kibana_wip API documentation

Apr 2, 2025

Change #6ca522d2

2023-10-31

Breaking

Compare

8 structure changes including:

8 Modifications

Modified 8 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- QueryRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- SavedQueryRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThresholdRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThreatMatchRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- MachineLearningRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- NewTermsRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- EsqlRulePatchProps alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold, array-2 properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

Apr 2, 2025

Change #87c08f7b

2023-10-31

Breaking

Compare

8 structure changes including:

8 Modifications

Modified 8 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Added
- QueryRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Added
- SavedQueryRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Added
- ThresholdRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Added
- ThreatMatchRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Added
- MachineLearningRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Added
- NewTermsRulePatchFields alternative Modified
  - actions property Modified
    - jacek property Added
- EsqlRulePatchProps alternative Modified
  - actions property Modified
    - jacek property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Added
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Added
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Added
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Added
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Added
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Added
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold, array-2 properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Added
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - jacek property Added

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - jacek property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

Mar 28, 2025

Change #5c2a052b

2023-10-31

Breaking

Compare

8 structure changes including:

8 Modifications

Modified 8 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- QueryRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- SavedQueryRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- ThresholdRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- ThreatMatchRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- MachineLearningRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- NewTermsRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- EsqlRulePatchProps alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- QueryRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- SavedQueryRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- ThresholdRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- ThreatMatchRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- MachineLearningRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- NewTermsRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- EsqlRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold, array-2 properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- QueryRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- SavedQueryRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- ThresholdRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- ThreatMatchRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- MachineLearningRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- NewTermsRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
- EsqlRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified

Mar 28, 2025

Change #5bc3ace0

2023-10-31

Breaking

Compare

8 structure changes including:

8 Modifications

Modified 8 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- QueryRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- SavedQueryRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- ThresholdRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- ThreatMatchRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- MachineLearningRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- NewTermsRulePatchFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- EsqlRulePatchProps alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- QueryRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- SavedQueryRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- ThresholdRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- ThreatMatchRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- MachineLearningRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- NewTermsRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- EsqlRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold, array-2 properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- QueryRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- SavedQueryRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- ThresholdRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- ThreatMatchRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- MachineLearningRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- NewTermsRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
- EsqlRuleCreateFields alternative Modified
  - exceptions_list property Modified
    - list_id property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - list_id_jacek property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - QueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - SavedQueryRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThresholdRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - ThreatMatchRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - MachineLearningRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - NewTermsRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - EsqlRuleResponseFields alternative Modified
    - exceptions_list property Modified
    - required_fields_jacek property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking

Mar 28, 2025

Change #614615ae

2023-10-31

Compare

7 structure changes including:

7 Modifications

Modified 7

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - QueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThresholdRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - NewTermsRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - EsqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - QueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThresholdRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - NewTermsRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - EsqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - QueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThresholdRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - NewTermsRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - EsqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added

POST /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - QueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThresholdRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - NewTermsRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - EsqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

PUT /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - QueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThresholdRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - NewTermsRuleResponseFields alternative Modified
    - required_fields_jacek property Added
  - EsqlRuleResponseFields alternative Modified
    - required_fields_jacek property Added

Mar 28, 2025

Change #de37c03f

2023-10-31

Breaking

Compare

8 structure changes including:

8 Modifications

Modified 8 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- QueryRulePatchFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- SavedQueryRulePatchFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- ThresholdRulePatchFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- ThreatMatchRulePatchFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- MachineLearningRulePatchFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- NewTermsRulePatchFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- EsqlRulePatchProps alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- QueryRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- SavedQueryRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- ThresholdRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- ThreatMatchRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- MachineLearningRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- NewTermsRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- EsqlRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold, array-2 properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- QueryRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- SavedQueryRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- ThresholdRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- ThreatMatchRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- MachineLearningRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- NewTermsRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
- EsqlRuleCreateFields alternative Modified
  - required_fields property Modified
    - name-jacek2 property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

Mar 28, 2025

Change #d0fdf3c7

2023-10-31

Breaking

Compare

8 structure changes including:

