Index endpoint
You use the index endpoint to create, get, and delete .siem-signals-<Kibana-space> system indices in a Kibana space. Signal indices store detection alerts.
For information about the permissions and privileges required to create .siem-signals-<Kibana-space> indices, see Enable and access detections.
When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:

{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      }
    }
  }
}

The policy and rollover_alias use the same name as the signal index.
To reduce clutter on your hot tier, we highly recommend adding a delete action to this ILM policy. Otherwise, the signal indices will remain on your hot tier indefinitely.
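The following script is an added example and is not part of the Elastic documentation page. It emits the hot-only policy shown above next to a variant that adds a delete phase, checks which of the two carries the delete phase, and pushes the chosen policy to Elasticsearch with the standard PUT _ilm/policy/<name> API. The policy name follows the page's convention (the same name as the signal index); the ES_URL and ES_AUTH variables, the "siem" space and the 90-day retention are assumptions for the example.

```shell
#!/bin/sh
# Added example (not Elastic's own code): the default signal-index ILM policy
# beside a hardened version with a delete phase, plus a helper that applies it.
# Assumed: ES_URL (e.g. https://es:9200), ES_AUTH (user:password), SPACE and
# RETENTION. DRY_RUN=1 (default) only prints the curl command, so the script
# is safe to run offline.

SPACE="${SPACE:-siem}"
RETENTION="${RETENTION:-90d}"
POLICY_NAME=".siem-signals-${SPACE}"   # policy and rollover alias share the index name

# Policy as the detection engine creates it: hot tier only, indices never removed.
default_policy() {
  cat <<'EOF'
{"policy":{"phases":{"hot":{"min_age":"0ms","actions":{"rollover":{"max_size":"50gb","max_age":"30d"}}}}}}
EOF
}

# Same hot phase, plus a delete phase. Because the hot phase rolls over,
# the delete phase's min_age is measured from each index's rollover time.
retention_policy() {
  retention="$1"
  cat <<EOF
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": { "max_size": "50gb", "max_age": "30d" }
        }
      },
      "delete": {
        "min_age": "${retention}",
        "actions": { "delete": {} }
      }
    }
  }
}
EOF
}

# Exit 0 when the policy body declares a delete phase, 1 otherwise.
has_delete_phase() {
  printf '%s' "$1" | grep -q '"delete"[[:space:]]*:[[:space:]]*{'
}

# PUT the policy body to _ilm/policy/<name>; overwriting the policy of the
# same name is how the default policy is replaced.
apply_policy() {
  name="$1"; body="$2"
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf 'curl -s -u <auth> -X PUT "%s/_ilm/policy/%s" -H "Content-Type: application/json" -d @-\n' \
      "${ES_URL:-https://es:9200}" "$name"
    return 0
  fi
  printf '%s' "$body" | curl -s -u "$ES_AUTH" -X PUT "$ES_URL/_ilm/policy/$name" \
    -H 'Content-Type: application/json' -d @-
}

# Usage: refuse to apply a policy that still lacks a delete phase.
main() {
  body="$(retention_policy "$RETENTION")"
  has_delete_phase "$body" || { echo "policy has no delete phase" >&2; return 1; }
  apply_policy "$POLICY_NAME" "$body"
}

main
```

Run with DRY_RUN=0 and real ES_URL and ES_AUTH values to overwrite the policy; the rollover settings stay exactly as the detection engine created them, so only the retention behaviour changes.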
Create index
Creates a signal index. The naming convention for the index is .siem-signals-<space name>.
Request URL
POST <kibana host>:<port>/api/detection_engine/index
Example request
Creates a signal index in the Kibana siem space.
POST s/siem/api/detection_engine/index
Response code
200 - Indicates a successful call.
Get index
Gets the signal index name if it exists.
Request URL
GET <kibana host>:<port>/api/detection_engine/index
Example request
Gets the signal index for the Kibana siem space:
GET s/siem/api/detection_engine/index
Response code
200 - Indicates a successful call.
404 - Indicates no index exists.
Example responses
Example response when index exists:

{
  "name": ".siem-signals-siem"
}

Example response when no index exists:

{
  "statusCode": 404,
  "error": "Not Found",
  "message": "index for this space does not exist"
}
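The script below is an added example, not code from the Elastic documentation. It wraps the create and get operations described above for a provisioning script: it builds the space-scoped URL (the /s/<space>/ prefix from the example requests), parses the two documented response bodies, and creates the signal index only when the GET returns the 404 body. KIBANA_URL and KIBANA_AUTH are assumed variables, and the kbn-xsrf header is the one Kibana requires on any non-GET API call; the sample responses embedded in the test are constructed from the bodies shown on the page.

```shell
#!/bin/sh
# Added example (not Elastic's own code): idempotent creation of the signal
# index for a Kibana space through the detection engine index endpoint.
# Assumed: KIBANA_URL (e.g. http://localhost:5601), KIBANA_AUTH (user:password).
# Set RUN_LIVE=1 to actually call Kibana; by default only the functions are defined.

# Build the endpoint URL. The default space has no /s/<space>/ prefix.
index_url() {
  base="$1"; space="$2"
  if [ -z "$space" ] || [ "$space" = "default" ]; then
    printf '%s/api/detection_engine/index' "$base"
  else
    printf '%s/s/%s/api/detection_engine/index' "$base" "$space"
  fi
}

# Extract "name" from the 200 body ({"name": ".siem-signals-siem"});
# prints nothing for any other body.
index_name_from_response() {
  printf '%s' "$1" | sed -n 's/.*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exit 0 when the body is the documented 404 reply, 1 otherwise.
index_missing() {
  printf '%s' "$1" | grep -q '"statusCode"[[:space:]]*:[[:space:]]*404'
}

# Turn a GET response into a decision: "create" for the 404 body, the
# existing index name for the 200 body, failure for anything unexpected
# (an auth error page, for instance) so the caller never blindly POSTs.
next_action() {
  body="$1"
  if index_missing "$body"; then
    echo create
    return 0
  fi
  name="$(index_name_from_response "$body")"
  [ -n "$name" ] || return 1
  echo "$name"
}

# Send a request to Kibana; non-GET calls need the kbn-xsrf header.
kbn_request() {
  method="$1"; url="$2"
  curl -s -u "$KIBANA_AUTH" -X "$method" -H 'kbn-xsrf: true' "$url"
}

# Create the signal index for a space only if the GET reports it absent.
ensure_signal_index() {
  url="$(index_url "${KIBANA_URL:-http://localhost:5601}" "$1")"
  action="$(next_action "$(kbn_request GET "$url")")" || {
    echo "unexpected response from $url" >&2
    return 1
  }
  case "$action" in
    create) kbn_request POST "$url" ;;       # 200 on success
    *)      echo "exists: $action" ;;        # nothing to do
  esac
}

# Usage, guarded so the file can be sourced or tested offline.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  ensure_signal_index "${SPACE:-siem}"
fi
```

Failing closed in next_action matters for automation: a login redirect or a proxy error page is neither documented body, and treating it as "missing" would issue a POST on every run.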