Find rulesedit

Retrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.

Request URLedit

GET <kibana host>:<port>/api/detection_engine/rules/_find

URL query parametersedit

All parameters are optional:

Name Type Description

page

Integer

The page number to return.

per_page

Integer

The number of rules to return per page.

sort_field

String

Determines which field is used to sort the results.

sort_order

String

Determines the sort order, which can be desc or asc.

filter

String

Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be:

  • name
  • enabled
  • tags
  • createdBy
  • interval
  • updatedBy

Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter.

Example requestedit

Retrieves the first five rules with the word windows in their names, sorted in ascending order:

GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows

Response codeedit

200
Indicates a successful call.

Response payloadedit

A JSON object containing a summary and the returned rules.

Example response:

{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": [
        "winlogbeat-*"
      ],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "output_index": ".siem-signals-siem-test",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": [
        "Elastic",
        "Windows"
      ],
      "to": "now",
      "related_integrations": [],       
      "required_fields": [],            
      "setup": "",                      
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": "https://attack.mitre.org/tactics/TA0002/"
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": "https://attack.mitre.org/techniques/T1193/"
            }
          ]
        }
      ],
      "execution_summary": {                      
        "last_execution": {
          "date": "2022-03-23T16:06:12.787Z",
          "status": "partial failure",
          "status_order": 20,
          "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
          "metrics": {
              "total_search_duration_ms": 135,
              "total_indexing_duration_ms": 15,
              "execution_gap_duration_s": 0,
          }
        }
      },
      "version": 1
    },
    ...
  ]
}

[dev] This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features. These fields are under development and their usage or schema may change: related_integrations, required_fields, setup, and execution_summary.