IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Get ruleedit
Retrieves a single rule using the rule_id
or id
field.
Console supports only Elasticsearch APIs. Console doesn’t allow interactions with Kibana APIs. You must use curl
or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Request URLedit
GET <kibana host>:<port>/api/detection_engine/rules
URL query parametersedit
The URL query must include one of the following:
-
id
-GET /api/detection_engine/rules?id=<id>
-
rule_id
-GET /api/detection_engine/rules?rule_id=<rule_id>
Example requestedit
Retrieves the rule with an id
value of c41d170b-8ba6-4de6-b8ec-76440a35ace3
:
GET api/detection_engine/rules?id=c41d170b-8ba6-4de6-b8ec-76440a35ace3
Response codeedit
-
200
- Indicates a successful call.
Response payloadedit
The returned rule’s JSON object.
Example response:
{ "created_at": "2020-02-03T11:19:04.259Z", "updated_at": "2020-02-03T11:19:04.462Z", "created_by": "elastic", "description": "Process started by MS Office program in user folder", "enabled": false, "false_positives": [], "filters": [ { "query": { "match": { "event.action": { "query": "Process Create (rule: ProcessCreate)", "type": "phrase" } } } } ], "from": "now-4200s", "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3", "immutable": false, "interval": "1h", "rule_id": "process_started_by_ms_office_user_folder", "language": "kuery", "output_index": ".siem-signals-siem-test", "max_signals": 100, "risk_score": 21, "name": "MS Office child process", "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE", "references": [], "severity": "low", "updated_by": "elastic", "tags": [ "child process", "ms office" ], "to": "now-300s", "type": "query", "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0001", "reference": "https://attack.mitre.org/tactics/TA0001", "name": "Initial Access" }, "technique": [ { "id": "T1193", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1193" } ] } ], "version": 1 }