Find rules

Retrieves a paginated subset of detection rules. By default, the first page is returned with 20 results per page.

Request URL

GET <kibana host>:<port>/api/detection_engine/rules/_find

URL query parameters

All parameters are optional:

Name Type Description

page Number The page number to return.

per_page Number The number of rules to return per page.

sort_field String Determines which field is used to sort the results.

sort_order String Determines the sort order, which can be desc or asc.

filter String Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be:

  • name
  • enabled
  • tags
  • createdBy
  • interval
  • updatedBy

Even though the JSON rule object uses the created_by and updated_by fields, you must use createdBy and updatedBy in the filter.

Example request

Retrieves the first five rules with the word windows in their names, sorted by the enabled field in ascending order:

GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&

Response code

200 Indicates a successful call.

Response payload

A JSON object containing a summary and the returned rules.

Example response:

{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": [ ... ],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and\"wscript.exe\" or \"cscript.exe\") and\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": [ ... ],
      "to": "now",
      "related_integrations": [],
      "required_fields": [],
      "setup": "",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": ""
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": ""
            }
          ]
        }
      ],
      "execution_summary": {
        "last_execution": {
          "date": "2022-03-23T16:06:12.787Z",
          "status": "partial failure",
          "status_order": 20,
          "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
          "metrics": {
            "total_search_duration_ms": 135,
            "total_indexing_duration_ms": 15,
            "execution_gap_duration_s": 0
          }
        }
      },
      "version": 1
    }
  ]
}

This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and not subject to the support SLA of official GA features. These fields are under development and their usage or schema may change: related_integrations, required_fields, setup, and execution_summary.
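The parameters and response shape above are enough to write a small client that pages through every matching rule and reports the ones whose last run did not succeed, which is the practical reason a defender polls this endpoint (a rule in "partial failure" because its index pattern matches nothing is a silent detection gap). The following is an added example, not code from the Kibana documentation or from Kibana itself. It relies only on what the page states: the page, per_page, sort_field, sort_order and filter parameters, the page/perPage/total/data response fields, the createdBy/updatedBy filter naming, and execution_summary.last_execution.status. The Kibana URL and API key are placeholders, the "failed" status value and the sample rules are assumptions/constructed data, and make_fake_fetch is an in-memory stand-in so the example runs offline.

```python
"""Page through the Find rules API and flag rules whose last run did not succeed.

Added example, not Kibana code. Only the URL, parameters and response fields
documented on the page are used; everything else is labelled as an assumption.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Fields the page allows in alert.attributes.<field name>:<field value> filters.
FILTER_FIELDS = {"name", "enabled", "tags", "createdBy", "interval", "updatedBy"}
# Rule JSON uses snake_case for these two, but the filter syntax needs camelCase.
SNAKE_TO_FILTER = {"created_by": "createdBy", "updated_by": "updatedBy"}
# "partial failure" appears on the page; "failed" is an assumed additional value.
FAILURE_STATUSES = {"failed", "partial failure"}


def build_filter(field: str, value: str) -> str:
    """Build a filter string, translating created_by/updated_by for the caller."""
    field = SNAKE_TO_FILTER.get(field, field)
    if field not in FILTER_FIELDS:
        raise ValueError(f"unsupported filter field: {field}")
    return f"alert.attributes.{field}:{value}"


def find_url(base: str, page: int, per_page: int, sort_field: str = "enabled",
             sort_order: str = "asc", filter_: Optional[str] = None) -> str:
    """Compose the _find URL; urlencode percent-escapes the ':' in the filter."""
    params: Dict[str, object] = {"page": page, "per_page": per_page,
                                 "sort_field": sort_field, "sort_order": sort_order}
    if filter_:
        params["filter"] = filter_
    return f"{base}/api/detection_engine/rules/_find?{urllib.parse.urlencode(params)}"


def http_get(url: str, api_key: str) -> dict:
    """Real transport: one authenticated GET. Not exercised by the offline demo."""
    req = urllib.request.Request(url, headers={"Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_rules(fetch: Callable[[str], dict], base: str,
               filter_: Optional[str] = None, per_page: int = 20) -> Iterator[dict]:
    """Yield every matching rule, walking pages until page * perPage covers total."""
    page = 1
    while True:
        body = fetch(find_url(base, page, per_page, filter_=filter_))
        data = body.get("data", [])
        yield from data
        # Stop on an empty page too, so a shrinking result set cannot loop forever.
        if not data or page * body.get("perPage", per_page) >= body.get("total", 0):
            return
        page += 1


def failed_rules(rules: Iterable[dict]) -> List[dict]:
    """Rules whose execution_summary.last_execution.status is a failure status."""
    out = []
    for rule in rules:
        last = rule.get("execution_summary", {}).get("last_execution", {})
        if last.get("status") in FAILURE_STATUSES:
            out.append({"rule_id": rule["rule_id"], "name": rule["name"],
                        "status": last["status"], "message": last.get("message", "")})
    return out


def make_fake_fetch(rules: List[dict]) -> Callable[[str], dict]:
    """Constructed in-memory stand-in for Kibana that paginates like the real API."""
    def fetch(url: str) -> dict:
        query = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        page, size = int(query["page"][0]), int(query["per_page"][0])
        start = (page - 1) * size
        return {"page": page, "perPage": size, "total": len(rules),
                "data": rules[start:start + size]}
    return fetch


# Constructed sample rules (not from the page); only the fields used above.
SAMPLE_RULES = [
    {"rule_id": f"rule-{i}", "name": f"Windows rule {i}",
     "execution_summary": {"last_execution": {
         "status": "partial failure" if i == 3 else "succeeded",
         "message": "no matching index was found" if i == 3 else ""}}}
    for i in range(1, 6)
]


def demo(per_page: int = 2) -> List[dict]:
    """Run the pager against the fake server with a name filter and report failures."""
    fetch = make_fake_fetch(SAMPLE_RULES)
    flt = build_filter("name", "windows")
    return failed_rules(iter_rules(fetch, "http://kibana.example:5601", flt, per_page))


if __name__ == "__main__":
    # Against a real instance, swap make_fake_fetch for
    # lambda url: http_get(url, "<API KEY PLACEHOLDER>") and keep iter_rules as is.
    print(json.dumps(demo(), indent=2))
```

With per_page=2 and five sample rules, the pager issues three requests and yields all five rules before stopping, and failed_rules returns only the one whose last execution is "partial failure". Keeping the transport behind a fetch callable is what lets the pagination logic and the createdBy/updatedBy translation be checked without a Kibana instance.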