Apply a bulk action to detection rules
Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions, and schedules for multiple rules at once.
The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes.
When used with API key authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
Query parameters
-
Enables dry run mode for the request call.
Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information.
To enable dry run mode on a request, add the query parameter
dry_run=trueto the end of the request URL. Rules specified in the request will be temporarily updated. These updates won’t be written to Elasticsearch.Dry run mode is not supported for the
exportbulk action. A 400 error will be returned in the request response.
Body
object
-
Value is
duplicate. -
Duplicate object that describes applying an update action.
-
Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
At least
1element. -
Query to filter rules.
-
Value is
run. -
Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
At least
1element. -
Query to filter rules.
-
Object that describes applying a manual rule run action.
-
Value is
edit. -
Array of objects containing the edit operations
At least
1element.Any of: Edits tags of rules.
add_tagsadds tags to rules. If a tag already exists for a rule, no changes are made.delete_tagsremoves tags from rules. If a tag does not exist for a rule, no changes are made.set_tagssets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.
Edits index patterns of rulesClient.
add_index_patternsadds index patterns to rules. If an index pattern already exists for a rule, no changes are made.delete_index_patternsremoves index patterns from rules. If an index pattern does not exist for a rule, no changes are made.set_index_patternssets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.
Hide attributes Show attributes
-
Resets the data view for the rule.
-
Values are
add_index_patterns,delete_index_patterns, orset_index_patterns. -
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
Edits investigation fields of rules.
add_investigation_fieldsadds investigation fields to rules. If an investigation field already exists for a rule, no changes are made.delete_investigation_fieldsremoves investigation fields from rules. If an investigation field does not exist for a rule, no changes are made.set_investigation_fieldssets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made.
Hide attributes Show attributes
-
Values are
add_investigation_fields,delete_investigation_fields, orset_investigation_fields. -
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
Edits timeline of rules.
set_timelinesets a timeline for rules. If the same timeline already exists for a rule, no changes are made.
Edits rule actions of rules.
add_rule_actionsadds rule actions to rules. If a rule action already exists for a rule, no changes are made.set_rule_actionssets rule actions for rules. If the set of rule actions is the same as the existing rule actions, no changes are made.
Hide attributes Show attributes
-
Values are
add_rule_actionsorset_rule_actions. -
Hide value attributes Show value attributes object
-
Hide actions attributes Show actions attributes object
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
-
Defines the maximum interval in which a rule’s actions are executed.
The rule level
throttlefield is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. In Elastic Security 8.8 and later, you can use thefrequencyfield to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’sthrottlefield. In the response, the convertedthrottlesetting appears in the individual actions'frequencyfield.Values are
rule,1h,1d, or7d.
-
Overwrites schedule of rules.
set_schedulesets a schedule for rules. If the same schedule already exists for a rule, no changes are made.
Both interval and lookback have a format of "{integer}{time_unit}", where accepted time units are s for seconds, m for minutes, and h for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h"
Hide attributes Show attributes
-
Value is
set_schedule. -
Hide value attributes Show value attributes object
-
Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
At least
1element. -
Query to filter rules.
Responses
-
OK
One of: Hide attributes Show attributes
-
Hide attributes attributes Show attributes attributes object
-
Hide errors attributes Show errors attributes object
-
Values are
IMMUTABLE,PREBUILT_CUSTOMIZATION_LICENSE,MACHINE_LEARNING_AUTH,MACHINE_LEARNING_INDEX_PATTERN,ESQL_INDEX_PATTERN,MANUAL_RULE_RUN_FEATURE, orMANUAL_RULE_RUN_DISABLED_RULE.
-
-
Hide results attributes Show results attributes object
-
Any of: Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Query language to use
Value is
eql. -
The query to execute
-
Rule type
Value is
eql. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Sets a secondary field for sorting events
-
Contains the event timestamp used for sorting a sequence of events. This is different from timestamp_override, which is used for querying events within a range. Defaults to the @timestamp ECS field.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Rule type
Value is
query. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Kibana saved search used by the rule to create alerts.
-
Values are
kueryorlucene. -
The query to execute
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Kibana saved search used by the rule to create alerts.
-
Rule type
Value is
saved_query. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
The query to execute
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
The query to execute
-
Hide threshold attributes Show threshold attributes object
-
The field on which the cardinality is applied.
