Elastic Security: other versions:
Elastic Security overview
What’s new in 8.17
Upgrade Elastic Security to 8.17.3
- Upgrade from 7.17 to an 8.x version
Post-upgrade steps (optional)
- Migrate detection alerts enriched with threat intelligence
- Index template script
- Update a deprecated ServiceNow connector
Get started with Elastic Security
- Elastic Security requirements
- Elastic Security UI
- Ingest data to Elastic Security
- Spaces and Elastic Security
- Data views in Elastic Security
- Configure advanced settings
AI for Security
- AI Assistant
  - AI Assistant Knowledge Base
- Attack Discovery
- Set up connectors for large language models (LLM)
- Use cases
Detections and alerts
- Detections requirements
- Using logsdb index mode with Elastic Security
- About detection rules
- Create a detection rule
- Install and manage Elastic prebuilt rules
- Manage detection rules
- Monitor and troubleshoot rule executions
- Rule exceptions
- About building block rules
- MITRE ATT&CK® coverage
- Manage detection alerts
- Reduce notifications and alerts
- Query alert indices
- Tune detection rules
- Prebuilt rule reference
- Downloadable rule updates
Configure endpoint protection with Elastic Defend
- Elastic Defend requirements
- Install Elastic Defend
- Elastic Defend feature privileges
- Configure an integration policy for Elastic Defend
- Configure offline endpoints and air-gapped environments
- Uninstall Elastic Agent
Manage Elastic Defend
- Endpoints
- Policies
- Trusted applications
- Event filters
- Host isolation exceptions
- Blocklist
- Optimize Elastic Defend
- Event capture and Elastic Defend
- Endpoint protection rules
- Allowlist Elastic Endpoint in third-party antivirus apps
- Elastic Endpoint self-protection features
- Elastic Endpoint command reference
Endpoint response actions
- Automated response actions
- Isolate a host
- Response actions history
- Third-party response actions
- Configure third-party response actions
Cloud Security
- Security posture management overview
- Cloud security posture management
- Kubernetes security posture management
- Cloud native vulnerability management
- Cloud workload protection for Kubernetes
- Cloud workload protection for VMs
  - Capture environment variables
- Ingest third-party cloud security data
Dashboards
- Overview dashboard
- Detection & Response dashboard
- Kubernetes dashboard
- Cloud Security Posture dashboard
- Entity Analytics dashboard
- Data Quality dashboard
- Cloud Native Vulnerability Management Dashboard
- Detection rule monitoring dashboard
Explore
- Hosts page
- Network page
  - Configure network map data
- Users page
Advanced Entity Analytics
- Entity risk scoring
- Advanced behavioral detections
Investigation tools
- Timeline
  - Timeline templates
- Visual event analyzer
- Session View
- Osquery
- Notes
- Indicators of compromise
- Cases
Elastic Security APIs
- Detections API
- Exceptions API
- Lists API
- Detection Alerts Migration API
- Timeline API
- Cases API
- Actions API (for pushing cases to external systems)
- Endpoint management API
- Elastic AI Assistant API
Elastic Security fields and object schemas
- Create runtime fields in Elastic Security
- Elastic Security ECS field reference
- Timeline schema
- Alert schema
Troubleshooting
- Detection rules
- Elastic Defend
Release notes
- 8.17
- 8.16
- 8.15
- 8.14
- 8.13
- 8.12
- 8.11
- 8.10
- 8.9
- 8.8
- 8.7
- 8.6
- 8.5
- 8.4
- 8.3
- 8.2
- 8.1
- 8.0

› › ›

Signals endpoint

The signals endpoint is for retrieving, aggregating, and updating detection alerts. For detailed information on how to retrieve and aggregate results from the indices, see:

Get alerts

edit

Aggregates and returns alerts.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/signals/search

Request body

edit

A query DSL that determines which results are returned.

Example request

edit

Gets aggregated results of all open alerts with a risk score equal to or greater than 70. It also returns the timestamps of the oldest and newest alerts that meet the query’s criteria.

POST api/detection_engine/signals/search
{
  "aggs": {
    "latest": {
      "max": {
        "field": "@timestamp"
      }
    },
    "oldest": {
      "min": {
        "field": "@timestamp"
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "match": {
            "signal.status": "open"
          }
        },
        {
          "range": {
            "signal.rule.risk_score": {
              "gte": 70
            }
          }
        }
      ]
    }
  }
}

Copy as curl Try in Elastic

Gets all in-progress alerts with a risk score equal to or greater than 70.

POST api/detection_engine/signals/search
{
  "query": {
    "bool": {
      "filter": [
        {
          "match": {
            "signal.status": "in-progress"
          }
        },
        {
          "range": {
            "signal.rule.risk_score": {
              "gte": 70
            }
          }
        }
      ]
    }
  }
}

Copy as curl

Response code

edit

200: Indicates a successful call.

Response payload

edit

A JSON object with the aggregated values and requested alerts.

