elasticstack.KibanaSecurityDetectionRule
Creates or updates a Kibana Security detection rule in the target Kibana space (see `spaceId`). See the Kibana detection rules API documentation for the semantics of each field; the examples below only exercise the `query` rule type.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as elasticstack from "@pulumi/elasticstack";
// Values shared by both example rules below. Keeping them in one place stops
// the rule metadata from drifting between declarations.
const sharedRuleType = "query";
const sharedLanguage = "kuery";
const sharedLicense = "Elastic License v2";
const queryWindowEnd = "now";

// Markdown shown to analysts on alerts raised by the PowerShell rule.
const investigationSteps = ` ## Investigation Steps
1. Examine the full PowerShell command line
2. Decode any base64 encoded content
3. Check the parent process that spawned PowerShell
4. Review network connections made during execution
5. Check for file system modifications
`;

// Markdown shown in the rule's setup guide.
const prerequisites = ` ## Prerequisites
- Windows endpoint monitoring must be enabled
- PowerShell logging should be configured
- Sysmon or equivalent process monitoring required
`;

// Basic security detection rule: flags logons by the "admin" account.
// NOTE(review): no `indices` is set, so this rule presumably searches the
// Kibana default index pattern of the space -- confirm that pattern covers
// your authentication logs. `user.name:admin` is an exact term match, so
// variants such as "Administrator" will not fire this rule unless the query
// is widened.
const example = new elasticstack.KibanaSecurityDetectionRule("example", {
    type: sharedRuleType,
    language: sharedLanguage,
    query: "event.action:logon AND user.name:admin",
    // A 6-minute lookback on a 5-minute schedule overlaps each run by one
    // minute so that late-indexed events are still seen.
    from: "now-6m",
    to: queryWindowEnd,
    interval: "5m",
    // The rule is live as soon as the stack is applied.
    enabled: true,
    severity: "high",
    riskScore: 75,
    // Analyst-facing metadata.
    description: "Detects suspicious admin logon activities",
    authors: ["Security Team"],
    license: sharedLicense,
    tags: ["security", "authentication", "admin"],
    references: [
        "https://example.com/security-docs",
        "https://example.com/admin-access-policy",
    ],
    falsePositives: ["Legitimate admin access during maintenance windows"],
    setup: "Ensure that authentication logs are being collected and indexed.",
    note: "Investigate the source IP and verify if the admin access is legitimate.",
});

// Advanced security detection rule: encoded PowerShell command lines.
// NOTE(review): the query only matches the literal process name
// `powershell.exe` and an argument containing `encoded`; `pwsh.exe`,
// differently-cased names (if the field is a case-sensitive keyword) and the
// abbreviated `-enc` / `-e` switch forms would presumably be missed -- confirm
// against your field mappings before relying on it.
const advanced = new elasticstack.KibanaSecurityDetectionRule("advanced", {
    type: sharedRuleType,
    language: sharedLanguage,
    query: "process.name:powershell.exe AND process.args:*encoded*",
    // Explicit index scope instead of the space default.
    indices: ["winlogbeat-*", "logs-windows-*"],
    // A 10-minute lookback on a 2-minute schedule re-reads most of the window
    // on every run; events seen twice are presumably de-duplicated by the
    // detection engine -- confirm if alert volume looks inflated.
    from: "now-10m",
    to: queryWindowEnd,
    interval: "2m",
    // Cap on alerts generated per run.
    maxSignals: 200,
    enabled: true,
    severity: "critical",
    riskScore: 90,
    // NOTE(review): Kibana bumps a rule's version when it is edited in the
    // UI; pinning `version` here presumably makes the provider revert such
    // edits -- confirm which side is meant to be the source of truth.
    version: 1,
    // Analyst-facing metadata.
    description: "Detects encoded PowerShell commands which may indicate malicious activity",
    authors: ["Threat Intelligence Team", "SOC Analysts"],
    license: sharedLicense,
    tags: ["windows", "powershell", "encoded", "malware", "critical"],
    references: [
        "https://attack.mitre.org/techniques/T1059/001/",
        "https://example.com/powershell-security-guide",
    ],
    falsePositives: [
        "Legitimate encoded PowerShell scripts used by automation",
        "Software installation scripts",
    ],
    setup: prerequisites,
    note: investigationSteps,
});
import pulumi
import pulumi_elasticstack as elasticstack
# Values shared by both example rules below. Keeping them in one place stops
# the rule metadata from drifting between declarations.
SHARED_RULE_ARGS = {
    "type": "query",
    "language": "kuery",
    "license": "Elastic License v2",
    "to": "now",
    # Both rules are live as soon as the stack is applied.
    "enabled": True,
}