-
The threshold value from which an alert is generated.
Minimum value is
1.
-
-
Rule type
Value is
threshold. -
Defines alert suppression configuration.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Kibana saved search used by the rule to create alerts.
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
The query to execute
-
Elasticsearch indices used to check which field values generate alerts.
-
Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:
- field: field from the event indices on which the rule runs
- type: must be mapping
- value: field from the Elasticsearch threat index
You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both
andandorlogic.At least
1element.Hide threat_mapping attribute Show threat_mapping attribute object
-
Hide entries attributes Show entries attributes object
-
Query used to determine which fields in the Elasticsearch index are used for generating alerts.
-
Rule type
Value is
threat_match. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
Minimum value is
1. -
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Minimum value is
1. -
Kibana saved search used by the rule to create alerts.
-
Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
-
Defines the path to the threat indicator in the indicator documents (optional)
-
Values are
kueryorlucene. -
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Anomaly score threshold above which the rule creates an alert.
Minimum value is
0, maximum value is100. -
Rule type
Value is
machine_learning. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
Minimum length is
1. -
Fields to monitor for new values.
At least
1but not more than3elements. -
The query to execute
-
Rule type
Value is
new_terms. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
Value is
esql. -
The query to execute
-
Rule type
Value is
esql.
-
-
Any of: Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Query language to use
Value is
eql. -
The query to execute
-
Rule type
Value is
eql. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Sets a secondary field for sorting events
-
Contains the event timestamp used for sorting a sequence of events. This is different from timestamp_override, which is used for querying events within a range. Defaults to the @timestamp ECS field.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Rule type
Value is
query. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Kibana saved search used by the rule to create alerts.
-
Values are
kueryorlucene. -
The query to execute
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Kibana saved search used by the rule to create alerts.
-
Rule type
Value is
saved_query. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
The query to execute
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
The query to execute
-
Hide threshold attributes Show threshold attributes object
-
The field on which the cardinality is applied.
-
The threshold value from which an alert is generated.
Minimum value is
1.
-
-
Rule type
Value is
threshold. -
Defines alert suppression configuration.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Kibana saved search used by the rule to create alerts.
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
The query to execute
-
Elasticsearch indices used to check which field values generate alerts.
-
Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:
- field: field from the event indices on which the rule runs
- type: must be mapping
- value: field from the Elasticsearch threat index
You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both
andandorlogic.At least
1element.Hide threat_mapping attribute Show threat_mapping attribute object
-
Hide entries attributes Show entries attributes object
-
Query used to determine which fields in the Elasticsearch index are used for generating alerts.
-
Rule type
Value is
threat_match. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
Minimum value is
1. -
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Minimum value is
1. -
Kibana saved search used by the rule to create alerts.
-
Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
-
Defines the path to the threat indicator in the indicator documents (optional)
-
Values are
kueryorlucene. -
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Anomaly score threshold above which the rule creates an alert.
Minimum value is
0, maximum value is100. -
Rule type
Value is
machine_learning. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
Minimum length is
1. -
Fields to monitor for new values.
At least
1but not more than3elements. -
The query to execute
-
Rule type
Value is
new_terms. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
Value is
esql. -
The query to execute
-
Rule type
Value is
esql.
-
-
Any of: Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Query language to use
Value is
eql. -
The query to execute
-
Rule type
Value is
eql. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Sets a secondary field for sorting events
-
Contains the event timestamp used for sorting a sequence of events. This is different from timestamp_override, which is used for querying events within a range. Defaults to the @timestamp ECS field.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Rule type
Value is
query. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Kibana saved search used by the rule to create alerts.
-
Values are
kueryorlucene. -
The query to execute
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Kibana saved search used by the rule to create alerts.
-
Rule type
Value is
saved_query. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
The query to execute
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
The query to execute
-
Hide threshold attributes Show threshold attributes object
-
The field on which the cardinality is applied.
-
The threshold value from which an alert is generated.
Minimum value is
1.
-
-
Rule type
Value is
threshold. -
Defines alert suppression configuration.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Kibana saved search used by the rule to create alerts.
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
The query to execute
-
Elasticsearch indices used to check which field values generate alerts.
