The SIEM app is now a part of the Elastic Security solution.
Click
here to view the current documentation.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Detections APIedit
This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
You can create rules that automatically turn events and alerts sent to the SIEM app into signals. These signals are displayed on the Detections page.
For more information on signals, and the difference between signals, events, and alerts, see detections terminology.
The API has these endpoints:
-
<kibana host>:<port>/api/detection_engine/rules- Signal detection rules CRUD functions -
<kibana host>:<port>/api/detection_engine/index- Signal index operations -
<kibana host>:<port>/api/detection_engine/tags- Aggregates and returns rule tags -
<kibana host>:<port>/api/detection_engine/_import- Imports rules from an ndjson file -
<kibana host>:<port>/api/detection_engine/_export- Exports rules to an ndjson file -
<kibana host>:<port>/api/detection_engine/privileges- Returns the user’s Kibana space and signal index permissions, and whether the user is authenticated -
<kibana host>:<port>/api/detection_engine/signals- Aggregates, queries, and returns signals, and updates their statuses -
<kibana host>:<port>/api/detection_engine/prepackaged- Loads and retrieves the status of Elastic prebuilt rules
You can view and download a Detections API Postman collection here.
Kibana role requirementsedit
To create and run rules, the user role for the Kibana space must have:
-
the
manage_api_keyprivilege. -
read,write,create, andview_index_metadataprivileges for the signals index (the system index used for storing signals created from rules). -
allprivileges forSIEMfeatures.