Finds Attack discoveries that match the search criteria

GET /api/attack_discovery/_find

Finds Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting.

Query parameters

  • alert_ids array[string]

    Filter results to Attack discoveries that include any of the provided alert IDs

  • connector_names array[string]

    Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable connector_name property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from connector_id values used to generate Attack discoveries.

  • enable_field_rendering boolean

    Enables a markdown syntax used to render pivot fields, for example {{ user.name james }}. When disabled, the same example would be rendered as james. This is primarily used for Attack discovery views within Kibana. Defaults to false.

    Default value is false.

  • end string

    End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h").

  • ids array[string]

    Filter results to the Attack discoveries with the specified IDs

  • include_unique_alert_ids boolean

    If true, the response will include unique_alert_ids and unique_alert_ids_count aggregated across the matched Attack discoveries

  • page integer

    Page number to return (used for pagination). Defaults to 1.

    Minimum value is 1. Default value is 1.

  • per_page integer

    Number of Attack discoveries to return per page (used for pagination). Defaults to 10.

    Minimum value is 1. Default value is 10.

  • shared boolean

    Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries are returned. Use true to return only shared discoveries, false to return only those visible to the current user.

  • sort_field string

    Field used to sort results. See AttackDiscoveryFindSortField for allowed values.

    Value is @timestamp.

  • sort_order string

    Sort order direction: asc for ascending or desc for descending. Defaults to desc.

    Values are asc or desc.

  • start string

    Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d").

  • status array[string]

    Filter by alert workflow status. Provide one or more of the allowed workflow states.

    Values are acknowledged, closed, or open.

  • with_replacements boolean

    When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to true.

    Default value is true.

Responses

  • 200 application/json

    Successful response

    • connector_names array[string] Required

      List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries.

    • data array[object] Required

      Array of matched Attack discovery objects. Each item follows the AttackDiscoveryApiAlert schema.

      An attack discovery that's also an alert (Public API with snake_case)

      • alert_ids array[string] Required

        The alert IDs that the attack discovery is based on

      • alert_rule_uuid string

        The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hoc runs)

      • alert_start string

        The optional time the attack discovery alert was created

      • alert_updated_at string

        The optional time the attack discovery alert was last updated

      • alert_updated_by_user_id string

        The optional id of the user who last updated the attack discovery alert

      • alert_updated_by_user_name string

        The optional username of the user who updated the attack discovery alert

      • alert_workflow_status string

        The optional kibana.alert.workflow_status of this attack discovery

      • alert_workflow_status_updated_at string

        The optional time the attack discovery alert workflow status was last updated

      • connector_id string Required

        The ID of the connector that generated the attack discovery

      • connector_name string Required

        The (human readable) name of the connector that generated the attack discovery

      • details_markdown string Required

        Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.

      • entity_summary_markdown string

        An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax

      • generation_uuid string Required

        The generation ID of the run that created the attack discovery

      • id string Required

        The unique ID of the attack discovery

      • mitre_attack_tactics array[string]

        An optional array of MITRE ATT&CK tactics for the attack discovery

      • replacements object

        Replacements object used to anonymize/deanonymize messages

        • * string Additional properties
      • risk_score integer

        The optional risk score of the alert (typically populated after generation)

      • summary_markdown string Required

        A markdown summary of the attack discovery, using the same syntax

      • timestamp string(nonempty) Required

        A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.

        Minimum length is 1.

      • title string Required

        A title for the attack discovery, in plain text

      • user_id string

        The optional id of the user who generated the attack discovery

      • user_name string

        The optional username of the user who generated the attack discovery (not applicable to attack discoveries generated by rules)

      • users array[object]

        The optional array of users who may view the attack discovery. When empty (or not present), all users may view the attack discovery.

        Could be any string, not necessarily a UUID.

        • id string

          User id.

        • name string

          User name.

    • page integer Required

      Current page number of the paginated result set.

    • per_page integer Required

      Number of items requested per page.

    • total integer Required

      Total number of Attack discoveries matching the query (across all pages).

    • unique_alert_ids array[string]

      List of unique alert IDs aggregated from the matched Attack discoveries. Only present if include_unique_alert_ids=true in the request.

    • unique_alert_ids_count integer Required

      Number of unique alert IDs across all matched Attack discoveries. Only present if include_unique_alert_ids=true in the request.

  • 400 application/json

    Generic Error

    • error string

      Error type

    • message string

      Human-readable error message

    • status_code number

      HTTP status code

GET /api/attack_discovery/_find
curl \
  --request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \
  --header "Authorization: $API_KEY" \
  --header "Content-Type: application/json"
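The request parameters and the 200 response shape above, exercised end to end as an added example (this is not Kibana's or Elastic's own client code). build_find_query checks the documented constraints client-side (page and per_page at least 1, status restricted to acknowledged/closed/open, the single sort_field value) and repeats array parameters the way the curl example does; iter_attack_discoveries pages through results using the page, per_page and total fields of the response; strip_field_rendering applies the reduction the enable_field_rendering description gives ("{{ user.name james }}" becomes "james"); unique_alert_ids asks the server for the include_unique_alert_ids aggregate. Kibana is never contacted: fake_transport is a constructed stand-in serving constructed sample records, and every function name and record here is an assumption rather than something the reference defines.

```python
"""Client-side helpers for GET /api/attack_discovery/_find. Added example, not
Kibana's own client; fake_transport stands in for Kibana so it runs offline."""
from __future__ import annotations

import re
from typing import Callable, Iterator
from urllib.parse import parse_qs, urlencode

ALLOWED_STATUS = {"acknowledged", "closed", "open"}
ALLOWED_SORT_ORDER = {"asc", "desc"}
ALLOWED_SORT_FIELD = {"@timestamp"}  # the only sort_field value the reference lists
Transport = Callable[[str], dict]  # query string -> decoded JSON response body


def build_find_query(*, start=None, end=None, shared=None, page=1, per_page=10,
                     sort_field="@timestamp", sort_order="desc",
                     include_unique_alert_ids=False, with_replacements=True,
                     enable_field_rendering=False, status=None, alert_ids=None,
                     ids=None, connector_names=None) -> str:
    """Check the documented constraints and return the encoded query string."""
    if page < 1 or per_page < 1:
        raise ValueError("page and per_page must be >= 1")
    if sort_order not in ALLOWED_SORT_ORDER or sort_field not in ALLOWED_SORT_FIELD:
        raise ValueError("unsupported sort_field/sort_order")
    if set(status or []) - ALLOWED_STATUS:
        raise ValueError(f"status values must be in {sorted(ALLOWED_STATUS)}")
    scalars = {"start": start, "end": end, "shared": shared, "page": page,
               "per_page": per_page, "sort_field": sort_field, "sort_order": sort_order,
               "include_unique_alert_ids": include_unique_alert_ids,
               "with_replacements": with_replacements,
               "enable_field_rendering": enable_field_rendering}
    params = [(k, str(v).lower() if isinstance(v, bool) else str(v))
              for k, v in scalars.items() if v is not None]
    # Array parameters are repeated, e.g. status=open&status=acknowledged.
    for key, values in (("status", status), ("alert_ids", alert_ids),
                        ("ids", ids), ("connector_names", connector_names)):
        params.extend((key, v) for v in values or [])
    return urlencode(params)  # "@timestamp" becomes %40timestamp, as in the curl example


# With enable_field_rendering=false the reference says "{{ user.name james }}"
# comes back as plain "james"; this applies the same reduction locally.
PIVOT_FIELD = re.compile(r"\{\{\s*\S+\s+(.*?)\s*\}\}")


def strip_field_rendering(markdown: str) -> str:
    return PIVOT_FIELD.sub(lambda m: m.group(1), markdown)


def iter_attack_discoveries(transport: Transport, per_page: int = 10, **filters) -> Iterator[dict]:
    """Walk every page; the response's page, per_page and total say when to stop."""
    page = 1
    while True:
        body = transport(build_find_query(page=page, per_page=per_page, **filters))
        yield from body["data"]
        if body["page"] * body["per_page"] >= body["total"]:
            return
        page += 1


def collect_open_discoveries(transport: Transport, per_page: int = 10) -> list[dict]:
    """Triage view: open/acknowledged discoveries from the last 24h as plain text."""
    return [{"id": d["id"], "alerts": d["alert_ids"],
             "summary": strip_field_rendering(d["summary_markdown"])}
            for d in iter_attack_discoveries(transport, per_page=per_page, start="now-24h",
                                             end="now", status=["open", "acknowledged"])]


def unique_alert_ids(transport: Transport, **filters) -> list[str]:
    """Let the server aggregate unique alert IDs instead of paging through everything."""
    body = transport(build_find_query(per_page=1, include_unique_alert_ids=True, **filters))
    return body["unique_alert_ids"]


# Constructed sample data (not real discoveries), trimmed to the fields used here.
SAMPLE_DISCOVERIES = [
    {"id": "ad-1", "alert_ids": ["a1", "a2"], "alert_workflow_status": "open",
     "connector_name": "GPT-5 Chat", "timestamp": "2025-01-01T00:00:00.000Z",
     "summary_markdown": "{{ user.name james }} ran a credential dumper on {{ host.name web-01 }}"},
    {"id": "ad-2", "alert_ids": ["a2", "a3"], "alert_workflow_status": "acknowledged",
     "connector_name": "GPT-5 Chat", "timestamp": "2025-01-01T00:05:00.000Z",
     "summary_markdown": "{{ host.name web-01 }} reached {{ host.name db-01 }} over SMB"},
    {"id": "ad-3", "alert_ids": ["a4"], "alert_workflow_status": "closed",
     "connector_name": "GPT-5 Chat", "timestamp": "2024-12-31T23:00:00.000Z",
     "summary_markdown": "closed finding"},
]


def fake_transport(query: str) -> dict:
    """Stand-in for Kibana: filters and paginates the sample in the documented 200 shape."""
    q = parse_qs(query)
    wanted = set(q.get("status", ALLOWED_STATUS))
    matched = [d for d in SAMPLE_DISCOVERIES if d["alert_workflow_status"] in wanted]
    page, per_page = int(q["page"][0]), int(q["per_page"][0])
    body = {"data": matched[(page - 1) * per_page:page * per_page], "page": page,
            "per_page": per_page, "total": len(matched),
            "connector_names": sorted({d["connector_name"] for d in matched})}
    if q.get("include_unique_alert_ids", ["false"])[0] == "true":
        body["unique_alert_ids"] = sorted({a for d in matched for a in d["alert_ids"]})
        body["unique_alert_ids_count"] = len(body["unique_alert_ids"])
    return body
```

To run this against a real deployment, replace fake_transport with a function that performs the GET from the curl example (same path, same Authorization header) and returns the decoded JSON; the paging, validation and rendering code stays the same. Note that the fake only honours status, page, per_page and include_unique_alert_ids; the other filters are validated and encoded but not applied to the sample.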