# Markdown shown to analysts on alerts raised by the PowerShell rule.
INVESTIGATION_STEPS = """ ## Investigation Steps
1. Examine the full PowerShell command line
2. Decode any base64 encoded content
3. Check the parent process that spawned PowerShell
4. Review network connections made during execution
5. Check for file system modifications
"""

# Markdown shown in the rule's setup guide.
PREREQUISITES = """ ## Prerequisites
- Windows endpoint monitoring must be enabled
- PowerShell logging should be configured
- Sysmon or equivalent process monitoring required
"""

# Basic security detection rule: flags logons by the "admin" account.
# NOTE(review): no `indices` is set, so this rule presumably searches the
# Kibana default index pattern of the space -- confirm that pattern covers
# your authentication logs. `user.name:admin` is an exact term match, so
# variants such as "Administrator" will not fire without widening the query.
example = elasticstack.KibanaSecurityDetectionRule(
    "example",
    query="event.action:logon AND user.name:admin",
    # A 6-minute lookback on a 5-minute schedule overlaps each run by one
    # minute so that late-indexed events are still seen.
    from_="now-6m",
    interval="5m",
    severity="high",
    risk_score=75,
    # Analyst-facing metadata.
    description="Detects suspicious admin logon activities",
    authors=["Security Team"],
    tags=["security", "authentication", "admin"],
    references=[
        "https://example.com/security-docs",
        "https://example.com/admin-access-policy",
    ],
    false_positives=["Legitimate admin access during maintenance windows"],
    setup="Ensure that authentication logs are being collected and indexed.",
    note="Investigate the source IP and verify if the admin access is legitimate.",
    **SHARED_RULE_ARGS,
)

# Advanced security detection rule: encoded PowerShell command lines.
# NOTE(review): the query only matches the literal process name
# `powershell.exe` and an argument containing `encoded`; `pwsh.exe`,
# differently-cased names (if the field is a case-sensitive keyword) and the
# abbreviated `-enc` / `-e` switch forms would presumably be missed -- confirm
# against your field mappings before relying on it.
advanced = elasticstack.KibanaSecurityDetectionRule(
    "advanced",
    query="process.name:powershell.exe AND process.args:*encoded*",
    # Explicit index scope instead of the space default.
    indices=["winlogbeat-*", "logs-windows-*"],
    # A 10-minute lookback on a 2-minute schedule re-reads most of the window
    # on every run; events seen twice are presumably de-duplicated by the
    # detection engine -- confirm if alert volume looks inflated.
    from_="now-10m",
    interval="2m",
    # Cap on alerts generated per run.
    max_signals=200,
    severity="critical",
    risk_score=90,
    # NOTE(review): Kibana bumps a rule's version when it is edited in the UI;
    # pinning `version` here presumably makes the provider revert such edits
    # -- confirm which side is meant to be the source of truth.
    version=1,
    # Analyst-facing metadata.
    description="Detects encoded PowerShell commands which may indicate malicious activity",
    authors=["Threat Intelligence Team", "SOC Analysts"],
    tags=["windows", "powershell", "encoded", "malware", "critical"],
    references=[
        "https://attack.mitre.org/techniques/T1059/001/",
        "https://example.com/powershell-security-guide",
    ],
    false_positives=[
        "Legitimate encoded PowerShell scripts used by automation",
        "Software installation scripts",
    ],
    setup=PREREQUISITES,
    note=INVESTIGATION_STEPS,
    **SHARED_RULE_ARGS,
)
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/elasticstack/elasticstack"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Values shared by both example rules. Keeping them in one place
		// stops the rule metadata from drifting between declarations.
		const (
			ruleType     = "query"
			ruleLanguage = "kuery"
			ruleLicense  = "Elastic License v2"
			windowEnd    = "now"
		)

		// Markdown shown to analysts on alerts raised by the PowerShell rule.
		const investigationSteps = ` ## Investigation Steps
1. Examine the full PowerShell command line
2. Decode any base64 encoded content
3. Check the parent process that spawned PowerShell
4. Review network connections made during execution
5. Check for file system modifications
`

