Find rules

Retrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.

The Kibana Console supports only Elasticsearch APIs. You cannot interact with the Kibana APIs with the Console and must use curl or another HTTP tool instead. For more information, refer to Console.

Request URL

GET <kibana host>:<port>/api/detection_engine/rules/_find

URL query parameters

All parameters are optional:

Name | Type | Description
page | Integer | The page number to return.
per_page | Integer | The number of rules to return per page.
sort_field | String | The field used to sort the results.
sort_order | String | The sort order, either desc or asc.
filter | String | Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be:

  • name
  • enabled
  • tags
  • createdBy
  • interval
  • updatedBy

Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter.

Example request

Retrieves the first page of five rules with the word windows in their names, sorted by the enabled field in ascending order:

GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows
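The request above, assembled programmatically, as an added example that is not Kibana's own client code. It shows the snake_case to camelCase mapping the filter syntax requires (created_by becomes createdBy), URL-encodes the filter value, and pages through the results using the page, perPage and total fields of the response. The host https://kibana.example:5601 is a placeholder, the API-key header in http_get_json is an assumption about how the caller authenticates, and the fetcher built by make_fake_fetch is constructed so the script runs offline.

```python
"""Build Find-rules request URLs and page through the results (added example).

Assumes a placeholder Kibana at https://kibana.example:5601 and a `fetch`
callable that returns the decoded JSON body of a GET. The fake fetcher at the
bottom is constructed for an offline run; http_get_json is the real one.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

FIND_PATH = "/api/detection_engine/rules/_find"

# The rule JSON uses created_by/updated_by, but the filter syntax wants camelCase.
FILTER_FIELD_NAMES = {
    "name": "name",
    "enabled": "enabled",
    "tags": "tags",
    "created_by": "createdBy",
    "interval": "interval",
    "updated_by": "updatedBy",
}


def build_filter(field: str, value: str) -> str:
    """Return an alert.attributes.<field>:<value> expression, mapping field names."""
    try:
        attr = FILTER_FIELD_NAMES[field]
    except KeyError:
        raise ValueError(f"{field!r} is not a filterable field") from None
    return f"alert.attributes.{attr}:{value}"


def build_find_url(base_url: str, page: int = 1, per_page: int = 20,
                   sort_field: Optional[str] = None, sort_order: Optional[str] = None,
                   filter_expr: Optional[str] = None) -> str:
    """Assemble the GET URL, URL-encoding every query value (':' becomes %3A)."""
    if sort_order not in (None, "asc", "desc"):
        raise ValueError("sort_order must be 'asc' or 'desc'")
    params: Dict[str, object] = {"page": page, "per_page": per_page}
    if sort_field:
        params["sort_field"] = sort_field
    if sort_order:
        params["sort_order"] = sort_order
    if filter_expr:
        params["filter"] = filter_expr
    return base_url.rstrip("/") + FIND_PATH + "?" + urllib.parse.urlencode(params)


def http_get_json(url: str, api_key: Optional[str] = None) -> Dict:
    """Real fetcher (needs network): GET the URL and decode the JSON body.
    The ApiKey Authorization header is an assumption about the deployment."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if api_key:
        req.add_header("Authorization", f"ApiKey {api_key}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_rules(base_url: str, fetch: Callable[[str], Dict], per_page: int = 20,
               **kwargs) -> Iterator[Dict]:
    """Yield every matching rule, following page/perPage/total in the response."""
    page, seen = 1, 0
    while True:
        body = fetch(build_find_url(base_url, page=page, per_page=per_page, **kwargs))
        data = body.get("data", [])
        for rule in data:
            yield rule
        seen += len(data)
        # Note the camelCase perPage in the response versus per_page in the request.
        if not data or seen >= body.get("total", 0) or len(data) < body.get("perPage", per_page):
            return
        page += 1


def make_fake_fetch(rules: List[Dict]) -> Callable[[str], Dict]:
    """Constructed stand-in for Kibana: serves `rules` with the real paging shape."""
    def fetch(url: str) -> Dict:
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        page = int(qs.get("page", ["1"])[0])
        per_page = int(qs.get("per_page", ["20"])[0])
        start = (page - 1) * per_page
        return {"page": page, "perPage": per_page, "total": len(rules),
                "data": rules[start:start + per_page]}
    return fetch


# Constructed sample rules, shaped like the entries in the example response.
SAMPLE_RULES = [{"rule_id": f"rule-{i}", "name": f"Windows rule {i}", "enabled": i % 2 == 0}
                for i in range(7)]


def collect_names(per_page: int = 3) -> List[str]:
    """Page through the fake Kibana with the page's example query and collect names."""
    fetch = make_fake_fetch(SAMPLE_RULES)
    return [r["name"] for r in iter_rules("https://kibana.example:5601", fetch,
                                         per_page=per_page, sort_field="enabled",
                                         sort_order="asc",
                                         filter_expr=build_filter("name", "windows"))]


if __name__ == "__main__":
    print(build_find_url("https://kibana.example:5601", 1, 5, "enabled", "asc",
                         build_filter("name", "windows")))
    print(collect_names())
```

Swapping make_fake_fetch for http_get_json turns this into a real paginated export; the stop condition reads total and perPage from the body rather than trusting the requested per_page, so a short final page or a rule set that shrinks mid-run still ends the loop.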

Response code

200
Indicates a successful call.

Response payload

A JSON object containing a paging summary (page, perPage and the total number of matching rules) and the returned rules in the data array.

Example response:

{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": [
        "winlogbeat-*"
      ],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "output_index": ".siem-signals-siem-test",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": [
        "Elastic",
        "Windows"
      ],
      "to": "now",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": "https://attack.mitre.org/tactics/TA0002/"
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": "https://attack.mitre.org/techniques/T1193/"
            }
          ]
        }
      ],
      "version": 1
    },
    ...
  ]
}
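Reading the payload back for a rule-hygiene review, as an added example that is not part of Kibana's documentation. It validates the summary fields, lists rules that are present but disabled, maps ATT&CK technique IDs to the rules that claim them, and flags any rule whose from window is shorter than its interval (such a rule leaves unsearched time between runs). The SAMPLE_RESPONSE is constructed after the example response above: the first rule is copied from it, the second is invented to exercise the look-back check.

```python
"""Inspect a Find-rules response payload (added example, constructed sample data)."""
import json
import re
from collections import defaultdict
from typing import Dict, List

# Constructed after the page's example response; rule 2 is invented.
SAMPLE_RESPONSE = r'''
{
  "page": 1, "perPage": 5, "total": 2,
  "data": [
    {
      "created_by": "elastic", "enabled": false, "immutable": true,
      "index": ["winlogbeat-*"], "interval": "5m", "from": "now-6m", "to": "now",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "name": "Windows Script Executing PowerShell", "risk_score": 21, "severity": "low",
      "max_signals": 33, "type": "query", "language": "kuery",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "threat": [{"framework": "MITRE ATT&CK",
                  "tactic": {"id": "TA0002", "name": "Execution"},
                  "technique": [{"id": "T1193", "name": "Spearphishing Attachment"}]}]
    },
    {
      "created_by": "analyst", "enabled": true, "immutable": false,
      "index": ["logs-*"], "interval": "5m", "from": "now-2m", "to": "now",
      "rule_id": "00000000-0000-0000-0000-000000000001",
      "name": "Custom rule (constructed)", "risk_score": 47, "severity": "medium",
      "max_signals": 100, "type": "query", "language": "kuery",
      "query": "event.category:process", "threat": []
    }
  ]
}
'''

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_find_response(text: str) -> Dict:
    """Decode the body and insist on the summary keys the endpoint documents."""
    body = json.loads(text)
    for key in ("page", "perPage", "total", "data"):
        if key not in body:
            raise ValueError(f"missing {key!r} in response")
    return body


def duration_seconds(expr: str) -> int:
    """Turn '5m' or a date-math offset like 'now-6m' into seconds."""
    expr = expr.strip()
    if expr == "now":
        return 0
    if expr.startswith("now-"):
        expr = expr[4:]
    m = re.fullmatch(r"(\d+)([smhd])", expr)
    if not m:
        raise ValueError(f"unsupported duration {expr!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def disabled_rules(body: Dict) -> List[str]:
    """Names of rules that exist but are switched off."""
    return sorted(r["name"] for r in body["data"] if not r.get("enabled", False))


def technique_coverage(body: Dict) -> Dict[str, List[str]]:
    """ATT&CK technique ID -> rules that declare it in their threat mapping."""
    coverage = defaultdict(list)
    for rule in body["data"]:
        for threat in rule.get("threat", []):
            for technique in threat.get("technique", []):
                coverage[technique["id"]].append(rule["name"])
    return dict(coverage)


def lookback_gaps(body: Dict) -> List[str]:
    """Rules whose `from` window is shorter than `interval`, so runs miss events."""
    return sorted(r["name"] for r in body["data"]
                  if duration_seconds(r["from"]) < duration_seconds(r["interval"]))


def summarize(text: str) -> Dict:
    body = parse_find_response(text)
    return {"total": body["total"], "returned": len(body["data"]),
            "disabled": disabled_rules(body),
            "techniques": technique_coverage(body),
            "lookback_gaps": lookback_gaps(body)}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

The look-back check is the one most worth keeping in a review script: a rule that runs every 5m but only queries the last 2m silently drops three minutes of events per cycle, and nothing in the rule's status tells you so.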