Find rules
Retrieves a paginated subset of detection rules. By default, the first page is returned, with 20 results per page.
Request URL

```
GET <kibana host>:<port>/api/detection_engine/rules/_find
```
URL query parameters

All parameters are optional.
Name | Type | Description |
---|---|---|
`page` | Integer | The page number to return. |
`per_page` | Integer | The number of rules to return per page. |
`sort_field` | String | Determines the field used to sort the results. |
`sort_order` | String | Determines the sort order (ascending or descending). |
`filter` | String | Filters the returned rules by field value, using the `alert.attributes.<field>:<value>` syntax (the example request below uses `alert.attributes.name:windows`). Note that the field names accepted by the filter do not always match those used in the JSON rule object. |
Example request

Retrieves the first five rules whose names contain the word windows, sorted in ascending order:

```
GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows
```
Response code

- 200 - Indicates a successful call.
Response payload

A JSON object containing a summary and the returned rules.
Example response

```json
{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": ["winlogbeat-*"],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": ["Elastic", "Windows"],
      "to": "now",
      "related_integrations": [{ "package": "o365", "version": "^2.3.2" }],
      "required_fields": [
        { "name": "event.action", "type": "keyword", "ecs": true },
        { "name": "process.name", "type": "keyword", "ecs": true },
        { "name": "process.parent.name", "type": "keyword", "ecs": true }
      ],
      "setup": "",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": { "id": "TA0002", "name": "Execution", "reference": "https://attack.mitre.org/tactics/TA0002/" },
          "technique": [
            { "id": "T1193", "name": "Spearphishing Attachment", "reference": "https://attack.mitre.org/techniques/T1193/" }
          ]
        }
      ],
      "execution_summary": {
        "last_execution": {
          "date": "2022-03-23T16:06:12.787Z",
          "status": "partial failure",
          "status_order": 20,
          "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
          "metrics": {
            "total_search_duration_ms": 135,
            "total_indexing_duration_ms": 15,
            "execution_gap_duration_s": 0
          }
        }
      },
      "version": 1
    },
    ...
  ]
}
```
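As an added example (not code from the Elastic documentation or from Kibana itself), the following Python builds the `_find` URL, walks every page using the `page`/`perPage`/`total` summary, and reports enabled rules whose `execution_summary.last_execution.status` is not `succeeded`, such as the partial failure shown in the sample response. The Kibana base URL, the API-key `Authorization` header and the sample pages are assumptions or constructed data, not values from this page.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def build_find_url(base, page=1, per_page=20, sort_field=None, sort_order=None, filter_kql=None):
    """Build the _find URL; urlencode escapes KQL characters such as ':' and quotes."""
    params = {"page": page, "per_page": per_page}
    params.update({k: v for k, v in [("sort_field", sort_field), ("sort_order", sort_order), ("filter", filter_kql)] if v})
    return f"{base.rstrip('/')}/api/detection_engine/rules/_find?{urlencode(params)}"

def kibana_fetcher(base, api_key):
    """Page fetcher for a live Kibana (assumed API-key auth; not exercised by the sample below)."""
    def fetch(page, per_page):
        req = Request(build_find_url(base, page, per_page), headers={"Authorization": f"ApiKey {api_key}"})
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_rules(fetch, per_page=20):
    """Yield every rule, requesting page after page until page * per_page covers 'total'."""
    page = 1
    while True:
        body = fetch(page, per_page)
        yield from body["data"]
        if not body["data"] or page * per_page >= body["total"]:
            break  # an empty page also stops us if 'total' is stale
        page += 1

def unhealthy_rules(rules):
    """Enabled rules whose last execution is not 'succeeded' (e.g. 'partial failure' on a missing index) or that never ran."""
    report = []
    for r in rules:
        if not r.get("enabled"):
            continue  # disabled rules do not execute, so their status is not informative
        last = (r.get("execution_summary") or {}).get("last_execution") or {}
        if last.get("status") != "succeeded":
            report.append((r["rule_id"], r["name"], last.get("status", "never run"), last.get("message", "")))
    return report

# Constructed sample pages (per_page=2, total=3) shaped like the documented response.
_PAGES = {
    1: {"page": 1, "perPage": 2, "total": 3, "data": [
        {"rule_id": "rule-a", "name": "Healthy rule", "enabled": True,
         "execution_summary": {"last_execution": {"status": "succeeded"}}},
        {"rule_id": "rule-b", "name": "Windows Script Executing PowerShell", "enabled": True,
         "execution_summary": {"last_execution": {"status": "partial failure", "message": "no matching index was found"}}}]},
    2: {"page": 2, "perPage": 2, "total": 3, "data": [{"rule_id": "rule-c", "name": "Never executed", "enabled": True}]}}

def sample_report():
    return unhealthy_rules(iter_rules(lambda page, per_page: _PAGES[page], per_page=2))
```

Against a real deployment, replace the lambda with `kibana_fetcher("https://<kibana host>:<port>", api_key)` so the same loop and health check run over the live `_find` pages.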