-
Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:
- field: field from the event indices on which the rule runs
- type: must be mapping
- value: field from the Elasticsearch threat index
You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both
andandorlogic.At least
1element.Hide threat_mapping attribute Show threat_mapping attribute object
-
Hide entries attributes Show entries attributes object
-
Query used to determine which fields in the Elasticsearch index are used for generating alerts.
-
Rule type
Value is
threat_match. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
Minimum value is
1. -
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Minimum value is
1. -
Kibana saved search used by the rule to create alerts.
-
Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
-
Defines the path to the threat indicator in the indicator documents (optional)
-
Values are
kueryorlucene. -
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Anomaly score threshold above which the rule creates an alert.
Minimum value is
0, maximum value is100. -
Rule type
Value is
machine_learning. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
Minimum length is
1. -
Fields to monitor for new values.
At least
1but not more than3elements. -
The query to execute
-
Rule type
Value is
new_terms. -
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
This field is not supported for ES|QL rules.
-
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → securitySolution:defaultIndex).
This field is not supported for ES|QL rules.
-
Values are
kueryorlucene.
Hide attributes Show attributes
-
Array defining the automated actions (notifications) taken when alerts are generated.
Array defining the automated actions (notifications) taken when alerts are generated
Hide actions attributes Show actions attributes object
-
The action type used for sending notifications, can be:
- .slack
- .slack_api
- .index
- .pagerduty
- .swimlane
- .webhook
- .servicenow
- .servicenow-itom
- .servicenow-sir
- .jira
- .resilient
- .opsgenie
- .teams
- .torq
- .tines
- .d3security
-
Object containing an action’s conditional filters.
Hide alerts_filter attributes Show alerts_filter attributes object
-
Object containing a query filter which gets applied to an action and determines whether the action should run.
-
Object containing the time frame for when this action can be run.
Hide timeframe attributes Show timeframe attributes object
-
List of days of the week on which this action can be run. Days of the week are expressed as numbers between
1-7, where1is Monday and7is Sunday. To select all days of the week, enter an empty array. -
The hours of the day during which this action can run. Hours of the day are expressed as two strings in the format
hh:mmin24hour time. A start of00:00and an end of24:00means the action can run all day. -
An ISO timezone name, such as
Europe/MadridorAmerica/New_York. Specific offsets such as UTC or UTC+1 will also work, but lack built-in DST.
-
-
-
The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
Hide frequency attributes Show frequency attributes object
-
Defines how often rules run actions.
Values are
onActiveAlert,onThrottleInterval, oronActionGroupChange. -
Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
-
-
Optionally groups actions by use cases. Use
defaultfor alert notifications. -
The connector ID.
-
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- message (string, required): The notification message.
For email:
- to, cc, bcc (string): Email addresses to which the notifications are sent. At least one field must have a value.
- subject (string, optional): Email subject line.
For Webhook:
- body (string, required): JSON payload.
For PagerDuty:
- severity (string, required): Severity of on the alert notification, can be: Critical, Error, Warning or Info.
- eventAction (string, required): Event action type, which can be trigger, resolve, or acknowledge.
- dedupKey (string, optional): Groups alert notifications with the same PagerDuty alert.
- timestamp (DateTime, optional): ISO-8601 format timestamp.
- component (string, optional): Source machine component responsible for the event, for example security-solution.
- group (string, optional): Enables logical grouping of service components.
- source (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- summary (string, options): Summary of the event. Defaults to No summary provided. Maximum length is 1024 characters.
- class (string, optional): Value indicating the class/type of the event.
Additional properties are allowed.
-
A string that does not contain only whitespace characters
Minimum length is
1.
-
-
Values are
savedObjectConversionorsavedObjectImport. -
The rule’s author.
-
Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
-
The rule’s description.
Minimum length is
1. -
Determines whether the rule is enabled. Defaults to true.
-
Array of exception containers, which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
Hide exceptions_list attributes Show exceptions_list attributes object
-
ID of the exception container
Minimum length is
1. -
List ID of the exception container
Minimum length is
1. -
Determines the exceptions validity in rule's Kibana space
Values are
agnosticorsingle. -
The exception type
Values are
detection,rule_default,endpoint,endpoint_trusted_apps,endpoint_events,endpoint_host_isolation_exceptions, orendpoint_blocklists.
-
-
String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
-
Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
-
Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
-
Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert.
-
The rule's license.
-
Maximum number of alerts the rule can create during a single run. Defaults to 100.
