Index endpoint

You use the index endpoint to create, get, and delete a signal index in a Kibana space.

You can only create a signal index when the user role has manage privileges for both the Elasticsearch cluster and the .siem-signals-<Kibana space> index.

When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:

{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      }
    }
  }
}

The policy and rollover_alias use the same name as the signal index.

To make sure administrators can always create indices, use a glob pattern that matches indices from multiple spaces in the Indices field on the Create role page (Management > Roles > Create role). For example, .siem-signals-*.

Create index

Creates a signal index. The naming convention for the index is .siem-signals-<space name>.

Request URL

POST <kibana host>:<port>/api/detection_engine/index

Example request

Creates a signal index in the Kibana siem space.

POST s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.

Get index

Gets the signal index name if it exists.

Request URL

GET <kibana host>:<port>/api/detection_engine/index

Example request

Gets the signal index for the Kibana siem space:

GET s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.
404
Indicates no index exists.

Example responses

Example response when index exists:

{
  "name": ".siem-signals-siem"
}

Example response when no index exists:

{
  "statusCode": 404,
  "error": "Not Found",
  "message": "index for this space does not exist"
}

Delete index

Deletes the signal index.

Request URL

DELETE <kibana host>:<port>/api/detection_engine/index

Example request

Deletes the signal index for the Kibana siem space:

DELETE s/siem/api/detection_engine/index

Response code

200
Indicates a successful call.
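The create, get and delete calls above, driven from a small client as an added example (not code from the Kibana project): it treats the 404 from GET as "no index yet", creates the index only then, and verifies the .siem-signals-<space name> convention afterwards. It assumes HTTP basic auth, the kbn-xsrf header Kibana requires on non-GET requests, and that the default space has no /s/<space>/ prefix; the in-memory transport is a constructed stand-in so the logic runs offline.

```python
import base64
import json
import urllib.error
import urllib.request


def index_url(kibana_base, space):
    """Space-scoped URL, e.g. http://kibana:5601/s/siem/api/detection_engine/index."""
    prefix = "" if space == "default" else f"/s/{space}"  # assumption: default space unprefixed
    return f"{kibana_base.rstrip('/')}{prefix}/api/detection_engine/index"


def make_transport(username, password):
    """Real HTTP transport (needs a reachable Kibana). Returns (status, json body)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def transport(method, url):
        req = urllib.request.Request(url, method=method)
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("kbn-xsrf", "true")  # required by Kibana for POST/DELETE
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return transport


def fake_kibana_transport(existing_name=None):
    """Constructed in-memory stand-in for the endpoint, for offline runs and tests."""
    state = {"name": existing_name}

    def transport(method, url):
        space = url.split("/s/")[1].split("/")[0] if "/s/" in url else "default"
        if method == "POST":
            state["name"] = f".siem-signals-{space}"
            return 200, {}
        if method == "DELETE":
            state["name"] = None
            return 200, {}
        if state["name"] is None:  # same body the page shows for a missing index
            return 404, {"statusCode": 404, "error": "Not Found",
                         "message": "index for this space does not exist"}
        return 200, {"name": state["name"]}
    return transport


def ensure_signal_index(kibana_base, space, transport):
    """Return (created, index_name); create only when GET reports 404."""
    url = index_url(kibana_base, space)
    status, body = transport("GET", url)
    if status == 200:
        return False, body["name"]
    if status != 404:  # anything else (e.g. missing manage privileges) is an error
        raise RuntimeError(f"GET {url} -> {status}: {body.get('message', body)}")
    status, body = transport("POST", url)
    if status != 200:
        raise RuntimeError(f"POST {url} -> {status}: {body.get('message', body)}")
    status, body = transport("GET", url)  # confirm the naming convention held
    expected = f".siem-signals-{space}"
    if status != 200 or body.get("name") != expected:
        raise RuntimeError(f"{expected} not visible after create: {status} {body}")
    return True, expected
```

Against a live instance, replace the fake with make_transport("user", "pass") and call ensure_signal_index("http://kibana:5601", "siem", transport).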