		// Markdown shown in the rule's setup guide.
		const prerequisites = ` ## Prerequisites
- Windows endpoint monitoring must be enabled
- PowerShell logging should be configured
- Sysmon or equivalent process monitoring required
`

		// Basic security detection rule: flags logons by the "admin" account.
		// NOTE(review): no Indices is set, so this rule presumably searches the
		// Kibana default index pattern of the space -- confirm that pattern
		// covers your authentication logs. `user.name:admin` is an exact term
		// match, so variants such as "Administrator" will not fire without
		// widening the query.
		basicArgs := &elasticstack.KibanaSecurityDetectionRuleArgs{
			Type:     pulumi.String(ruleType),
			Language: pulumi.String(ruleLanguage),
			Query:    pulumi.String("event.action:logon AND user.name:admin"),
			// A 6-minute lookback on a 5-minute schedule overlaps each run by
			// one minute so that late-indexed events are still seen.
			From:     pulumi.String("now-6m"),
			To:       pulumi.String(windowEnd),
			Interval: pulumi.String("5m"),
			// The rule is live as soon as the stack is applied.
			Enabled:   pulumi.Bool(true),
			Severity:  pulumi.String("high"),
			RiskScore: pulumi.Float64(75),
			// Analyst-facing metadata.
			Description: pulumi.String("Detects suspicious admin logon activities"),
			Authors:     pulumi.ToStringArray([]string{"Security Team"}),
			License:     pulumi.String(ruleLicense),
			Tags:        pulumi.ToStringArray([]string{"security", "authentication", "admin"}),
			References: pulumi.ToStringArray([]string{
				"https://example.com/security-docs",
				"https://example.com/admin-access-policy",
			}),
			FalsePositives: pulumi.ToStringArray([]string{"Legitimate admin access during maintenance windows"}),
			Setup:          pulumi.String("Ensure that authentication logs are being collected and indexed."),
			Note:           pulumi.String("Investigate the source IP and verify if the admin access is legitimate."),
		}
		if _, err := elasticstack.NewKibanaSecurityDetectionRule(ctx, "example", basicArgs); err != nil {
			return err
		}

		// Advanced security detection rule: encoded PowerShell command lines.
		// NOTE(review): the query only matches the literal process name
		// `powershell.exe` and an argument containing `encoded`; `pwsh.exe`,
		// differently-cased names (if the field is a case-sensitive keyword)
		// and the abbreviated `-enc` / `-e` switch forms would presumably be
		// missed -- confirm against your field mappings before relying on it.
		advancedArgs := &elasticstack.KibanaSecurityDetectionRuleArgs{
			Type:     pulumi.String(ruleType),
			Language: pulumi.String(ruleLanguage),
			Query:    pulumi.String("process.name:powershell.exe AND process.args:*encoded*"),
			// Explicit index scope instead of the space default.
			Indices: pulumi.ToStringArray([]string{"winlogbeat-*", "logs-windows-*"}),
			// A 10-minute lookback on a 2-minute schedule re-reads most of the
			// window on every run; events seen twice are presumably
			// de-duplicated by the detection engine -- confirm if alert
			// volume looks inflated.
			From:     pulumi.String("now-10m"),
			To:       pulumi.String(windowEnd),
			Interval: pulumi.String("2m"),
			// Cap on alerts generated per run.
			MaxSignals: pulumi.Float64(200),
			Enabled:    pulumi.Bool(true),
			Severity:   pulumi.String("critical"),
			RiskScore:  pulumi.Float64(90),
			// NOTE(review): Kibana bumps a rule's version when it is edited in
			// the UI; pinning Version here presumably makes the provider
			// revert such edits -- confirm which side is the source of truth.
			Version: pulumi.Float64(1),
			// Analyst-facing metadata.
			Description: pulumi.String("Detects encoded PowerShell commands which may indicate malicious activity"),
			Authors:     pulumi.ToStringArray([]string{"Threat Intelligence Team", "SOC Analysts"}),
			License:     pulumi.String(ruleLicense),
			Tags:        pulumi.ToStringArray([]string{"windows", "powershell", "encoded", "malware", "critical"}),
			References: pulumi.ToStringArray([]string{
				"https://attack.mitre.org/techniques/T1059/001/",
				"https://example.com/powershell-security-guide",
			}),
			FalsePositives: pulumi.ToStringArray([]string{
				"Legitimate encoded PowerShell scripts used by automation",
				"Software installation scripts",
			}),
			Setup: pulumi.String(prerequisites),
			Note:  pulumi.String(investigationSteps),
		}
		if _, err := elasticstack.NewKibanaSecurityDetectionRule(ctx, "advanced", advancedArgs); err != nil {
			return err
		}