This setting can be superseded by the Kibana configuration setting
xpack.alerting.rules.run.alerts.max, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, ifxpack.alerting.rules.run.alerts.maxis set to 1000, the rule can generate no more than 1000 alerts even ifmax_signalsis set higher.Minimum value is
1. -
Placeholder for metadata about the rule.
This field is overwritten when you save changes to the rule’s settings.
Additional properties are allowed.
-
The rule’s name.
Minimum length is
1. -
Has no effect.
-
Notes to help investigate alerts produced by the rule.
-
Values are
exactMatch,aliasMatch, orconflict. -
(deprecated) Has no effect.
-
Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
-
Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query.
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties:
package: name of the package (required, unique id)version: version of the package (required, semver-compatible)integration: name of the integration of this package (optional, id within the package)
There are Fleet packages like
windowsthat contain only one integration; in this case,integrationshould be unspecified. There are also packages likeawsandazurethat contain several integrations; in this case,integrationshould be specified.Hide related_integrations attributes Show related_integrations attributes object
-
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1. -
A string that does not contain only whitespace characters
Minimum length is
1.
-
Elasticsearch fields and their types that need to be present for the rule to function.
The value of
required_fieldsdoes not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Userequired_fieldsas an informational property to document the fields that the rule expects to be present in the data.Input parameters to create a RequiredField. Does not include the
ecsfield, becauseecsis calculated on the backend based on the field name and type. -
One of: Hide attributes Show attributes
-
Value is
.osquery. -
Hide params attributes Show params attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
Hide ecs_mapping attribute Show ecs_mapping attribute object
-
To specify a query pack, use the packId field. Example: "packId": "processes_elastic"
-
Hide queries attributes Show queries attributes object
-
Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}
-
Query ID
-
Query to run
-
Query version
-
-
To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"
-
To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"
-
A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.
-
Hide attributes Show attributes
-
Value is
.endpoint. params
object Required One of: Hide attributes Show attributes
-
To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"
Values are
kill-processorsuspend-process. -
Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"
-
-
-
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100. -
Overrides generated alerts' risk_score with a value from the source event
Hide risk_score_mapping attributes Show risk_score_mapping attributes object
-
Value is
equals. -
A numerical representation of the alert's severity from 0 to 100, where:
0-21represents low severity22-47represents medium severity48-73represents high severity74-100represents critical severity
Minimum value is
0, maximum value is100.
-
Sets the source field for the alert's signal.rule.name value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s name value is used. The source field must be a string data type.
-
Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
-
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical. -
Overrides generated alerts' severity with values from the source event
Hide severity_mapping attributes Show severity_mapping attributes object
-
Value is
equals. -
Severity level of alerts produced by the rule, which must be one of the following:
low: Alerts that are of interest but generally not considered to be security incidentsmedium: Alerts that require investigationhigh: Alerts that require immediate investigationcritical: Alerts that indicate it is highly likely a security incident has occurred
Values are
low,medium,high, orcritical.
-
String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
-
Hide threat attributes Show threat attributes object
-
Relevant attack framework
-
Object containing information on the attack type
-
Array containing information on the attack techniques (optional)
Hide technique attributes Show technique attributes object
-
Technique ID
-
Technique name
-
Technique reference
-
Array containing more specific information on the attack technique.
Only threats described using the MITRE ATT&CKTM framework are displayed in the UI (Rules → Detection rules (SIEM) → Rule name).
-
-
-
Timeline template ID
-
Timeline template title
-
Sets the time field used to query indices. When unspecified, rules query the @timestamp field. The source field must be an Elasticsearch date data type.
-
Disables the fallback to the event's @timestamp field
-
The rule's version number.
Minimum value is
1. -
Summary of the last execution of a rule.
This field is under development and its usage or schema may change
Hide execution_summary attribute Show execution_summary attribute object
-
Hide last_execution attributes Show last_execution attributes object
-
Date of the last execution
-
Hide metrics attributes Show metrics attributes object
-
Duration in seconds of execution gap
Minimum value is
0. -
Range of the execution gap
-
Total time spent enriching documents during current rule execution cycle
Minimum value is
0. -
Total time spent indexing documents during current rule execution cycle
Minimum value is
0. -
Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
Minimum value is
0.
