IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Index endpoint
You use the index endpoint to create, get, and delete a signal index in a Kibana space.
You can only create a signal index when the user role has manage privileges for both the Elasticsearch cluster and the .siem-signals-<Kibana space> index.
When you create a signal index, the following index lifecycle management (ILM) policy is created for the signal index:
{
  "policy": {
    "phases": {
      "hot": {
        "min_age": "0ms",
        "actions": {
          "rollover": {
            "max_size": "50gb",
            "max_age": "30d"
          }
        }
      }
    }
  }
}
The policy and rollover_alias use the same name as the signal index.
To make sure administrators can always create indices, use a glob pattern that matches indices from multiple spaces in the Indices field on the Create role page (Management → Roles → Create role). For example, .siem-signals-*.
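The privilege requirement above is easy to get wrong when a role is scoped to a single space's index. The following is an added example (not code from the Kibana documentation or the Kibana project): it builds a role body in the shape accepted by the Kibana role API (PUT /api/security/role/<name>) that uses the .siem-signals-* glob, and a small check that reports what a given role is missing for creating the signal index in a particular space. The role name, the extra read/write privileges, and the Kibana base privileges are assumptions for illustration.

```python
"""Check whether a role can create the signal index for a Kibana space.

The page requires 'manage' on the Elasticsearch cluster and on the
.siem-signals-<space> index; a glob such as .siem-signals-* covers every space.
"""
from fnmatch import fnmatchcase

# Assumed role name; the body shape follows the Kibana role API
# (PUT /api/security/role/<name>). Privileges beyond 'manage' are illustrative.
ROLE_NAME = "siem_signal_index_admin"
ROLE_BODY = {
    "elasticsearch": {
        "cluster": ["manage"],
        "indices": [
            {"names": [".siem-signals-*"], "privileges": ["manage", "read", "write"]}
        ],
    },
    "kibana": [{"base": ["all"], "spaces": ["*"]}],
}


def signal_index_name(space: str) -> str:
    """Naming convention from the page: .siem-signals-<space name>."""
    return f".siem-signals-{space}"


def missing_privileges(role_body: dict, space: str) -> list:
    """Return the privileges the role lacks for creating the signal index in `space`.

    An empty list means the role satisfies the requirement. 'all' is treated as
    a superset of 'manage' at both cluster and index level.
    """
    index = signal_index_name(space)
    es = role_body.get("elasticsearch", {})
    problems = []

    cluster = set(es.get("cluster", []))
    if not cluster & {"manage", "all"}:
        problems.append("cluster: manage")

    # The index is covered if some entry grants manage (or all) and one of its
    # name patterns matches the space's signal index.
    covered = any(
        set(entry.get("privileges", [])) & {"manage", "all"}
        and any(fnmatchcase(index, pattern) for pattern in entry.get("names", []))
        for entry in es.get("indices", [])
    )
    if not covered:
        problems.append(f"index: manage on {index}")
    return problems


if __name__ == "__main__":
    # Constructed narrow role: only the 'siem' space's index, so other spaces fail.
    narrow = {"elasticsearch": {"cluster": ["manage"],
                                "indices": [{"names": [".siem-signals-siem"],
                                             "privileges": ["manage"]}]}}
    for space in ("siem", "default"):
        print(space, "glob role:", missing_privileges(ROLE_BODY, space),
              "narrow role:", missing_privileges(narrow, space))
```

Running the script shows the glob role passing for both spaces while the narrow role reports a missing index privilege for `default`, which is exactly the situation the glob recommendation avoids.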
Create index
Creates a signal index. The naming convention for the index is .siem-signals-<space name>.
Request URL
POST <kibana host>:<port>/api/detection_engine/index
Example request
Creates a signal index in the Kibana siem space:
POST s/siem/api/detection_engine/index
Response code
- 200 - Indicates a successful call.
Get index
Gets the signal index name if it exists.
Request URL
GET <kibana host>:<port>/api/detection_engine/index
Example request
Gets the signal index for the Kibana siem space:
GET s/siem/api/detection_engine/index
Response code
- 200 - Indicates a successful call.
- 404 - Indicates no index exists.
Example responses
Example response when the index exists:
{
  "name": ".siem-signals-siem"
}
Example response when no index exists:
{
  "statusCode": 404,
  "error": "Not Found",
  "message": "index for this space does not exist"
}
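The two calls documented above are normally combined into a get-or-create step in setup automation: call GET, and only if it returns the documented 404 call POST. The following is an added example (not code from the Kibana documentation or project) that does this with an injectable transport so it can be exercised offline, and that also checks an ILM policy document against the rollover settings given earlier on this page. The space URL prefix /s/<space>/ and the kbn-xsrf header are standard Kibana behaviour; the POST response body used by the constructed fake transport is an assumption, since the page only documents the status code.

```python
"""Get-or-create the signal index for a Kibana space via /api/detection_engine/index."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

# Transport signature: (method, url, json_body_or_None) -> (status_code, parsed_json)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]

# Rollover settings from the ILM policy documented on this page.
EXPECTED_ROLLOVER = {"max_size": "50gb", "max_age": "30d"}


def signal_index_name(space: str) -> str:
    """Naming convention from the page: .siem-signals-<space name>."""
    return f".siem-signals-{space}"


def index_endpoint(kibana_url: str, space: str) -> str:
    """Space-aware URL: Kibana prefixes non-default spaces with /s/<space>/."""
    base = kibana_url.rstrip("/")
    prefix = "" if space == "default" else f"/s/{space}"
    return f"{base}{prefix}/api/detection_engine/index"


def urllib_transport(auth_header: str) -> Transport:
    """Real transport. kbn-xsrf is required by Kibana on write requests."""
    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("kbn-xsrf", "true")
        req.add_header("Content-Type", "application/json")
        req.add_header("Authorization", auth_header)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send


def get_signal_index(transport: Transport, kibana_url: str, space: str) -> Optional[str]:
    """Return the signal index name, or None on the documented 404."""
    status, body = transport("GET", index_endpoint(kibana_url, space), None)
    if status == 200:
        return body["name"]
    if status == 404:
        return None
    raise RuntimeError(f"unexpected status {status}: {body}")


def ensure_signal_index(transport: Transport, kibana_url: str, space: str) -> Tuple[str, bool]:
    """Return (index_name, created). POST only when GET reported no index."""
    existing = get_signal_index(transport, kibana_url, space)
    if existing is not None:
        return existing, False
    status, body = transport("POST", index_endpoint(kibana_url, space), None)
    if status != 200:
        raise RuntimeError(f"create failed with status {status}: {body}")
    return signal_index_name(space), True


def ilm_policy_matches(policy_doc: dict) -> bool:
    """True if a policy document (shape as on this page) has the documented rollover."""
    rollover = (policy_doc.get("policy", {}).get("phases", {}).get("hot", {})
                .get("actions", {}).get("rollover", {}))
    return rollover == EXPECTED_ROLLOVER


def make_fake_transport(space: str) -> Transport:
    """Constructed offline stand-in: 404 until POST, then 200 with the index name."""
    state = {"exists": False}

    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        if method == "GET":
            if state["exists"]:
                return 200, {"name": signal_index_name(space)}
            return 404, {"statusCode": 404, "error": "Not Found",
                         "message": "index for this space does not exist"}
        if method == "POST":
            state["exists"] = True
            return 200, {"acknowledged": True}  # assumed body; page documents only 200
        return 405, {}
    return send


if __name__ == "__main__":
    fake = make_fake_transport("siem")
    print(ensure_signal_index(fake, "http://localhost:5601", "siem"))  # ('.siem-signals-siem', True)
    print(ensure_signal_index(fake, "http://localhost:5601", "siem"))  # ('.siem-signals-siem', False)
```

Against a live Kibana, replace `make_fake_transport(...)` with `urllib_transport("Basic ...")` for a user whose role meets the privilege requirement described at the top of this page; the get-or-create logic is unchanged.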