POST /api/detection_engine/signals/search

Spaces method and path for this operation:

post /s/{space_id}/api/detection_engine/signals/search

Refer to Spaces for more information.

Find and/or aggregate detection alerts that match the given query.

application/json

Body Required

Search and/or aggregation query

Responses

  • 200 application/json

    Successful response

    Elasticsearch search response

    Additional properties are allowed.

  • 400 application/json

    Invalid input data response

    One of:
  • 401 application/json

    Unsuccessful authentication response

    Response attributes (object):
    • error string Required
    • message string Required
    • statusCode integer Required
  • 500 application/json

    Internal server error response

    Response attributes (object):
    • message string Required
    • status_code integer Required
POST /api/detection_engine/signals/search
curl \
 --request POST 'https://<KIBANA_URL>/api/detection_engine/signals/search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"aggs":{"alertsByGrouping":{"terms":{"field":"host.name","size":10}},"missingFields":{"missing":{"field":"host.name"}}},"query":{"bool":{"filter":[{"bool":{"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"must":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}],"should":[]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{},"size":0}'
Request example
{
  "aggs": {
    "alertsByGrouping": {
      "terms": {
        "field": "host.name",
        "size": 10
      }
    },
    "missingFields": {
      "missing": {
        "field": "host.name"
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "filter": [
              {
                "match_phrase": {
                  "kibana.alert.workflow_status": "open"
                }
              }
            ],
            "must": [],
            "must_not": [
              {
                "exists": {
                  "field": "kibana.alert.building_block_type"
                }
              }
            ],
            "should": []
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2025-01-17T08:00:00.000Z",
              "lte": "2025-01-18T07:59:59.999Z"
            }
          }
        }
      ]
    }
  },
  "runtime_mappings": {},
  "size": 0
}
Response examples (200)
{
  "_shards": {
    "failed": 0,
    "skipped": 0,
    "successful": 1,
    "total": 1
  },
  "aggregations": {
    "alertsByGrouping": {
      "buckets": [
        {
          "doc_count": 5,
          "key": "Host-f43kkddfyc"
        }
      ],
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0
    },
    "missingFields": {
      "doc_count": 0
    }
  },
  "hits": {
    "hits": [],
    "max_score": null,
    "total": {
      "relation": "eq",
      "value": 5
    }
  },
  "timed_out": false,
  "took": 0
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "Failed to parse search request: unknown query clause in bool filter",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (500)
{
  "message": "Internal Server Error",
  "status_code": 500
}