-
-
Status of the last execution
Values are
going to run,running,partial failure,failed, orsucceeded.
-
-
-
The unique identifier for the rule object.
-
This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the
rule_sourcefield. -
Minimum value is
0. -
A unique identifier for the rule, which could be any string, not necessarily a UUID.
rule_source
object Required Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
-
Defines alert suppression configuration.
Hide alert_suppression attributes Show alert_suppression attributes object
-
At least
1but not more than3elements. -
Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket
Values are
doNotSuppressorsuppress.
-
Value is
esql. -
The query to execute
-
Rule type
Value is
esql.
-
-
-
A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the
editaction is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned inattributes.results.skippedwill only include rules'id,name, andskip_reason.
-
-
curl \
--request POST 'http://localhost:5601/api/detection_engine/rules/_bulk_action' \
--user "username:password" \
--header "Content-Type: application/json" \
--data '{"query":"alert.attributes.tags: \"test\"","action":"enable"}'- Enable all rules with the test tag
- Edit - Add two tags to rules (idempotent)
- Edit - Remove a tag from rules (idempotent)
- Edit - Set (overwrite existing) tags for rules (idempotent)
- Edit - Add index patterns to rules (idempotent)
- Edit - Remove index patterns from rules (idempotent)
- Edit - Set (overwrite existing) index patterns for rules patterns (idempotent)
- Edit - Add investigation field to rules
- Delete investigation fields from rules
- Set investigation fields for rules
- Set timeline for rules
- Enable a specific rule by ID.
- Set schedule for rules
- Add rule actions to rules (idempotent)
- Set rule actions for rules
- Disable a specific rule by ID
- Edit - dry run - Validate add_index_patterns bulk action
- Duplicate rules with specific IDs
- Delete a specific rule by ID
- Run a specific rule by ID
- Export specific rules by ID
- Edit - Add a tag to rules (idempotent)
{
"query": "alert.attributes.tags: \"test\"",
"action": "enable"
}{
"ids": [
"8bc7dad0-9320-11ec-9265-8b772383a08d",
"8e5c1a40-9320-11ec-9265-8b772383a08d"
],
"edit": [
{
"type": "add_tags",
"value": [
"tag-1",
"tag-2"
]
}
],
"action": "edit"
}{
"ids": [
"8bc7dad0-9320-11ec-9265-8b772383a08d",
"8e5c1a40-9320-11ec-9265-8b772383a08d"
],
"edit": [
{
"type": "delete_tags",
"value": [
"tag-1"
]
}
],
"action": "edit"
}{
"ids": [
"8bc7dad0-9320-11ec-9265-8b772383a08d",
"8e5c1a40-9320-11ec-9265-8b772383a08d"
],
"edit": [
{
"type": "set_tags",
"value": [
"tag-1",
"tag-2"
]
}
],
"action": "edit"
}{
"ids": [
"81aa0480-06af-11ed-94fb-dd1a0597d8d2",
"dc015d10-0831-11ed-ac8b-05a222bd8d4a"
],
"edit": [
{
"type": "add_index_patterns",
"value": [
"test-*"
]
}
],
"action": "edit"
}{
"ids": [
"81aa0480-06af-11ed-94fb-dd1a0597d8d2",
"dc015d10-0831-11ed-ac8b-05a222bd8d4a"
],
"edit": [
{
"type": "delete_index_patterns",
"value": [
"test-*"
]
}
],
"action": "edit"
}{
"ids": [
"81aa0480-06af-11ed-94fb-dd1a0597d8d2",
"dc015d10-0831-11ed-ac8b-05a222bd8d4a"
],
"edit": [
{
"type": "set_index_patterns",
"value": [
"test-*"
]
}
],
"action": "edit"
}{
"ids": [
"12345678-1234-1234-1234-1234567890ab",
"87654321-4321-4321-4321-0987654321ba"
],
"edit": [
{
"type": "add_investigation_fields",
"value": {
"field_names": [