Example response:

{
  "took": 3,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 8794,
      "relation": "eq"
    },
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "oldest": {
      "value": 1576601119930,
      "value_as_string": "2019-12-17T16:45:19.930Z"
    },
    "latest": {
      "value": 1576634706400,
      "value_as_string": "2019-12-18T02:05:06.400Z"
    }
  }
}

Set alert status

edit

Sets the status of one or more alert.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/signals/status

Request body

edit

A JSON object with either a query or signals_id field:

Name	Type	Description	Required
`signal_ids`	String[]	Array of alert IDs.	Yes, when the `query` field is not used.
`query`	Query DSL	Query that determines which alerts are updated.	Yes, when the `signal_ids` field is not used.
`status`	String	The new status, which can be `open`, `acknowledged`, or `closed`.	Yes.

Example requests

edit

Closes alerts with signal_ids:

POST api/detection_engine/signals/status
{
  "signal_ids": [
    "694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba",
    "f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0"
  ],
  "status": "closed"
}

Copy as curl

Closes alerts that are over a month old and have a risk score less than or equal to 20:

POST api/detection_engine/signals/status
{
  "query": {
    "bool": {
      "filter": [
        {
          "range": {
            "signal.rule.risk_score": {
              "lte": 20
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "lte": "now-M"
            }
          }
        }
      ]
    }
  },
  "status": "closed"
}

Copy as curl

Response code

edit

200: Indicates a successful call.

Response payload

edit

A JSON object containing the number of updated alerts.

Example response:

{
  "took": 9594,
  "timed_out": false,
  "total": 8794,
  "updated": 8794,
  "deleted": 0,
  "batches": 9,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": []
}

Apply alert tags

edit

Add and remove alert tags.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/signals/tags

Request body

edit

A JSON object with the tags and ids fields:

Name Type Description Required

Name	Type	Description	Required
`tags`	Object	Object containing alert tags. Alert tags are the words and phrases that help categorize alerts. Properties of the `tags` object: `tags_to_add`: (Required, string[]) Array of tags you want to add. `tags_to_remove`: (Required, string[]) Array of tags you want to remove. You cannot add and remove the same alert tag.	No
`ids`	String[]	Array of alert IDs.	Yes

tags

Object

Object containing alert tags. Alert tags are the words and phrases that help categorize alerts.

Properties of the tags object:

tags_to_add: (Required, string[]) Array of tags you want to add.
tags_to_remove: (Required, string[]) Array of tags you want to remove.

You cannot add and remove the same alert tag.

ids

String[]

Array of alert IDs.

Yes

Example requests

edit

Adds and remove tags to alerts:

POST api/detection_engine/signals/tags
{
  "tags": {
    "tags_to_add": ["False Positive"],
    "tags_to_remove": ["Further Investigation Required"]
  },
  "ids": [
    "694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba",
    "f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0"
  ]
}

Copy as curl Try in Elastic

Response code

edit

200: Indicates a successful call.

Response payload

edit

A JSON object containing alerts with newly added or removed alert tags.

Example response:

{
    "took": 699,
    "errors": false,
    "items": [
        {
            "update": {
                "_index": ".internal.alerts-security.alerts-default-000001",
                "_id": "694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba",
                "_version": 2,
                "result": "updated",
                "_shards": {
                    "total": 1,
                    "successful": 1,
                    "failed": 0
                },
                "_seq_no": 137,
                "_primary_term": 1,
                "status": 200
            }
        },
        {
            "update": {
                "_index": ".internal.alerts-security.alerts-default-000001",
                "_id": "f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0",
                "_version": 2,
                "result": "updated",
                "_shards": {
                    "total": 1,
                    "successful": 1,
                    "failed": 0
                },
                "_seq_no": 138,
                "_primary_term": 1,
                "status": 200
            }
        }
    ]
}

Assign or unassign users from alerts

edit

Allows you to assign and unassign users from alerts.

Request URL

edit

POST <kibana host>:<port>/api/detection_engine/signals/assignees

Request body

edit

A JSON object with the assignees and ids fields:

Name	Type	Description	Required
`assignees`	Object[]	An array of unique identifiers (UIDs) for user profiles. Properties of the `assignees` object: `add`: (Required, string[]) An array of assignees you want to add. `remove`: (Required, string[]) An array of assignees you want to unassign. You cannot add and remove the same assignee.	Yes
`ids`	String[]	An array of alert IDs.	Yes

Example request

edit

Assigns and unassigns users to alerts:

POST api/detection_engine/signals/assignees

{
  "assignees": {
    "add": ["u_o4kzon2tUP0u189YjKVT0rTR_HBOED3JmyLLE6MrulY_0"],
    "remove": ["u_P4HW8xg4_xRVI7Oa-i6Ys1Gxe7k3jqZteAeZe6ZctEc_0"]
  },
  "ids": [
    "854f5eceeec1b4cd5495ad18c4259d6e5631a6677bc10c033edb318397d45459",
    "00968e97805854d0aa356968cad971d5184cdf91ebd458720c5b4099f4a5229a"
  ]
}

Copy as curl

Response code

edit

200: Indicates a successful call.

Response payload

edit

A JSON object containing the number of updated alerts.

Example response:

{
  "took": 67,
  "timed_out": false,
  "total": 2,
  "updated": 2,
  "deleted": 0,
  "batches": 1,
  "version_conflicts": 0,
  "noops": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "throttled_millis": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0,
  "failures": []
}

« Privileges endpoint Prebuilt rules »

Was this helpful?

Feedback

The Search AI Company

Generative AI

Search

Security

Observability

By solution

Industries

Signals endpoint