Index endpoint

You use the index endpoint to create, get, and delete .siem-signals-<Kibana-space> system indices in a Kibana space.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Signal indices store detection alerts.

For information about the permissions and privileges required to create .siem-signals-<Kibana-space> indices, see Enable and access detections.

When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:

{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      }
    }
  }
}

The policy and rollover_alias use the same name as the signal index.

Create index

Creates a signal index. The naming convention for the index is .siem-signals-<space name>.

Request URL

POST <kibana host>:<port>/api/detection_engine/index

Example request

Creates a signal index in the Kibana siem space.

POST s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.

Get index

Gets the signal index name if it exists.

Request URL

GET <kibana host>:<port>/api/detection_engine/index

Example request

Gets the signal index for the Kibana siem space:

GET s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.
404
Indicates no index exists.

Example responses

Example response when index exists:

{
  "name": ".siem-signals-siem"
}

Example response when no index exists:

{
  "statusCode": 404,
  "error": "Not Found",
  "message": "index for this space does not exist"
}

Delete index

Deletes the signal index.

Request URL

DELETE <kibana host>:<port>/api/detection_engine/index

Example request

Deletes the signal index for the Kibana siem space:

DELETE s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.
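The create, get and delete calls above, worked through in one place as an added example that is not part of Kibana's documentation or code base. The client builds the space-scoped URL (/s/<space>/api/... for a named space, no prefix for the default space), sends the kbn-xsrf header Kibana requires on non-GET API requests, and treats a 404 from the get call as "no index for this space" rather than as an error. The base URL, credentials, the fake transport and its response bodies are constructed for the demonstration; the page does not document response bodies for create and delete, so the fake returns an empty JSON object for those.

```python
import base64
import json
import urllib.error
import urllib.request


class SignalIndexClient:
    """Hypothetical helper for the detection engine index endpoint (not Kibana code).

    Assumes HTTP basic auth and sets the kbn-xsrf header that Kibana
    requires on non-GET API requests.
    """

    def __init__(self, base_url, space=None, username=None, password=None, send=None):
        self.base_url = base_url.rstrip("/")
        self.space = space
        self._auth = None
        if username is not None:
            token = base64.b64encode(f"{username}:{password}".encode()).decode()
            self._auth = f"Basic {token}"
        # send(method, url, headers) -> (status, body); replaceable with a
        # fake transport so the lifecycle below runs offline.
        self._send = send or self._urllib_send

    def endpoint(self):
        # Space-scoped Kibana APIs live under /s/<space>/api/...; the
        # default space has no prefix.
        prefix = f"/s/{self.space}" if self.space else ""
        return f"{self.base_url}{prefix}/api/detection_engine/index"

    def _headers(self, method):
        headers = {"Accept": "application/json"}
        if method != "GET":
            headers["kbn-xsrf"] = "true"  # required by Kibana on state-changing calls
        if self._auth:
            headers["Authorization"] = self._auth
        return headers

    @staticmethod
    def _urllib_send(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, resp.read().decode()
        except urllib.error.HTTPError as err:
            # 4xx/5xx responses still carry Kibana's JSON error body
            return err.code, err.read().decode()

    def get_index(self):
        """Return the signal index name, or None when the space has no index (404)."""
        status, body = self._send("GET", self.endpoint(), self._headers("GET"))
        if status == 200:
            return json.loads(body)["name"]
        if status == 404:
            return None
        raise RuntimeError(f"GET {self.endpoint()} returned {status}: {body}")

    def create_index(self):
        status, body = self._send("POST", self.endpoint(), self._headers("POST"))
        if status != 200:
            raise RuntimeError(f"POST {self.endpoint()} returned {status}: {body}")
        return True

    def delete_index(self):
        status, body = self._send("DELETE", self.endpoint(), self._headers("DELETE"))
        if status != 200:
            raise RuntimeError(f"DELETE {self.endpoint()} returned {status}: {body}")
        return True


def make_fake_transport(space):
    """Constructed stand-in for Kibana that mimics the responses documented above."""
    state = {"exists": False}
    name = f".siem-signals-{space}"

    def send(method, url, headers):
        if method != "GET" and "kbn-xsrf" not in headers:
            # constructed imitation of Kibana's rejection of a missing kbn-xsrf header
            return 400, json.dumps({"statusCode": 400, "error": "Bad Request"})
        if method == "GET":
            if state["exists"]:
                return 200, json.dumps({"name": name})
            return 404, json.dumps({"statusCode": 404, "error": "Not Found",
                                    "message": "index for this space does not exist"})
        if method in ("POST", "DELETE"):
            state["exists"] = method == "POST"
            return 200, "{}"  # body not documented on the page; assumed empty
        return 405, "{}"

    return send


def lifecycle(space="siem"):
    """get -> create -> get -> delete -> get, returning what each get reported."""
    client = SignalIndexClient("http://localhost:5601", space=space,
                               username="elastic", password="changeme",
                               send=make_fake_transport(space))
    before = client.get_index()
    client.create_index()
    after = client.get_index()
    client.delete_index()
    final = client.get_index()
    return before, after, final


if __name__ == "__main__":
    print(lifecycle("siem"))
```

Dropping the `send=` argument makes the client talk to a real Kibana over urllib; the fake transport exists only so the get/create/delete sequence can be exercised and checked without a running stack.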