"alert.status"
]
}
}
],
"action": "edit"
}{
"ids": [
"12345678-1234-1234-1234-1234567890ab",
"87654321-4321-4321-4321-0987654321ba"
],
"edit": [
{
"type": "delete_investigation_fields"
}
],
"value": [
"field1",
"field2"
],
"action": "edit"
}{
"ids": [
"12345678-1234-1234-1234-1234567890ab",
"87654321-4321-4321-4321-0987654321ba"
],
"edit": [
{
"type": "set_investigation_fields",
"value": [
"field1",
"field2"
]
}
],
"action": "edit"
}{
"ids": [
"11223344-5566-7788-99aa-bbccddeeff00"
],
"edit": [
{
"type": "set_timeline",
"value": null,
"timeline_id": "timeline-123",
"timeline_title": "Investigation Timeline"
}
],
"action": "edit"
}{
"ids": [
"748694f0-6977-4ea5-8384-cd2e39730779"
],
"action": "enable"
}{
"ids": [
"99887766-5544-3322-1100-aabbccddeeff"
],
"edit": [
{
"type": "set_schedule",
"value": {
"interval": "1h",
"lookback": "30m"
}
}
],
"action": "edit"
}{
"ids": [
"aabbccdd-eeff-0011-2233-445566778899"
],
"edit": [
{
"type": "add_rule_actions",
"value": null,
"actions": [
{
"id": "action-123",
"group": "default",
"params": {
"key": "value"
}
}
],
"throttle": "1h"
}
],
"action": "edit"
}{
"ids": [
"ffeeddcc-bbaa-9988-7766-554433221100"
],
"edit": [
{
"type": "set_rule_actions",
"value": null,
"actions": [
{
"id": "action-456",
"group": "notification",
"params": {
"key": "another-value"
}
}
],
"throttle": "rule"
}
],
"action": "edit"
}{
"ids": [
"748694f0-6977-4ea5-8384-cd2e39730779"
],
"action": "disable"
}{
"ids": [
"81aa0480-06af-11ed-94fb-dd1a0597d8d2",
"dc015d10-0831-11ed-ac8b-05a222bd8d4a",
"de8f5af0-0831-11ed-ac8b-05a222bd8d4a"
],
"edit": [
{
"type": "add_index_patterns",
"value": [
"test-*"
]
}
],
"action": "edit"
}{
"ids": [
"748694f0-6977-4ea5-8384-cd2e39730779",
"461a4c22-416e-4009-a9a7-cf79656454bf"
],
"action": "duplicate",
"duplicate": {
"include_exceptions": true,
"include_expired_exceptions": false
}
}{
"ids": [
"cf4abfd1-7c37-4519-ab0f-5ea5c75fac60"
],
"action": "delete"
}{
"ids": [
"748694f0-6977-4ea5-8384-cd2e39730779"
],
"run": {
"end_date": "2025-03-10T23:59:59.999Z",
"start_date": "2025-03-01T00:00:00.000Z"
},
"action": "run"
}{
"ids": [
"748694f0-6977-4ea5-8384-cd2e39730779"
],
"action": "export"
}{
"ids": [
"8bc7dad0-9320-11ec-9265-8b772383a08d",
"8e5c1a40-9320-11ec-9265-8b772383a08d"
],
"edit": [
{
"type": "add_tags",
"value": [
"tag-1"
]
}
],
"action": "edit"
}{
"success": true,
"attributes": {
"results": {
"created": [],
"deleted": [],
"skipped": [
{
"id": "51658332-a15e-4c9e-912a-67214e2e2359",
"name": "Skipped rule",
"skip_reason": "RULE_NOT_MODIFIED"
}
],
"updated": [
{
"id": "8bc7dad0-9320-11ec-9265-8b772383a08d",
"to": "now",
"from": "now-45m",
"name": "DNS Tunneling [Duplicate]",
"tags": [
"Elastic",
"Network",
"Threat Detection",
"ML"
],
"type": "machine_learning",
"setup": "",
"author": [
"Elastic"
],
"threat": [],
"enabled": true,
"license": "Elastic License v2",
"rule_id": "7289bf08-4e91-4c70-bf01-e04c4c5d7756",
"version": 6,
"interval": "15m",
"severity": "low",
"immutable": false,
"created_at": "2022-02-21T14:14:13.801Z",
"created_by": "elastic",
"references": [
"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"
],
"risk_score": 21,
"updated_at": "2022-02-21T17:05:50.883Z",
"updated_by": "elastic",
"description": "A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.",
"max_signals": 100,
"exceptions_list": [],
"false_positives": [
"DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded."
