« 创建规则 查找规则 »
Elastic 文档 Elastic 安全解决方案 [8.14] Elastic 安全 API 检测 API

获取规则

编辑

获取规则编辑

使用 rule_idid 字段检索单个规则。

请求 URL编辑

GET <kibana 主机>:<端口>/api/detection_engine/rules

URL 查询参数编辑

URL 查询必须包含以下之一

  • id - GET /api/detection_engine/rules?id=<id>
  • rule_id - GET /api/detection_engine/rules?rule_id=<rule_id>

示例请求编辑

检索 id 值为 c41d170b-8ba6-4de6-b8ec-76440a35ace3 的规则。

GET api/detection_engine/rules?id=c41d170b-8ba6-4de6-b8ec-76440a35ace3

响应代码编辑

200
表示调用成功。

响应负载编辑

返回规则的 JSON 对象。

示例响应

{
  "created_at": "2020-02-03T11:19:04.259Z",
  "updated_at": "2020-02-03T11:19:04.462Z",
  "created_by": "elastic",
  "description": "Process started by MS Office program in user folder",
  "enabled": false,
  "false_positives": [],
  "filters": [
    {
      "query": {
        "match": {
          "event.action": {
            "query": "Process Create (rule: ProcessCreate)",
            "type": "phrase"
          }
        }
      }
    }
  ],
  "from": "now-4200s",
  "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3",
  "immutable": false,
  "interval": "1h",
  "rule_id": "process_started_by_ms_office_user_folder",
  "related_integrations": [],       
  "required_fields": [],            
  "setup": "",
  "language": "kuery",
  "max_signals": 100,
  "risk_score": 21,
  "name": "MS Office child process",
  "query": "process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE",
  "references": [],
  "severity": "low",
  "updated_by": "elastic",
  "tags": [
    "child process",
    "ms office"
  ],
  "to": "now-300s",
  "type": "query",
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0001",
        "reference": "https://attack.mitre.org/tactics/TA0001",
        "name": "Initial Access"
      },
      "technique": [
        {
          "id": "T1193",
          "name": "Spearphishing Attachment",
          "reference": "https://attack.mitre.org/techniques/T1193"
        }
      ]
    }
  ],
  "execution_summary": {                      
    "last_execution": {
      "date": "2022-03-23T16:06:12.787Z",
      "status": "partial failure",
      "status_order": 20,
      "message": "This rule attempted to query data from Elasticsearch indices listed in the \"Index pattern\" section of the rule definition, but no matching index was found.",
      "metrics": {
          "total_search_duration_ms": 135,
          "total_indexing_duration_ms": 15,
          "execution_gap_duration_s": 0,
      }
    }
  },
  "version": 1
}

[dev] 此功能正在开发中,可能会在未来的版本中更改或完全删除。这些功能不受支持,也不受官方 GA 功能的支持 SLA 的约束。 这些字段正在开发中,它们的用法或模式可能会更改:related_integrationsrequired_fieldsexecution_summary
« 创建规则 查找规则 »