aliasMatch
, orconflict
. -
(deprecated) Has no effect.
-
Hide related_integrations attributes Show related_integrations attributes object
-
integration string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
Hide required_fields attributes Show required_fields attributes object
-
Whether the field is an ECS field
-
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
response_actions array[object]
One of: Hide attributes Show attributes
-
Value is
.osquery
. -
Additional properties are allowed.
Hide params attributes Show params attributes object
-
ecs_mapping object
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id string
-
queries array[object]
Hide queries attributes Show queries attributes object
-
query string
-
saved_query_id string
-
timeout number
-
Hide attributes Show attributes
-
-
Risk score (0 to 100)
Minimum value is
0
, maximum value is100
. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals
. -
risk_score integer
Risk score (0 to 100)
Minimum value is
0
, maximum value is100
.
-
rule_name_override string
Sets the source field for the alert's signal.rule.name value
-
Severity of the rule
Values are
low
,medium
,high
, orcritical
. -
Overrides generated alerts' severity with values from the source event
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Additional properties are allowed.
-
technique array[object]
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
subtechnique array[object]
Array containing more specific information on the attack technique
-
-
-
timeline_id string
Timeline template ID
-
timeline_title string
Timeline template title
-
timestamp_override string
Sets the time field used to query indices
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1
. -
execution_summary object
Additional properties are allowed.
Hide execution_summary attribute Show execution_summary attribute object
-
Additional properties are allowed.
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Additional properties are allowed.
Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s integer
Duration in seconds of execution gap
Minimum value is
0
. -
total_enrichment_duration_ms integer
Total time spent enriching documents during current rule execution cycle
Minimum value is
0
. -
total_indexing_duration_ms integer
Total time spent indexing documents during current rule execution cycle
Minimum value is
0
. -
total_search_duration_ms integer
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0
.
-
-
Status of the last execution
Values are
going to run
,running
,partial failure
,failed
, orsucceeded
.
-
-
-
A universally unique identifier
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_source
field. -
Minimum value is
0
. -
Could be any string, not necessarily a UUID
rule_source object Required
Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
Value is
external
.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
Value is
internal
.
-
-
Rule type
Value is
query
. -
alert_suppression object
Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration object
Additional properties are allowed.
-
At least
1
but not more than3
elements. -
missing_fields_strategy string
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppress
orsuppress
.
-
-
data_view_id string
-
filters array
-
index array[string]
-
saved_id string
-
Values are
kuery
orlucene
. -
EQL query to execute
Hide attributes Show attributes
-
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications.
-
alerts_filter object
Additional properties are allowed.
-
frequency object
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Additional properties are allowed.
Hide frequency attributes Show frequency attributes object
-
The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
Values are
onActiveAlert
,onThrottleInterval
, oronActionGroupChange
. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group string
Optionally groups actions by use cases. Use
default
for alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
Additional properties are allowed.
-
uuid string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
alias_purpose string
Values are
savedObjectConversion
orsavedObjectImport
. -
alias_target_id string
-
building_block_type string
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
Minimum length is
1
. -
Determines whether the rule is enabled.
-
Hide exceptions_list attributes Show exceptions_list attributes object
-
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
Determines the exceptions validity in rule's Kibana space
Values are
agnostic
orsingle
. -
The exception type
Values are
detection
,rule_default
,endpoint
,endpoint_trusted_apps
,endpoint_events
,endpoint_host_isolation_exceptions
, orendpoint_blocklists
.
-
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as
override
- where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
-
A string that is not empty and does not contain only whitespace
At least
1
element. Minimum length of each is1
. Format of each should match the following pattern:^(?! *$).+$
.
-
-
license string
The rule's license.
-
Minimum value is
1
. -
meta object
Additional properties are allowed.
-
Minimum length is
1
. -
namespace string
Has no effect.
-
note string
Notes to help investigate alerts produced by the rule.
-
outcome string
Values are
exactMatch
,aliasMatch
, orconflict
. -
(deprecated) Has no effect.
-
Hide related_integrations attributes Show related_integrations attributes object
-
integration string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
Hide required_fields attributes Show required_fields attributes object
-
Whether the field is an ECS field
-
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
response_actions array[object]
One of: Hide attributes Show attributes
-
Value is
.osquery
. -
Additional properties are allowed.
Hide params attributes Show params attributes object
-
ecs_mapping object
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id string
-
queries array[object]
Hide queries attributes Show queries attributes object
-
query string
-
saved_query_id string
-
timeout number
-
Hide attributes Show attributes
-
-
Risk score (0 to 100)
Minimum value is
0
, maximum value is100
. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals
. -
risk_score integer
Risk score (0 to 100)
Minimum value is
0
, maximum value is100
.
-
rule_name_override string
Sets the source field for the alert's signal.rule.name value
-
Severity of the rule
Values are
low
,medium
,high
, orcritical
. -
Overrides generated alerts' severity with values from the source event
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Additional properties are allowed.
