Get rule

Retrieves a single rule using the rule_id or id field.

Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.

Request URL

GET <kibana host>:<port>/api/detection_engine/rules

URL query parameters

The URL query must include one of the following:

  • id - GET /api/detection_engine/rules?id=<id>
  • rule_id - GET /api/detection_engine/rules?rule_id=<rule_id>

Example request

Retrieves the rule with an id value of c41d170b-8ba6-4de6-b8ec-76440a35ace3:

GET api/detection_engine/rules?id=c41d170b-8ba6-4de6-b8ec-76440a35ace3

Response code

Indicates a successful call.

Response payload

The returned rule’s JSON object.

Example response:

{
  "created_at": "2020-02-03T11:19:04.259Z",
  "updated_at": "2020-02-03T11:19:04.462Z",
  "created_by": "elastic",
  "description": "Process started by MS Office program in user folder",
  "enabled": false,
  "false_positives": [],
  "filters": [
    {
      "query": {
        "match": {
          "event.action": {
            "query": "Process Create (rule: ProcessCreate)",
            "type": "phrase"
          }
        }
      }
    }
  ],
  "from": "now-4200s",
  "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3",
  "immutable": false,
  "interval": "1h",
  "rule_id": "process_started_by_ms_office_user_folder",
  "language": "kuery",
  "output_index": ".siem-signals-siem-test",
  "max_signals": 100,
  "risk_score": 21,
  "name": "MS Office child process",
  "query": " or or or or or",
  "references": [],
  "severity": "low",
  "updated_by": "elastic",
  "tags": [
    "child process",
    "ms office"
  ],
  "to": "now-300s",
  "type": "query",
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0001",
        "reference": "",
        "name": "Initial Access"
      },
      "technique": [
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "reference": ""
        }
      ]
    }
  ],
  "version": 1
}
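The following is an added example, not Elastic's own client code: a small Python helper that builds the request URL under the "exactly one of id or rule_id" constraint from the URL query parameters section, fetches the rule over HTTP with basic auth, and reduces a returned payload of the shape shown above to the fields a detection engineer reviews first. The Kibana host, credentials and the trimmed sample payload are constructed for the example.

```python
"""Minimal client for the Kibana 'Get rule' endpoint (added example, not Elastic's code).

Assumes basic auth; host, credentials and SAMPLE_RULE below are constructed values.
"""
import base64
import json
import urllib.parse
import urllib.request


def build_rule_url(kibana_base, id=None, rule_id=None):
    """Return the GET URL; the query must carry exactly one of id / rule_id."""
    if (id is None) == (rule_id is None):
        raise ValueError("specify exactly one of id or rule_id")
    params = {"id": id} if id is not None else {"rule_id": rule_id}
    return f"{kibana_base.rstrip('/')}/api/detection_engine/rules?" + urllib.parse.urlencode(params)


def fetch_rule(kibana_base, user, password, **selector):
    """GET the rule and return its JSON object (network call; not exercised offline)."""
    req = urllib.request.Request(build_rule_url(kibana_base, **selector))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def summarize_rule(rule):
    """Pull the review-relevant fields out of a rule payload: state, scoring,
    lookback window and the (tactic, technique) pairs from the threat mapping."""
    techniques = [
        (t["tactic"]["id"], tech["id"])
        for t in rule.get("threat", [])
        for tech in t.get("technique", [])
    ]
    return {
        "rule_id": rule["rule_id"],
        "name": rule["name"],
        "enabled": rule["enabled"],
        "severity": rule["severity"],
        "risk_score": rule["risk_score"],
        "lookback": (rule["from"], rule["to"]),
        "attack": techniques,
    }


# Constructed sample, trimmed from the response shape shown on this page.
SAMPLE_RULE = json.loads("""{
  "rule_id": "process_started_by_ms_office_user_folder", "name": "MS Office child process",
  "enabled": false, "severity": "low", "risk_score": 21, "from": "now-4200s", "to": "now-300s",
  "threat": [{"framework": "MITRE ATT&CK", "tactic": {"id": "TA0001", "name": "Initial Access"},
              "technique": [{"id": "T1193", "name": "Spearphishing Attachment"}]}]
}""")
```

A disabled rule (enabled false, as in the sample) produces no signals regardless of its query, which is the first thing the summary makes visible.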