8 Modifications

Modified 8 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- QueryRulePatchFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- SavedQueryRulePatchFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- ThresholdRulePatchFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- ThreatMatchRulePatchFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- MachineLearningRulePatchFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- NewTermsRulePatchFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- EsqlRulePatchProps alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- QueryRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- SavedQueryRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- ThresholdRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- ThreatMatchRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- MachineLearningRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- NewTermsRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- EsqlRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold, array-2 properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- QueryRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- SavedQueryRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- ThresholdRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- ThreatMatchRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- MachineLearningRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- NewTermsRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
- EsqlRuleCreateFields alternative Modified
  - required_fields property Modified
    - name property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
    - name-jacek2 property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - required_fields property Modified
  - QueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThresholdRuleResponseFields alternative Modified
    - required_fields property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - required_fields property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - required_fields property Modified
  - NewTermsRuleResponseFields alternative Modified
    - required_fields property Modified
  - EsqlRuleResponseFields alternative Modified
    - required_fields property Modified

Mar 28, 2025

Change #6dc3e6bd

2023-10-31

Breaking

Compare

8 structure changes including:

8 Modifications

Modified 8 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRulePatchProps alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules/_bulk_action

Body
application/json content type Modified
- BulkEditRules alternative Modified
  - edit property Modified
    - BulkActionEditPayloadRuleActions alternative Modified
Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold, array-2 properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

Mar 19, 2025

Change #3729c3d7

2023-10-31

Compare

5 structure changes including:

5 Removals

Removed 5

DELETE /api/detection_engine/rules/_bulk_delete

PATCH /api/detection_engine/rules/_bulk_update

POST /api/detection_engine/rules/_bulk_create

POST /api/detection_engine/rules/_bulk_delete

PUT /api/detection_engine/rules/_bulk_update

Mar 17, 2025

Change #f2700e38

2023-10-31

Breaking

Compare

13 structure changes including:

13 Modifications

Modified 13 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

DELETE /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- QueryRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- SavedQueryRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThresholdRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThreatMatchRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- MachineLearningRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- NewTermsRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- EsqlRulePatchProps alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

PATCH /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- QueryRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- SavedQueryRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- ThresholdRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- ThreatMatchRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- MachineLearningRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- NewTermsRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- EsqlRulePatchProps alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- QueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- SavedQueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThresholdRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThreatMatchRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- MachineLearningRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- NewTermsRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- EsqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/_bulk_create

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- QueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- SavedQueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- ThresholdRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- ThreatMatchRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- MachineLearningRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- NewTermsRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- EsqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

POST /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold property Added
  - machine_learning_job_id property Added
    - string-1, array-2 properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- QueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- SavedQueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThresholdRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- ThreatMatchRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- MachineLearningRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- NewTermsRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
- EsqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

PUT /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- QueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- SavedQueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- ThresholdRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- ThreatMatchRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- MachineLearningRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- NewTermsRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
- EsqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Removed
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

Mar 14, 2025

Change #6f800d29

2023-10-31

Breaking

Compare

13 structure changes including:

13 Modifications

Modified 13 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

DELETE /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- QueryRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- SavedQueryRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThresholdRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThreatMatchRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- MachineLearningRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- NewTermsRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- EsqlRulePatchProps alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

PATCH /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- QueryRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- SavedQueryRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThresholdRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThreatMatchRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- MachineLearningRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- NewTermsRulePatchFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- EsqlRulePatchProps alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- QueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- SavedQueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThresholdRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThreatMatchRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- MachineLearningRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- NewTermsRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- EsqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/_bulk_create

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- QueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- SavedQueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThresholdRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThreatMatchRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- MachineLearningRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- NewTermsRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- EsqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

POST /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold property Added
  - machine_learning_job_id property Added
    - string-1, array-2 properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - related_integrations property Modified
    - jacek_param property Added

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- QueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- SavedQueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThresholdRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThreatMatchRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- MachineLearningRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- NewTermsRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- EsqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

PUT /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- QueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- SavedQueryRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThresholdRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- ThreatMatchRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- MachineLearningRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- NewTermsRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
- EsqlRuleCreateFields alternative Modified
  - related_integrations property Modified
    - jacek_param property Added
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - related_integrations property Modified
  - QueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThresholdRuleResponseFields alternative Modified
    - related_integrations property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - related_integrations property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - related_integrations property Modified
  - NewTermsRuleResponseFields alternative Modified
    - related_integrations property Modified
  - EsqlRuleResponseFields alternative Modified
    - related_integrations property Modified

Mar 11, 2025

Change #8bc6cc8a

2023-10-31

Breaking

Compare

13 structure changes including:

