Find rules

Retrieves a paginated subset of detection rules. By default, the first page is returned, with 20 results per page.

Request URL

GET <kibana host>:<port>/api/detection_engine/rules/_find

URL query parameters

All parameters are optional.

Name         Type      Description

page         integer   The page number to return.
per_page     integer   The number of rules to return per page.
sort_field   string    Determines which field is used to sort the results.
sort_order   string    Determines the sort order, which can be either desc or asc.
filter       string    Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be one of the following:

  • name
  • enabled
  • tags
  • createdBy
  • interval
  • updatedBy

Although the JSON rule object uses the created_by and updated_by fields, you must use the createdBy and updatedBy fields in filters.

Example request

Retrieves the first five rules whose names contain windows, in ascending order:

GET api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows

Response code

200
Indicates a successful call.

Response payload

A JSON object containing a summary and the returned rules.

Example response:

{
  "page": 1,
  "perPage": 5,
  "total": 4,
  "data": [
    {
      "created_at": "2020-02-02T10:05:19.613Z",
      "updated_at": "2020-02-02T10:05:19.830Z",
      "created_by": "elastic",
      "description": "Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.",
      "enabled": false,
      "false_positives": [],
      "from": "now-6m",
      "id": "89761517-fdb0-4223-b67b-7621acc48f9e",
      "immutable": true,
      "index": [
        "winlogbeat-*"
      ],
      "interval": "5m",
      "rule_id": "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc",
      "language": "kuery",
      "max_signals": 33,
      "risk_score": 21,
      "name": "Windows Script Executing PowerShell",
      "query": "event.action:\"Process Create (rule: ProcessCreate)\" and process.parent.name:(\"wscript.exe\" or \"cscript.exe\") and process.name:\"powershell.exe\"",
      "references": [],
      "severity": "low",
      "updated_by": "elastic",
      "tags": [
        "Elastic",
        "Windows"
      ],
      "to": "now",
      "related_integrations": [],
      "required_fields": [],
      "setup": "",
      "type": "query",
      "threat": [
        {
          "framework": "MITRE ATT&CK",
          "tactic": {
            "id": "TA0002",
            "name": "Execution",
            "reference": "https://attack.mitre.org/tactics/TA0002/"
          },
          "technique": [
            {
              "id": "T1193",
              "name": "Spearphishing Attachment",
              "reference": "https://attack.mitre.org/techniques/T1193/"
            }
          ]
        }
      ],
      "execution_summary": {
        "last_execution": {
          "date": "2022-03-23T16:06:12.787Z",
          "status": "partial failure",
          "status_order": 20,
          "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
          "metrics": {
              "total_search_duration_ms": 135,
              "total_indexing_duration_ms": 15,
              "execution_gap_duration_s": 0
          }
        }
      },
      "version": 1
    },
    ...
  ]
}

[In development] This functionality is in development and may be changed or removed completely in a future release. These features are unsupported and are not subject to the support SLA of official GA features. The following fields are in development and their usage or schema may change: related_integrations, required_fields, execution_summary.
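As an added example (not part of this documentation or of Kibana's own code), the Python below builds the query string described above, applying the createdBy/updatedBy mapping, pages through the full result set using page/per_page and the response's total, and lists rules whose last execution did not succeed, so that rules silently producing no alerts (such as the "partial failure" in the sample response) can be spotted. The HTTP call is replaced by an offline stand-in serving constructed sample rules; the healthy status value "succeeded" and the rule names other than the one from the sample response are assumptions.

```python
from typing import Callable, Iterator, List, Optional
from urllib.parse import parse_qsl, urlencode

# Rule JSON uses created_by/updated_by; filters need the saved-object names createdBy/updatedBy.
FILTER_FIELD_MAP = {"created_by": "createdBy", "updated_by": "updatedBy"}
FILTERABLE = {"name", "enabled", "tags", "createdBy", "interval", "updatedBy"}

def build_find_query(page: int = 1, per_page: int = 20, sort_field: Optional[str] = None,
                     sort_order: Optional[str] = None, filter_field: Optional[str] = None,
                     filter_value: Optional[str] = None) -> str:
    """Query string for GET /api/detection_engine/rules/_find; sort_order is asc or desc."""
    params = {"page": page, "per_page": per_page}
    params.update({k: v for k, v in (("sort_field", sort_field), ("sort_order", sort_order)) if v})
    if filter_field:
        field = FILTER_FIELD_MAP.get(filter_field, filter_field)
        if field not in FILTERABLE:
            raise ValueError(f"{filter_field} is not a filterable field")
        params["filter"] = f"alert.attributes.{field}:{filter_value}"
    return urlencode(params)

def iter_all_rules(fetch: Callable[[str], dict], per_page: int = 20, **kwargs) -> Iterator[dict]:
    """Yield every matching rule, paging until `total` is reached (the response names the page size perPage)."""
    page = seen = 0
    while True:
        page += 1
        body = fetch(build_find_query(page=page, per_page=per_page, **kwargs))
        yield from body["data"]
        seen += len(body["data"])
        if not body["data"] or seen >= body["total"]:
            return

def rules_not_succeeded(rules: List[dict]) -> List[str]:
    """Names of rules whose last execution status is not 'succeeded' (assumed healthy value)."""
    return [r["name"] for r in rules
            if r.get("execution_summary", {}).get("last_execution", {}).get("status") != "succeeded"]

def _rule(name: str, status: str) -> dict:  # constructed sample data, not real rule output
    return {"name": name, "execution_summary": {"last_execution": {"status": status}}}

SAMPLE_RULES = [_rule("Windows Script Executing PowerShell", "partial failure"),
                _rule("rule-b", "succeeded"), _rule("rule-c", "succeeded"), _rule("rule-d", "failed")]

def fake_fetch(query: str) -> dict:
    """Offline stand-in for the HTTP GET; serves SAMPLE_RULES in the documented response shape."""
    p = dict(parse_qsl(query))
    page, per_page = int(p["page"]), int(p["per_page"])
    start = (page - 1) * per_page
    return {"page": page, "perPage": per_page, "total": len(SAMPLE_RULES),
            "data": SAMPLE_RULES[start:start + per_page]}
```

Against a live Kibana, replace fake_fetch with a function that performs the authenticated GET and returns the decoded JSON body.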