],
"required_fields": [],
"severity_mapping": [],
"anomaly_threshold": 50,
"execution_summary": {
"last_execution": {
"date": "2022-03-23T16:06:12.787Z",
"status": "partial failure",
"message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
"metrics": {
"execution_gap_duration_s": 0,
"total_search_duration_ms": 135,
"total_indexing_duration_ms": 15
},
"status_order": 20
}
},
"risk_score_mapping": [],
"related_integrations": [],
"machine_learning_job_id": [
"packetbeat_dns_tunneling"
]
}
]
},
"summary": {
"total": 2,
"failed": 0,
"skipped": 1,
"succeeded": 1
}
},
"rules_count": 1
}{
"value": {
"message": "Bulk edit partially failed",
"success": false,
"attributes": {
"errors": [
{
"rules": [
{
"id": "8bc7dad0-9320-11ec-9265-8b772383a08d",
"name": "DNS Tunneling [Duplicate]"
}
],
"message": "Index patterns can't be added. Machine learning rule doesn't have index patterns property",
"status_code": 500
}
],
"results": {
"created": [],
"deleted": [],
"skipped": [],
"updated": [
{
"id": "8e5c1a40-9320-11ec-9265-8b772383a08d",
"to": "now",
"from": "now-6m",
"name": "External Alerts [Duplicate]",
"tags": [
"Elastic",
"Network",
"Windows",
"APM",
"macOS",
"Linux"
],
"type": "query",
"index": [
"apm-*-transaction*",
"traces-apm*",
"auditbeat-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*",
"added-by-id-*"
],
"query": "event.kind:alert and not event.module:(endgame or endpoint)\n",
"setup": "",
"author": [
"Elastic"
],
"threat": [],
"actions": [],
"enabled": true,
"license": "Elastic License v2",
"rule_id": "941faf98-0cdc-4569-b16d-4af962914d61",
"version": 5,
"interval": "5m",
"language": "kuery",
"severity": "medium",
"immutable": false,
"created_at": "2022-02-21T14:14:17.883Z",
"created_by": "elastic",
"references": [],
"risk_score": 47,
"updated_at": "2022-02-21T16:56:22.818Z",
"updated_by": "elastic",
"description": "Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.",
"max_signals": 10000,
"exceptions_list": [],
"false_positives": [],
"required_fields": [],
"severity_mapping": [
{
"field": "event.severity",
"value": "21",
"operator": "equals",
"severity": "low"
},
{
"field": "event.severity",
"value": "47",
"operator": "equals",
"severity": "medium"
},
{
"field": "event.severity",
"value": "73",
"operator": "equals",
"severity": "high"
},
{
"field": "event.severity",
"value": "99",
"operator": "equals",
"severity": "critical"
}
],
"execution_summary": {
"last_execution": {
"date": "2022-03-23T16:06:12.787Z",
"status": "partial failure",
"message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
"metrics": {
"execution_gap_duration_s": 0,
"total_search_duration_ms": 135,
"total_indexing_duration_ms": 15
},
"status_order": 20
}
},
"risk_score_mapping": [
{
"field": "event.risk_score",
"value": "",
"operator": "equals"
}
],
"rule_name_override": "message",
"timestamp_override": "event.ingested",
"related_integrations": []
}
]
},
"summary": {
"total": 2,
"failed": 1,
"skipped": 0,
"succeeded": 1
}
},
"rules_count": 2,
"status_code": 500
}
}{
"message": "Bulk edit partially failed",
"attributes": {
"errors": [
{
"rules": [
{
"id": "81aa0480-06af-11ed-94fb-dd1a0597d8d2",
"name": "Unusual AWS Command for a User"
}
],
"message": "Elastic rule can't be edited",
"err_code": "IMMUTABLE",
"status_code": 500
},
{
"rules": [
{
"id": "dc015d10-0831-11ed-ac8b-05a222bd8d4a",
"name": "Suspicious Powershell Script [Duplicate]"
}
],
"message": "Machine learning rule doesn't have index patterns",
"err_code": "MACHINE_LEARNING_INDEX_PATTERN",
"status_code": 500
}
],
"results": {
"created": [],
"deleted": [],
"skipped": [],
"updated": []
},
"summary": {
"total": 3,
"failed": 2,
"skipped": 0,
"succeeded": 1
}
},
"status_code": 500
}