# Retrieve a detection rule **GET /api/detection_engine/rules** Retrieve a detection rule using the `rule_id` or `id` field. The URL query must include one of the following: * `id` - `GET /api/detection_engine/rules?id=` * `rule_id` - `GET /api/detection_engine/rules?rule_id=` The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. ## Servers - http://localhost:5601: http://localhost:5601 () ## Authentication methods - Basic auth ## Parameters ### Query parameters - **id** (string(uuid)) The rule's `id` value. - **rule_id** (string) The rule's `rule_id` value. ## Responses ### 200 Indicates a successful call. > info > These fields are under development and their usage or schema may change: execution_summary. #### Body: application/json (object) - **actions** (array[object]) Array defining the automated actions (notifications) taken when alerts are generated. - **alias_purpose** (string) - **alias_target_id** (string) - **author** (array[string]) The rule’s author. - **building_block_type** (string) Determines if the rule acts as a building block. If yes, the value must be `default`. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to [About building block rules](https://www.elastic.co/guide/en/security/current/building-block-rule.html). - **description** (string) The rule’s description. - **enabled** (boolean) Determines whether the rule is enabled. Defaults to true. - **exceptions_list** (array[object]) - **false_positives** (array[string]) String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. - **from** (string(date-math)) Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). - **interval** (string) Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). - **investigation_fields** (object) Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. - **license** (string) The rule's license. - **max_signals** (integer) Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-ui-advanced-params) value). > info > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. - **meta** (object) Placeholder for metadata about the rule. > info > This field is overwritten when you save changes to the rule’s settings. - **name** (string) A human-readable name for the rule. - **namespace** (string) Has no effect. - **note** (string) Notes to help investigate alerts produced by the rule. - **outcome** (string) - **output_index** (string) (deprecated) Has no effect. - **references** (array[string]) Array containing notes about or references to relevant information about the rule. Defaults to an empty array. - **related_integrations** (array[object]) - **required_fields** (array[object]) Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. - **response_actions** (array[object]) - **risk_score** (integer) A numerical representation of the alert's severity from 0 to 100, where: * `0` - `21` represents low severity * `22` - `47` represents medium severity * `48` - `73` represents high severity * `74` - `100` represents critical severity - **risk_score_mapping** (array[object]) Overrides generated alerts' risk_score with a value from the source event - **rule_name_override** (string) Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. - **setup** (string) Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. - **severity** (string) Severity level of alerts produced by the rule, which must be one of the following: * `low`: Alerts that are of interest but generally not considered to be security incidents * `medium`: Alerts that require investigation * `high`: Alerts that require immediate investigation * `critical`: Alerts that indicate it is highly likely a security incident has occurred - **severity_mapping** (array[object]) Overrides generated alerts' severity with values from the source event - **tags** (array[string]) String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. - **threat** (array[object]) - **throttle** (string | null) Defines how often rule actions are taken. - **timeline_id** (string) Timeline template ID - **timeline_title** (string) Timeline template title - **timestamp_override** (string) Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. - **timestamp_override_fallback_disabled** (boolean) Disables the fallback to the event's @timestamp field - **to** (string) - **version** (integer) The rule's version number. - **created_at** (string(date-time)) - **created_by** (string) - **execution_summary** (object) Summary of the last execution of a rule. > info > This field is under development and its usage or schema may change - **id** (string(uuid)) A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. - **immutable** (boolean) This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. - **revision** (integer) - **rule_id** (string) A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. - **rule_source** (object) Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. - **updated_at** (string(date-time)) - **updated_by** (string) - **language** (string) Query language to use - **query** (string) [Query](https://www.elastic.co/guide/en/kibana/8.17/search.html) used by the rule to create alerts. - For indicator match rules, only the query’s results are used to determine whether an alert is generated. - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) rules for more information. - **type** (string) Rule type - **alert_suppression** (object) Defines alert suppression configuration. - **data_view_id** (string) - **event_category_override** (string) - **filters** (array) The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. > info > This field is not supported for ES|QL rules. - **index** (array[string]) Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). > info > This field is not supported for ES|QL rules. - **tiebreaker_field** (string) Sets a secondary field for sorting events - **timestamp_field** (string) Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. [Powered by Bump.sh](https://bump.sh)