Find rules

Retrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Request URL

GET <kibana host>:<port>/api/detection_engine/rules/_find

URL query parameters

All parameters are optional:

Name        Type     Description
page        Integer  The page number to return.
per_page    Integer  The number of rules to return per page.
sort_field  String   Determines which field is used to sort the results.
sort_order  String   Determines the sort order, which can be desc or asc.
filter      String   Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be:

  • name
  • enabled
  • tags
  • createdBy
  • interval
  • updatedBy

Even though the JSON rule object uses the created_by and updated_by fields, the filter refers to the underlying saved-object attributes, so you must write createdBy and updatedBy in the filter expression.

Example request

Retrieves the first five rules with the word windows in their names, sorted by the enabled field in ascending order:

GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows
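The following is an added example, not Kibana's own client code, showing how a practitioner would drive this endpoint from Python: it maps the rule-object field names created_by/updated_by to the createdBy/updatedBy names the filter expects, assembles the request URL (the filter query parameter name filter is assumed), and walks page/perPage/total until every matching rule has been returned. The Kibana host, API key and sample rules are constructed for the example.

```python
"""Query GET /api/detection_engine/rules/_find with filtering and pagination.

Added example for this page; not Kibana's own client code. Assumed: the
filter query parameter is named `filter`; the host, API key and sample
rule data are made up.
"""
import json
import urllib.parse
import urllib.request

# The rule JSON object uses created_by / updated_by, but the find filter
# expects the saved-object attribute names createdBy / updatedBy.
_FILTER_FIELD_NAMES = {"created_by": "createdBy", "updated_by": "updatedBy"}
_FILTERABLE = {"name", "enabled", "tags", "createdBy", "interval", "updatedBy"}


def filter_expression(field, value):
    """Build one alert.attributes.<field>:<value> term, mapping field names."""
    attr = _FILTER_FIELD_NAMES.get(field, field)
    if attr not in _FILTERABLE:
        raise ValueError(f"{field!r} is not a filterable rule field")
    if isinstance(value, bool):          # KQL booleans are lower-case
        value = "true" if value else "false"
    return f"alert.attributes.{attr}:{value}"


def find_rules_url(base_url, page=1, per_page=20, sort_field=None,
                   sort_order=None, filter_expr=None):
    """Assemble the request URL; urlencode percent-encodes the ':' in the filter."""
    if sort_order is not None and sort_order not in ("asc", "desc"):
        raise ValueError("sort_order must be 'asc' or 'desc'")
    params = {"page": page, "per_page": per_page}
    if sort_field:
        params["sort_field"] = sort_field
    if sort_order:
        params["sort_order"] = sort_order
    if filter_expr:
        params["filter"] = filter_expr   # assumed parameter name
    return (f"{base_url.rstrip('/')}/api/detection_engine/rules/_find?"
            f"{urllib.parse.urlencode(params)}")


def iter_rules(fetch_page, per_page=20):
    """Yield every matching rule, walking pages until `total` is exhausted.

    fetch_page(page, per_page) returns the parsed response body, i.e. a
    dict with "page", "perPage", "total" and "data" keys.
    """
    page, seen = 1, 0
    while True:
        body = fetch_page(page, per_page)
        for rule in body["data"]:
            yield rule
        seen += len(body["data"])
        # Stop on the last page, and also if a page comes back empty
        # (rules deleted between requests) so we never loop forever.
        if seen >= body["total"] or not body["data"]:
            return
        page += 1


def http_fetcher(base_url, api_key, **query):
    """Real fetcher: one GET per page against a live Kibana (needs network)."""
    def fetch(page, per_page):
        url = find_rules_url(base_url, page=page, per_page=per_page, **query)
        req = urllib.request.Request(url, headers={
            "kbn-xsrf": "true",
            "Authorization": f"ApiKey {api_key}",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def in_memory_fetcher(rules):
    """Constructed stand-in that pages over a list with the same response
    shape, so the pagination logic can be exercised offline."""
    def fetch(page, per_page):
        start = (page - 1) * per_page
        return {"page": page, "perPage": per_page, "total": len(rules),
                "data": rules[start:start + per_page]}
    return fetch


if __name__ == "__main__":
    # The page's own example request, built programmatically.
    print(find_rules_url("https://kibana.example:5601", page=1, per_page=5,
                         sort_field="enabled", sort_order="asc",
                         filter_expr=filter_expression("name", "windows")))
    # Offline pagination demo over seven constructed rules, three per page.
    sample = [{"rule_id": f"rule-{i}", "enabled": i % 2 == 0} for i in range(7)]
    disabled = [r["rule_id"] for r in iter_rules(in_memory_fetcher(sample), per_page=3)
                if not r["enabled"]]
    print(disabled)
```

For a live query, replace in_memory_fetcher with http_fetcher("https://kibana.example:5601", "<api key>", filter_expr=filter_expression("created_by", "elastic")); the filter term is built as alert.attributes.createdBy:elastic, which is the translation the note above requires.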

Response code

200: Indicates a successful call.

Response payload

A JSON object containing a summary and the returned rules.

Example response:

{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": [ ... ],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "output_index": ".siem-signals-siem-test",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and\"wscript.exe\" or \"cscript.exe\") and\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": [ ... ],
      "to": "now",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": ""
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": ""
            }
          ]
        }
      ],
      "version": 1
    }
  ]
}