Find and/or aggregate detection alerts

POST /api/detection_engine/signals/search

Api key auth

Find and/or aggregate detection alerts that match the given query.

application/json

Body Required

Search and/or aggregation query

_source boolean | string | array[string]

One of:
boolean-1 boolean string-2 string array-3 array[string]
aggs object

Additional properties are allowed.
fields array[string]
query object

Additional properties are allowed.
runtime_mappings object

Additional properties are allowed.
size integer

Minimum value is 0.
sort string | object | array[string | object]

One of:
string-1 string object-2 object array-2 array[string | object]

Additional properties are allowed.

Any of:
string-1 string object-2 object

Additional properties are allowed.
track_total_hits boolean

Responses

200 application/json

Successful response

Elasticsearch search response

Additional properties are allowed.
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/signals/search

curl \ --request POST 'https://<KIBANA_URL>/api/detection_engine/signals/search' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" \ --data '{"aggs":{"missingFields":{"missing":{"field":"host.name"}},"alertsByGrouping":{"terms":{"size":10,"field":"host.name"}}},"size":0,"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"should":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{}}'

Request example

{ "aggs": { "missingFields": { "missing": { "field": "host.name" } }, "alertsByGrouping": { "terms": { "size": 10, "field": "host.name" } } }, "size": 0, "query": { "bool": { "filter": [ { "bool": { "must": [], "filter": [ { "match_phrase": { "kibana.alert.workflow_status": "open" } } ], "should": [], "must_not": [ { "exists": { "field": "kibana.alert.building_block_type" } } ] } }, { "range": { "@timestamp": { "gte": "2025-01-17T08:00:00.000Z", "lte": "2025-01-18T07:59:59.999Z" } } } ] } }, "runtime_mappings": {} }

Response examples (200)

{ "hits": { "hits": [], "total": { "value": 5, "relation": "eq" }, "max_score": null }, "took": 0, "_shards": { "total": 1, "failed": 0, "skipped": 0, "successful": 1 }, "timed_out": false, "aggregations": { "missingFields": { "doc_count": 0 }, "alertsByGrouping": { "buckets": [ { "key": "Host-f43kkddfyc", "doc_count": 5 } ], "sum_other_doc_count": 0, "doc_count_error_upper_bound": 0 } } }

Find and/or aggregate detection alerts

Body Required

_source boolean | string | array[string]

sort string | object | array[string | object]

Responses