Set a detection alert status

POST /api/detection_engine/signals/status

Api key auth

Spaces method and path for this operation:

post /s/{space_id}/api/detection_engine/signals/status

Refer to Spaces for more information.

Set the status of one or more detection alerts.

application/json

Body Required

An object containing desired status and explicit alert ids or a query to select alerts

status Required Discriminator
reason string

The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.

One of:
Security_Detections_API_ReasonEnum string string-2 string

Values are false_positive, duplicate, true_positive, benign_positive, automated_closure, or other.
signal_ids array[string(nonempty)] Required

List of alert ids. Use field _id on alert document or kibana.alert.uuid. Note: signals are a deprecated term for alerts.

At least 1 element. Minimum length of each is 1.

status Required Discriminator

The status of an alert, which can be open, acknowledged, in-progress, or closed.

Value is Security_Detections_API_SetAlertsStatusByIds.
signal_ids array[string(nonempty)] Required

List of alert ids. Use field _id on alert document or kibana.alert.uuid. Note: signals are a deprecated term for alerts.

At least 1 element. Minimum length of each is 1.

status Required Discriminator
conflicts string

Values are abort or proceed. Default value is abort.
query object Required

Additional properties are allowed.
reason string

The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.

One of:
Security_Detections_API_ReasonEnum string string-2 string

Values are false_positive, duplicate, true_positive, benign_positive, automated_closure, or other.

status Required Discriminator

The status of an alert, which can be open, acknowledged, in-progress, or closed.

Value is Security_Detections_API_SetAlertsStatusByQuery.
conflicts string

Values are abort or proceed. Default value is abort.
query object Required

Additional properties are allowed.

Responses

200 application/json

Successful response

Elasticsearch update by query response

Additional properties are allowed.
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/signals/status

curl \
 --request POST 'https://<KIBANA_URL>/api/detection_engine/signals/status' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"],"status":"closed"}'

Request examples

{
  "signal_ids": [
    "80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"
  ],
  "status": "closed"
}

{
  "conflicts": "proceed",
  "query": {
    "bool": {
      "filter": [
        {
          "@timestamp": {
            "format": "strict_date_optional_time",
            "gte": "2024-10-23T07:00:00.000Z",
            "lte": "2025-01-21T20:12:11.704Z"
          },
          "range": null
        },
        {
          "bool": {
            "filter": {
              "bool": {
                "filter": [
                  {
                    "match_phrase": {
                      "kibana.alert.workflow_status": "open"
                    }
                  },
                  {
                    "@timestamp": {
                      "format": "strict_date_optional_time",
                      "gte": "2024-10-23T07:00:00.000Z",
                      "lte": "2025-01-21T20:12:11.704Z"
                    },
                    "range": null
                  }
                ],
                "must": [],
                "must_not": [
                  {
                    "exists": {
                      "field": "kibana.alert.building_block_type"
                    }
                  }
                ],
                "should": []
              }
            }
          }
        }
      ],
      "must": [],
      "must_not": [],
      "should": []
    }
  },
  "status": "closed"
}

Response examples (200)

{
  "batches": 1,
  "deleted": 0,
  "failures": [],
  "noops": 0,
  "requests_per_second": -1,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "throttled_until_millis": 0,
  "timed_out": false,
  "took": 81,
  "total": 1,
  "updated": 1,
  "version_conflicts": 0
}

{
  "batches": 1,
  "deleted": 0,
  "failures": [],
  "noops": 0,
  "requests_per_second": -1,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "throttled_until_millis": 0,
  "timed_out": false,
  "took": 100,
  "total": 17,
  "updated": 17,
  "version_conflicts": 0
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request body].signal_ids: at least one alert id is required to update status",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}