Find rules

Retrieves a paginated subset of detection rules. By default, the first page is returned, with 20 results per page.

Request URL

GET <kibana host>:<port>/api/detection_engine/rules/_find

URL query parameters

All parameters are optional.

Name        Type      Description

page        Integer   The page number to return.

per_page    Integer   The number of rules to return per page.

sort_field  String    Determines the field that is used to sort the results.

sort_order  String    Determines the sort order, which can be desc or asc.

filter      String    Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be:

  • name
  • enabled
  • tags
  • createdBy
  • interval
  • updatedBy

Even though the JSON rule object uses the created_by and updated_by fields, you must use createdBy and updatedBy in the filter.

Example request

Retrieves the first five rules with the word windows in their names, sorted in ascending order:

GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows

Response code

200
Indicates a successful call.

Response payload

A JSON object containing a summary and the returned rules.

Example response

{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": [
        "winlogbeat-*"
      ],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": [
        "Elastic",
        "Windows"
      ],
      "to": "now",
      "related_integrations": [
        { "package": "o365", "version": "^2.3.2"}
      ],
      "required_fields": [
        { "name": "event.action", "type": "keyword", "ecs": true },
        { "name": "process.name", "type": "keyword", "ecs": true },
        { "name": "process.parent.name", "type": "keyword", "ecs": true }
      ],
      "setup": "",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": "https://attack.mitre.org/tactics/TA0002/"
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": "https://attack.mitre.org/techniques/T1193/"
            }
          ]
        }
      ],
      "execution_summary": {
        "last_execution": {
          "date": "2022-03-23T16:06:12.787Z",
          "status": "partial failure",
          "status_order": 20,
          "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
          "metrics": {
              "total_search_duration_ms": 135,
              "total_indexing_duration_ms": 15,
              "execution_gap_duration_s": 0
          }
        }
      },
      "version": 1
    },
    ...
  ]
}

[preview] This functionality is in development and may be changed or removed entirely in a future release. These features are unsupported and are not subject to the support SLA of official GA features. The following fields are in development, and their usage or schema may change: execution_summary
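The request parameters, the paging contract and the response shape above fit together into a small client, shown here as an added example that is not part of the Elastic documentation or of Kibana itself. It builds the filter expression (mapping the snake_case rule fields to the camelCase names the filter requires), walks every page until the reported total is reached, and reports rules whose last execution did not succeed. Two points the page states but are easy to miss are made explicit in code: the request uses per_page while the response echoes perPage, and execution_summary is marked in development, so a missing summary is treated as "unknown" rather than as an error. The HTTP client is injected as a callable, so the module runs offline against constructed sample pages; the host name, rule_ids and rule names other than the one from the page are placeholders. In production the callable would perform the GET with Kibana credentials; the kbn-xsrf header Kibana requires on state-changing requests is not needed for this GET.

```python
"""Page through Kibana's detection-rule _find endpoint and report rule health.

Added example, not part of the Elastic documentation. The HTTP client is
injected as a callable so the module runs offline against constructed pages.
"""
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

FIND_PATH = "/api/detection_engine/rules/_find"

# Fields the filter syntax accepts, as listed in the parameter table.
FILTERABLE_FIELDS = {"name", "enabled", "tags", "createdBy", "interval", "updatedBy"}
# The rule JSON spells these snake_case; the filter wants camelCase.
FILTER_ALIASES = {"created_by": "createdBy", "updated_by": "updatedBy"}


def build_filter(field: str, value: str) -> str:
    """Return an alert.attributes.<field>:<value> expression, rejecting unknown fields."""
    field = FILTER_ALIASES.get(field, field)
    if field not in FILTERABLE_FIELDS:
        raise ValueError(f"unsupported filter field: {field}")
    return f"alert.attributes.{field}:{value}"


def build_find_url(base: str, page: int = 1, per_page: int = 20,
                   sort_field: Optional[str] = None, sort_order: Optional[str] = None,
                   filter_expr: Optional[str] = None) -> str:
    """Assemble the _find URL; only parameters that are set are sent."""
    if sort_order is not None and sort_order not in ("asc", "desc"):
        raise ValueError("sort_order must be 'asc' or 'desc'")
    params = {"page": page, "per_page": per_page}
    if sort_field:
        params["sort_field"] = sort_field
    if sort_order:
        params["sort_order"] = sort_order
    if filter_expr:
        params["filter"] = filter_expr
    return f"{base}{FIND_PATH}?{urlencode(params)}"


def iter_rules(fetch: Callable[[str], dict], base: str, per_page: int = 20,
               **find_kwargs) -> Iterator[dict]:
    """Yield every rule across all pages.

    `fetch` takes a URL and returns the parsed JSON body. Paging stops when the
    response's `total` is reached or a page comes back empty, so a wrong
    `total` from the server cannot loop forever.
    """
    page, seen = 1, 0
    while True:
        body = fetch(build_find_url(base, page=page, per_page=per_page, **find_kwargs))
        rules = body.get("data", [])
        yield from rules
        seen += len(rules)
        if not rules or seen >= body.get("total", 0):
            break
        page += 1


def rule_health(rules: List[dict]) -> Dict[str, str]:
    """Map rule name -> last execution status; "unknown" when execution_summary is absent."""
    health = {}
    for rule in rules:
        last = rule.get("execution_summary", {}).get("last_execution", {})
        health[rule["name"]] = last.get("status", "unknown")
    return health


# Constructed sample data standing in for a live Kibana instance:
# three rules over two pages of size 2; rule_ids are placeholders.
SAMPLE_PAGES = {
    1: {"page": 1, "perPage": 2, "total": 3, "data": [
        {"rule_id": "constructed-0001", "name": "Windows Script Executing PowerShell",
         "enabled": False,
         "execution_summary": {"last_execution": {"status": "partial failure",
                                                  "message": "no matching index was found"}}},
        {"rule_id": "constructed-0002", "name": "Windows Example Rule A", "enabled": True,
         "execution_summary": {"last_execution": {"status": "succeeded", "message": ""}}},
    ]},
    2: {"page": 2, "perPage": 2, "total": 3, "data": [
        {"rule_id": "constructed-0003", "name": "Windows Example Rule B", "enabled": True},
    ]},
}


class RecordingFetch:
    """Offline stand-in for the HTTP client: serves SAMPLE_PAGES and records each URL."""

    def __init__(self) -> None:
        self.calls: List[str] = []

    def __call__(self, url: str) -> dict:
        self.calls.append(url)
        page = int(parse_qs(urlparse(url).query).get("page", ["1"])[0])
        return SAMPLE_PAGES.get(page, {"page": page, "perPage": 2, "total": 3, "data": []})


def failing_rules(fetch: Callable[[str], dict], base: str) -> List[str]:
    """Names of rules whose last run did not succeed, sorted for stable output."""
    rules = list(iter_rules(fetch, base, per_page=2, sort_field="enabled", sort_order="asc",
                            filter_expr=build_filter("name", "windows")))
    return sorted(name for name, status in rule_health(rules).items() if status != "succeeded")


if __name__ == "__main__":
    client = RecordingFetch()
    for name in failing_rules(client, "http://kibana.example:5601"):
        print("needs attention:", name)
    print(f"{len(client.calls)} page request(s)")
```

Swapping RecordingFetch for a function that issues the GET with real credentials is the only change needed against a live instance; everything else depends only on the documented parameters and response fields.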