13 Modifications

Modified 13 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

DELETE /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - NewTermsRuleResponseFields alternative Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- NewTermsRulePatchFields alternative Modified
  - history_window_start property Modified
    - Type is now string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

PATCH /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- NewTermsRulePatchFields alternative Modified
  - history_window_start property Modified
    - Type is now string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

POST /api/detection_engine/rules

Body
application/json content type Modified
- NewTermsRuleCreateFields alternative Modified
  - history_window_start property Modified
    - Type is now string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/_bulk_create

Body
application/json content type Modified
- NewTermsRuleCreateFields alternative Modified
  - history_window_start property Modified
    - Type is now string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

POST /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold property Added
  - machine_learning_job_id property Added
    - string-1, array-2 properties Added
- RulePreviewParams alternative Modified
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added

PUT /api/detection_engine/rules

Body
application/json content type Modified
- NewTermsRuleCreateFields alternative Modified
  - history_window_start property Modified
    - Type is now string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

PUT /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- NewTermsRuleCreateFields alternative Modified
  - history_window_start property Modified
    - Type is now string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - history_window_start property Modified
      - Type is now string(nonempty)

Mar 11, 2025

Change #42abcb07

2023-10-31

Breaking

Compare

13 structure changes including:

13 Modifications

Modified 13 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)
        Breaking

DELETE /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)
        Breaking

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - NewTermsRuleResponseFields alternative Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- NewTermsRulePatchFields alternative Modified
  - HistoryWindowStart property Modified
    - Type is no longer string(nonempty)
      Breaking
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)
        Breaking

PATCH /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- NewTermsRulePatchFields alternative Modified
  - HistoryWindowStart property Modified
    - Type is no longer string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)

POST /api/detection_engine/rules

Body
application/json content type Modified
- NewTermsRuleCreateFields alternative Modified
  - HistoryWindowStart property Modified
    - Type is no longer string(nonempty)
      Breaking
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)
        Breaking

POST /api/detection_engine/rules/_bulk_action

Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/_bulk_create

Body
application/json content type Modified
- NewTermsRuleCreateFields alternative Modified
  - HistoryWindowStart property Modified
    - Type is no longer string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)

POST /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold property Added
  - machine_learning_job_id property Added
    - string-1, array-2 properties Added
- RulePreviewParams alternative Modified
  - language property Modified
    - Property is no longer required
  - HistoryWindowStart, new_terms_fields, data_view_id, filters, index properties Added

PUT /api/detection_engine/rules

Body
application/json content type Modified
- NewTermsRuleCreateFields alternative Modified
  - HistoryWindowStart property Modified
    - Type is no longer string(nonempty)
      Breaking
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)
        Breaking

PUT /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- NewTermsRuleCreateFields alternative Modified
  - HistoryWindowStart property Modified
    - Type is no longer string(nonempty)
Response
200 response Modified
- application/json content type Modified
  - NewTermsRuleResponseFields alternative Modified
    - HistoryWindowStart property Modified
      - Type is no longer string(nonempty)

Mar 5, 2025

Change #247f2cf1

2023-10-31

Compare

5 structure changes including:

5 Additions

Added 5

DELETE /api/detection_engine/rules/_bulk_delete

PATCH /api/detection_engine/rules/_bulk_update

POST /api/detection_engine/rules/_bulk_create

POST /api/detection_engine/rules/_bulk_delete

PUT /api/detection_engine/rules/_bulk_update

Mar 4, 2025

Change #a0471700

2023-10-31

Compare

5 structure changes including:

5 Removals

Removed 5

DELETE /api/detection_engine/rules/_bulk_delete

PATCH /api/detection_engine/rules/_bulk_update

POST /api/detection_engine/rules/_bulk_create

POST /api/detection_engine/rules/_bulk_delete

PUT /api/detection_engine/rules/_bulk_update

Feb 25, 2025

Change #d745141b

2023-10-31

Compare

1 structure change including:

1 Modification

Modified 1

POST /api/detection_engine/rules/_bulk_create

Operation is no longer In v9.0.0, this API will be deprecated. Use the POST /api/detection_engine/rules/_create API instead.

Feb 25, 2025

Change #fe48a2cd

2023-10-31

Compare

1 structure change including:

1 Modification

Modified 1

POST /api/detection_engine/rules/_bulk_create

Operation is now In v9.0.0, this API will be deprecated. Use the POST /api/detection_engine/rules/_create API instead.
Operation is no longer In v9.0.0, this API will be deprecated. Use the POST /api/detection_engine/rules/_create API instead.

