IMPORTANT: No additional bug fixes or documentation updates will be released for this version.
Create rule
editCreate rule
editCreates a new signal detection rule.
You can create two types of rules:
- Query-based rules, which search the defined indices and creates a signal when a document matches the rule’s query.
- Machine learning rules, which create a signal when a machine learning job discovers an anomaly above the defined threshold (see Anomaly Detection with Machine Learning).
To create machine learning rules, you must have the appropriate license or use a cloud deployment. Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running.
To retrieve machine learning job IDs, which are required to create machine learning jobs, call the
Elasticsearch Get jobs API. Machine learning jobs that contain siem in
the groups field can be used to create rules:
... "job_id": "linux_anomalous_network_activity_ecs", "job_type": "anomaly_detector", "job_version": "7.7.0", "groups": [ "auditbeat", "process", "siem" ], ...
Additionally, you can set up notifications for when rules create signals. The notifications use the Kibana Alerting and Actions framework. Each action type requires a connector. Connectors store the information required to send notifications via external systems. These action types are supported for rule notifications:
- Slack
- PagerDuty
- Webhook
For more information on PagerDuty fields, see PagerDuty Send a v2 Event API.
To retrieve connector IDs, which are required to configure rule notifications,
call GET <kibana host>:<port>/api/action/_find.
For detailed information on Kibana actions and alerting, and additional API calls, see:
Request URL
editPOST <kibana host>:<port>/api/detection_engine/rules
Request body
editA JSON object with these fields:
| Name | Type | Description | Required |
|---|---|---|---|
actions |
Array defining the automated actions (notifications) taken when signals are produced. |
No |
|
anomaly_threshold |
Integer |
Anomaly score threshold above which the rule
creates signals. Valid values are from |
Yes, for machine learning rules. Not
allowed in |
description |
String |
The rule’s description. |
Yes |
enabled |
Boolean |
Determines whether the rule is enabled. |
No, defaults to
|
false_positives |
String[] |
String array used to describe common reasons why the rule may issue false-positive signals. |
No, defaults to an empty array. |
filters |
Object[] |
The query and filter context array used to define the conditions for when signals are created from events. |
No, defaults to an empty array. |
from |
String |
Time from which data is analyzed each time the rule executes,
using a date math range. For example,
|
No, defaults to |
rule_id |
String |
Unique ID used to identify rules. For example, when a rule is converted from a third-party security solution. |
No, automatically created when it is not provided. |
index |
String[] |
Indices on which the rule functions. |
No. For query rules,
defaults to the SIEM indices defined on the Kibana Advanced Settings page
(Kibana → Management → Advanced Settings → |
interval |
String |
Frequency of rule execution, using a
date math range. For example, |
No, defaults to |
machine_learning_job_id |
String |
Machine learning job ID the rule monitors for anomaly scores. |
Yes, for machine learning rules. Not allowed in |
query |
String |
Query used by the rule to create a signal. |
No. For |
language |
String |
Determines the query language, which must be
|
No. For |
output_index |
String |
Index to which signals detected by the rule are saved. |
No, if unspecified signals are saved to |
saved_id |
String |
Kibana saved search used by the rule to create signals. |
Yes, for |
meta |
Object |
Placeholder for metadata about the rule. |
No |
risk_score |
Integer |
A numerical representation of the signal’s severity from 0 to 100, where:
|
Yes |
max_signals |
Integer |
Maximum number of signals the rule can create during a single execution. |
No, defaults to |
name |
String |
The rule’s name. |
Yes |
note |
String |
Notes to help investigate signals produced by the rule. |
No |
severity |
String |
Severity level of signals produced by the rule, which must be one of the following:
|
Yes |
tags |
String[] |
String array containing words and phrases to help categorize, filter, and search rules. |
No, defaults to an empty array. |
throttle |
String |
Determines how often actions are taken:
|
Yes, when actions are used to send notifications. |
type |
String |
Data type on which the rule is based:
|
Yes |
threat |
Object containing attack information about the type of threat the rule monitors, see ECS threat fields. |
No, defaults to an empty array. |
|
references |
String[] |
String array containing notes about or references to relevant information about the rule. |
No, defaults to an empty array. |
version |
Integer |
The rule’s version number. |
No, defaults to |
actions schema
edit| Name | Type | Description | Required |
|---|---|---|---|
action_type_id |
String |
The action type used for sending notifications, can be:
|
Yes |
group |
String |
Optionally groups actions by use cases. Use |
Yes |
id |
String |
The connector ID. |
Yes |
params |
Object |
Object containing the allowed connector fields, which varies according to the connector type:
|
Yes |
All text fields (such as message fields) can contain placeholders for rule
and signal details:
-
{{state.signals_count}}: Number of signals detected -
{{{context.results_link}}}: URL to the signals in Kibana -
{{context.rule.anomaly_threshold}}: Anomaly threshold score above which signals are generated (machine learning rules only) -
{{context.rule.description}}: Rule description -
{{context.rule.false_positives}}: Rule false positives -
{{context.rule.filters}}: Rule filters (query-based rules only) -
{{context.rule.id}}: Unique rule ID returned after creating the rule -
{{context.rule.index}}: Indices rule runs on (query-based rules only) -
{{context.rule.language}}: Rule query language (query-based rules only) -
{{context.rule.machine_learning_job_id}}: ID of associated machine learning job (machine learning rules only) -
{{context.rule.max_signals}}: Maximum allowed number of signals per rule execution -
{{context.rule.name}}: Rule name -
{{context.rule.output_index}}: Index to which signals are written -
{{context.rule.query}}: Rule query (query-based rules only) -
{{context.rule.references}}: Rule references -
{{context.rule.risk_score}}: Rule risk score -
{{context.rule.rule_id}}: Generated or user-defined rule ID that can be used as an identifier across systems -
{{context.rule.saved_id}}: Saved search ID -
{{context.rule.severity}}: Rule severity -
{{context.rule.threat}}: Rule threat framework -
{{context.rule.timeline_id}}: Associated timeline ID -
{{context.rule.timeline_title}}: Associated timeline name -
{{context.rule.type}}: Rule type -
{{context.rule.version}}: Rule version
threat schema
editOnly threats described using the MITRE ATT&CKTM framework are displayed in the UI (SIEM → Detections → Manage signal detection rules → <rule name>).