-
technique array[object]
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
subtechnique array[object]
Array containing more specific information on the attack technique
-
-
-
timeline_id string
Timeline template ID
-
timeline_title string
Timeline template title
-
timestamp_override string
Sets the time field used to query indices
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1
. -
execution_summary object
Additional properties are allowed.
Hide execution_summary attribute Show execution_summary attribute object
-
Additional properties are allowed.
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Additional properties are allowed.
Hide metrics attributes Show metrics attributes object
-
execution_gap_duration_s integer
Duration in seconds of execution gap
Minimum value is
0
. -
total_enrichment_duration_ms integer
Total time spent enriching documents during current rule execution cycle
Minimum value is
0
. -
total_indexing_duration_ms integer
Total time spent indexing documents during current rule execution cycle
Minimum value is
0
. -
total_search_duration_ms integer
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0
.
-
-
Status of the last execution
Values are
going to run
,running
,partial failure
,failed
, orsucceeded
.
-
-
-
A universally unique identifier
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_source
field. -
Minimum value is
0
. -
Could be any string, not necessarily a UUID
rule_source object Required
Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
One of: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
Hide attributes Show attributes
-
Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
-
Value is
external
.
Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
Hide attribute Show attribute
-
Value is
internal
.
-
-
Rule type
Value is
saved_query
. -
alert_suppression object
Additional properties are allowed.
Hide alert_suppression attributes Show alert_suppression attributes object
-
duration object
Additional properties are allowed.
-
At least
1
but not more than3
elements. -
missing_fields_strategy string
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppress
orsuppress
.
-
-
data_view_id string
-
filters array
-
index array[string]
-
query string
EQL query to execute
-
Values are
kuery
orlucene
.
Hide attributes Show attributes
-
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications.
-
alerts_filter object
Additional properties are allowed.
-
frequency object
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Additional properties are allowed.
Hide frequency attributes Show frequency attributes object
-
The condition for throttling the notification:
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
Values are
onActiveAlert
,onThrottleInterval
, oronActionGroupChange
. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
group string
Optionally groups actions by use cases. Use
default
for alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
Additional properties are allowed.
-
uuid string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
alias_purpose string
Values are
savedObjectConversion
orsavedObjectImport
. -
alias_target_id string
-
building_block_type string
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
Minimum length is
1
. -
Determines whether the rule is enabled.
-
Hide exceptions_list attributes Show exceptions_list attributes object
-
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
Determines the exceptions validity in rule's Kibana space
Values are
agnostic
orsingle
. -
The exception type
Values are
detection
,rule_default
,endpoint
,endpoint_trusted_apps
,endpoint_events
,endpoint_host_isolation_exceptions
, orendpoint_blocklists
.
-
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
investigation_fields object
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as
override
- where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:const investigationFields = z.object({ field_names: NonEmptyArray(NonEmptyString), override: z.boolean().optional(), });
Additional properties are allowed.
Hide investigation_fields attribute Show investigation_fields attribute object
-
A string that is not empty and does not contain only whitespace
At least
1
element. Minimum length of each is1
. Format of each should match the following pattern:^(?! *$).+$
.
-
-
license string
The rule's license.
-
Minimum value is
1
. -
meta object
Additional properties are allowed.
-
Minimum length is
1
. -
namespace string
Has no effect.
-
note string
Notes to help investigate alerts produced by the rule.
-
outcome string
Values are
exactMatch
,aliasMatch
, orconflict
. -
(deprecated) Has no effect.
-
Hide related_integrations attributes Show related_integrations attributes object
-
integration string
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
Hide required_fields attributes Show required_fields attributes object
-
Whether the field is an ECS field
-
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
. -
A string that is not empty and does not contain only whitespace
Minimum length is
1
. Format should match the following pattern:^(?! *$).+$
.
-
-
response_actions array[object]
One of: Hide attributes Show attributes
-
Value is
.osquery
. -
Additional properties are allowed.
Hide params attributes Show params attributes object
-
ecs_mapping object
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
pack_id string
-
queries array[object]
Hide queries attributes Show queries attributes object
-
query string
-
saved_query_id string
-
timeout number
-
Hide attributes Show attributes
-
-
Risk score (0 to 100)
Minimum value is
0
, maximum value is100
. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals
. -
risk_score integer
Risk score (0 to 100)
Minimum value is
0
, maximum value is100
.
-
rule_name_override string
Sets the source field for the alert's signal.rule.name value
-
Severity of the rule
Values are
low
,medium
,high
, orcritical
. -
Overrides generated alerts' severity with values from the source event
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Additional properties are allowed.
-
technique array[object]
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
subtechnique array[object]
Array containing more specific information on the attack technique
-
-
-
timeline_id string
Timeline template ID
-
timeline_title string
Timeline template title
-
timestamp_override string
Sets the time field used to query indices
-
-
-
-