Feb 25, 2025

Change #55f531f0

2023-10-31

Compare

2 structure changes including:

2 Modifications

Modified 2

POST /api/detection_engine/rules

Operation is no longer Jacek In v9.0.0, this API will be deprecated. Use the POST /api/detection_engine/rules/_create API instead.

POST /api/detection_engine/rules/_bulk_create

Operation is now In v9.0.0, this API will be deprecated. Use the POST /api/detection_engine/rules/_create API instead.

Feb 25, 2025

Change #af5951b3

2023-10-31

Compare

1 structure change including:

1 Modification

Modified 1

POST /api/detection_engine/rules

Operation is now Jacek In v9.0.0, this API will be deprecated. Use the POST /api/detection_engine/rules/_create API instead.

Feb 17, 2025

Change #d5a71805

2023-10-31

Breaking

Compare

13 structure changes including:

13 Modifications

Modified 13 Breaking

DELETE /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

DELETE /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

GET /api/detection_engine/rules

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

GET /api/detection_engine/rules/_find

Response
200 response Modified
- application/json content type Modified
  - data property Modified
    - EqlRuleResponseFields, QueryRuleResponseFields, SavedQueryRuleResponseFields, ThresholdRuleResponseFields, ThreatMatchRuleResponseFields, MachineLearningRuleResponseFields, NewTermsRuleResponseFields, EsqlRuleResponseFields alternatives Modified

PATCH /api/detection_engine/rules

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRulePatchProps alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

PATCH /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- EqlRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRulePatchFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRulePatchProps alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules/_bulk_action

Body
application/json content type Modified
- BulkEditRules alternative Modified
  - edit property Modified
    - BulkActionEditPayloadRuleActions alternative Modified
Response
200 response Modified
- application/json content type Modified
  - BulkEditActionResponse alternative Modified
    - attributes property Modified

POST /api/detection_engine/rules/_bulk_create

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules/_bulk_delete

Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

POST /api/detection_engine/rules/preview

Body
application/json content type Modified
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - data_view_id, event_category_override, filters, index, tiebreaker_field, timestamp_field properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - language, query properties Modified
    - Properties are no longer required
  - data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - query, language properties Modified
    - Properties are no longer required
  - saved_id, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - alert_suppression property Modified
    - duration property Modified
      - Property is now required
        Breaking
    - group_by, missing_fields_strategy properties Removed
      - Removing a resource is always breaking unless it was deprecated before
        Breaking
  - language property Modified
    - Property is no longer required
  - threshold, data_view_id, filters, index, saved_id properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - language property Modified
    - Property is no longer required
  - threat_index, threat_mapping, threat_query, concurrent_searches, data_view_id, filters, index, items_per_search, saved_id, threat_filters, threat_indicator_path, threat_language properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - language, query properties Removed
    - Removing a resource is always breaking unless it was deprecated before
      Breaking
  - anomaly_threshold property Added
  - machine_learning_job_id property Added
    - string-1, array-2 properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified
  - language property Modified
    - Property is no longer required
  - history_window_start, new_terms_fields, data_view_id, filters, index properties Added
- RulePreviewParams alternative Modified
  - actions property Modified
    - alerts_filter property Modified

PUT /api/detection_engine/rules

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

PUT /api/detection_engine/rules/_bulk_update

Body
application/json content type Modified
- EqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- QueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- SavedQueryRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThresholdRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- ThreatMatchRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- MachineLearningRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- NewTermsRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
- EsqlRuleCreateFields alternative Modified
  - actions property Modified
    - alerts_filter property Modified
Response
200 response Modified
- application/json content type Modified
  - EqlRuleResponseFields alternative Modified
    - actions property Modified
  - QueryRuleResponseFields alternative Modified
    - actions property Modified
  - SavedQueryRuleResponseFields alternative Modified
    - actions property Modified
  - ThresholdRuleResponseFields alternative Modified
    - actions property Modified
  - ThreatMatchRuleResponseFields alternative Modified
    - actions property Modified
  - MachineLearningRuleResponseFields alternative Modified
    - actions property Modified
  - NewTermsRuleResponseFields alternative Modified
    - actions property Modified
  - EsqlRuleResponseFields alternative Modified
    - actions property Modified

Do not miss any kibana_wip API changes, ever again

Changelog

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed

API structure has changed