| Name | Type | Description | Required |
|---|---|---|---|
framework |
String |
Relevant attack framework. |
Yes |
tactic |
Object |
Object containing information on the attack type:
|
Yes |
technique |
Object |
Object containing information on the attack technique:
|
Yes |
Example requests
editExample 1
Query-based rule that searches for processes started by MS Office:
POST api/detection_engine/rules
{
"rule_id": "process_started_by_ms_office_program",
"risk_score": 50,
"description": "Process started by MS Office program - possible payload",
"interval": "1h",
"name": "MS Office child process",
"severity": "low",
"tags": [
"child process",
"ms office"
],
"type": "query",
"from": "now-70m",
"query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
"language": "kuery",
"filters": [
{
"query": {
"match": {
"event.action": {
"query": "Process Create (rule: ProcessCreate)",
"type": "phrase"
}
}
}
}
],
"enabled": false
}
|
The rule runs every hour. |
|
|
When the rule runs it analyzes data from 70 minutes before its start time. |
If the rule starts to run at 15:00, it analyzes data from 13:50 until 15:00. When it runs next, at 16:00, it will analyze data from 14:50 until 16:00.
Example 2
Machine learning rule that creates signals, and sends Slack notifications, when the
linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a
threshold of 70 or above:
POST api/detection_engine/rules
{
"anomaly_threshold": 70,
"rule_id": "ml_linux_network_high_threshold",
"risk_score": 70,
"machine_learning_job_id": "linux_anomalous_network_activity_ecs",
"description": "Generates signals when the job discovers anomalies over 70",
"interval": "5m",
"name": "Anomalous Linux network activity",
"note": "Shut down the internet.",
"severity": "high",
"tags": [
"machine learning",
"Linux"
],
"type": "machine_learning",
"from": "now-6m",
"enabled": true,
"throttle": "rule",
"actions": [
{
"action_type_id": ".slack",
"group": "default",
"id": "5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5",
"params": {
"message": "Urgent: {{context.rule.description}}"
}
}
]
}
Response code
edit-
200 - Indicates a successful call.
Response payload
editA JSON object that includes a unique ID, the time the rule was created, and its
version number. If the request payload did not include a rule_id field, a
unique rule ID is also generated.
Example response for a query-based rule:
{
"created_at": "2020-04-07T14:51:09.755Z",
"updated_at": "2020-04-07T14:51:09.970Z",
"created_by": "LiverpoolFC",
"description": "Process started by MS Office program - possible payload",
"enabled": false,
"false_positives": [],
"from": "now-70m",
"id": "6541b99a-dee9-4f6d-a86d-dbd1869d73b1",
"immutable": false,
"interval": "1h",
"rule_id": "process_started_by_ms_office_program",
"output_index": ".siem-signals-default",
"max_signals": 100,
"risk_score": 50,
"name": "MS Office child process",
"references": [],
"severity": "low",
"updated_by": "LiverpoolFC",
"tags": [
"child process",
"ms office"
],
"to": "now",
"type": "query",
"threat": [],
"version": 1,
"actions": [],
"filters": [
{
"query": {
"match": {
"event.action": {
"query": "Process Create (rule: ProcessCreate)",
"type": "phrase"
}
}
}
}
],
"throttle": "no_actions",
"query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
"language": "kuery"
}
Example response for a machine learning job rule:
{
"created_at": "2020-04-07T14:45:15.679Z",
"updated_at": "2020-04-07T14:45:15.892Z",
"created_by": "LiverpoolFC",
"description": "Generates signals when the job discovers anomalies over 70",
"enabled": true,
"false_positives": [],
"from": "now-6m",
"id": "83876f66-3a57-4a99-bf37-416494c80f3b",
"immutable": false,
"interval": "5m",
"rule_id": "ml_linux_network_high_threshold",
"output_index": ".siem-signals-default",
"max_signals": 100,
"risk_score": 70,
"name": "Anomalous Linux network activity",
"references": [],
"severity": "high",
"updated_by": "LiverpoolFC",
"tags": [
"machine learning",
"Linux"
],
"to": "now",
"type": "machine_learning",
"threat": [],
"version": 1,
"actions": [
{
"action_type_id": ".slack",
"group": "default",
"id": "5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5",
"params": {
"message": "Urgent: {{context.rule.description}}"
}
}
],
"throttle": "rule",
"note": "Shut down the internet.",
"status": "going to run",
"status_date": "2020-04-07T14:45:21.685Z",
"anomaly_threshold": 70,
"machine_learning_job_id": "linux_anomalous_network_activity_ecs"
}