Update rule
Updates an existing signal detection rule.
You can use PUT or PATCH methods to update rules, where:
- PUT replaces the original rule and deletes fields that are not specified.
- PATCH updates the specified fields.
Request URL
PUT <kibana host>:<port>/api/detection_engine/rules
PATCH <kibana host>:<port>/api/detection_engine/rules
Request body
A JSON object with:
- The id or rule_id field of the rule you want to update.
- The fields you want to modify.
If you call PUT to update a rule, all unspecified fields are
deleted. You cannot modify the id or rule_id values.
For PATCH calls, any of the fields can be modified, whereas for PUT calls,
some fields are required.
| Name | Type | Description | Required (PUT calls) |
|---|---|---|---|
| description | String | The rule’s description. | Yes |
| enabled | Boolean | Determines whether the rule is enabled. | No, defaults to |
| false_positives | String[] | String array used to describe common reasons why the rule may issue false-positive signals. | No, defaults to an empty array. |
| filters | Object[] | The query and filter context array used to define the conditions for when signals are created from events. | No, defaults to an empty array. |
| from | String | Time from which data is analyzed each time the rule executes, using a date math range. For example, | No, defaults to |
| index | String[] | Indices on which the rule functions. | No, defaults to the SIEM indices defined on the Kibana Advanced Settings page (Kibana → Management → Advanced Settings → |
| interval | String | Frequency of rule execution, using a date math range. For example, | No, defaults to |
| query | String | Query used by the rule to create a signal. | No, defaults to an empty string. |
| language | String | Determines the query language, which must be | No, defaults to |
| output_index | String | Index to which signals detected by the rule are saved. | No, if unspecified signals are saved to |
| saved_id | String | Kibana saved search used by the rule to create signals. | Yes, for |
| meta | Object | Placeholder for metadata about the rule. | No |
| risk_score | Integer | A numerical representation of the signal’s severity from 0 to 100, where: | Yes |
| max_signals | Integer | Maximum number of signals the rule can create during a single execution. | No, defaults to |
| name | String | The rule’s name. | Yes |
| severity | String | Severity level of signals produced by the rule, which must be one of the following: | Yes |
| tags | String[] | String array containing words and phrases to help categorize, filter, and search rules. | No, defaults to an empty array. |
| type | String | Data type on which the rule is based: | Yes |
| threat | | Object containing attack information about the type of threat the rule monitors, see ECS threat fields. | No, defaults to an empty array. |
| references | String[] | String array containing notes about or references to relevant information about the rule. | No, defaults to an empty array. |
| version | Integer | The rule’s version number. If this is not provided, the rule’s version number is incremented by 1. | No |
threat schema
Only threats described using the MITRE ATT&CK™ framework are displayed in the UI (SIEM → Detections → Manage signal detection rules → <rule name>).
| Name | Type | Description |
|---|---|---|
| framework | String | Relevant attack framework. |
| tactic | Object | Object containing information on the attack type: |
| technique | Object | Object containing information on the attack technique: |
Example request
Updates the threat object:
```
PATCH api/detection_engine/rules
{
  "rule_id": "process_started_by_ms_office_program_possible_payload",
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0001",
        "reference": "https://attack.mitre.org/tactics/TA0001",
        "name": "Initial Access"
      },
      "technique": [
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "reference": "https://attack.mitre.org/techniques/T1193"
        }
      ]
    }
  ]
}
```
Response code
- 200: Indicates a successful call.
Response payload
The rule’s updated JSON object, including the time the rule was updated and an incremented version number.
Example response:
```
{
  "created_at": "2020-01-05T09:56:11.805Z",
  "updated_at": "2020-01-05T09:59:59.129Z",
  "created_by": "elastic",
  "description": "Process started by MS Office program - possible payload",
  "enabled": false,
  "false_positives": [],
  "filters": [
    {
      "query": {
        "match": {
          "event.action": {
            "query": "Process Create (rule: ProcessCreate)",
            "type": "phrase"
          }
        }
      }
    }
  ],
  "from": "now-6m",
  "id": "4f228868-9928-47e4-9785-9a1a9b520c7f",
  "interval": "5m",
  "rule_id": "process_started_by_ms_office_program_possible_payload",
  "language": "kuery",
  "output_index": ".siem-signals-default",
  "max_signals": 100,
  "risk_score": 50,
  "name": "MS Office child process",
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "references": [],
  "severity": "low",
  "updated_by": "elastic",
  "tags": [
    "child process",
    "ms office"
  ],
  "type": "query",
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0001",
        "reference": "https://attack.mitre.org/tactics/TA0001",
        "name": "Initial Access"
      },
      "technique": [
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "reference": "https://attack.mitre.org/techniques/T1193"
        }
      ]
    }
  ],
  "version": 2
}
```
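
Because a PUT deletes every field that is not specified, sending a body meant for PATCH through PUT can strip the query, filters, or tags from a detection rule. The pre-flight check below is an added example, not code from the Kibana project: `check_update`, `PUT_REQUIRED`, `SERVER_MANAGED`, and `CURRENT_RULE` are hypothetical names, the required-field set is taken from the table under Request body, and the list of server-managed fields is an assumption.

```python
# Added example: offline pre-flight check for an update body. No HTTP is sent.
# Fields the table marks "Yes" for PUT (conditional saved_id is not checked).
PUT_REQUIRED = {"description", "name", "risk_score", "severity", "type"}
# Assumption: these response fields are written by Kibana, not by the caller.
SERVER_MANAGED = {"created_at", "updated_at", "created_by", "updated_by", "version"}
IDENTIFIERS = {"id", "rule_id"}

# Constructed sample: a trimmed copy of the example response on this page.
CURRENT_RULE = {
    "id": "4f228868-9928-47e4-9785-9a1a9b520c7f",
    "rule_id": "process_started_by_ms_office_program_possible_payload",
    "description": "Process started by MS Office program - possible payload",
    "name": "MS Office child process",
    "risk_score": 50, "severity": "low", "type": "query",
    "query": "process.parent.name:WINWORD.EXE",  # shortened for the sample
    "filters": [{"query": {"match": {"event.action": "Process Create"}}}],
    "tags": ["child process", "ms office"],
    "false_positives": [], "version": 2, "updated_by": "elastic",
}


def check_update(method, body, current_rule):
    """Return {"errors": [...], "dropped": [...]} for a planned update.

    errors  - reasons the call should not be sent
    dropped - fields set on current_rule that a PUT would delete or reset
    """
    errors, dropped = [], []
    ids = IDENTIFIERS & set(body)
    if not ids:
        errors.append("body must carry id or rule_id")
    for key in sorted(ids):
        if body[key] != current_rule.get(key):
            errors.append(f"{key} does not match the rule being updated")
    if method == "PUT":
        missing = sorted(PUT_REQUIRED - set(body))
        if missing:
            errors.append("PUT missing required fields: " + ", ".join(missing))
        # PUT replaces the rule: whatever is set now and absent from the body is lost.
        for key, value in current_rule.items():
            skip = key in body or key in SERVER_MANAGED or key in IDENTIFIERS
            if not skip and value not in ([], "", None):
                dropped.append(key)
    elif method != "PATCH":
        errors.append(f"unsupported method {method}")
    return {"errors": errors, "dropped": sorted(dropped)}
```

Run it against the rule as currently stored before sending a PUT; a non-empty `dropped` list names the detection logic the call would remove.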