		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Elasticstack = Pulumi.Elasticstack;
return await Deployment.RunAsync(() =>
{
    // Values shared by both example rules. Keeping them in one place stops
    // the rule metadata from drifting between declarations.
    const string ruleType = "query";
    const string ruleLanguage = "kuery";
    const string ruleLicense = "Elastic License v2";
    const string windowEnd = "now";

    // Markdown shown to analysts on alerts raised by the PowerShell rule.
    const string investigationSteps = @" ## Investigation Steps
1. Examine the full PowerShell command line
2. Decode any base64 encoded content
3. Check the parent process that spawned PowerShell
4. Review network connections made during execution
5. Check for file system modifications
";

    // Markdown shown in the rule's setup guide.
    const string prerequisites = @" ## Prerequisites
- Windows endpoint monitoring must be enabled
- PowerShell logging should be configured
- Sysmon or equivalent process monitoring required
";

    // Basic security detection rule: flags logons by the "admin" account.
    // NOTE(review): no Indices is set, so this rule presumably searches the
    // Kibana default index pattern of the space -- confirm that pattern covers
    // your authentication logs. `user.name:admin` is an exact term match, so
    // variants such as "Administrator" will not fire without widening the query.
    var example = new Elasticstack.KibanaSecurityDetectionRule("example", new()
    {
        Type = ruleType,
        Language = ruleLanguage,
        Query = "event.action:logon AND user.name:admin",
        // A 6-minute lookback on a 5-minute schedule overlaps each run by one
        // minute so that late-indexed events are still seen.
        From = "now-6m",
        To = windowEnd,
        Interval = "5m",
        // The rule is live as soon as the stack is applied.
        Enabled = true,
        Severity = "high",
        RiskScore = 75,
        // Analyst-facing metadata.
        Description = "Detects suspicious admin logon activities",
        Authors = new string[] { "Security Team" },
        License = ruleLicense,
        Tags = new string[] { "security", "authentication", "admin" },
        References = new string[]
        {
            "https://example.com/security-docs",
            "https://example.com/admin-access-policy",
        },
        FalsePositives = new string[] { "Legitimate admin access during maintenance windows" },
        Setup = "Ensure that authentication logs are being collected and indexed.",
        Note = "Investigate the source IP and verify if the admin access is legitimate.",
    });

    // Advanced security detection rule: encoded PowerShell command lines.
    // NOTE(review): the query only matches the literal process name
    // `powershell.exe` and an argument containing `encoded`; `pwsh.exe`,
    // differently-cased names (if the field is a case-sensitive keyword) and
    // the abbreviated `-enc` / `-e` switch forms would presumably be missed --
    // confirm against your field mappings before relying on it.
    var advanced = new Elasticstack.KibanaSecurityDetectionRule("advanced", new()
    {
        Type = ruleType,
        Language = ruleLanguage,
        Query = "process.name:powershell.exe AND process.args:*encoded*",
        // Explicit index scope instead of the space default.
        Indices = new string[] { "winlogbeat-*", "logs-windows-*" },
        // A 10-minute lookback on a 2-minute schedule re-reads most of the
        // window on every run; events seen twice are presumably de-duplicated
        // by the detection engine -- confirm if alert volume looks inflated.
        From = "now-10m",
        To = windowEnd,
        Interval = "2m",
        // Cap on alerts generated per run.
        MaxSignals = 200,
        Enabled = true,
        Severity = "critical",
        RiskScore = 90,
        // NOTE(review): Kibana bumps a rule's version when it is edited in the
        // UI; pinning Version here presumably makes the provider revert such
        // edits -- confirm which side is meant to be the source of truth.
        Version = 1,
        // Analyst-facing metadata.
        Description = "Detects encoded PowerShell commands which may indicate malicious activity",
        Authors = new string[] { "Threat Intelligence Team", "SOC Analysts" },
        License = ruleLicense,
        Tags = new string[] { "windows", "powershell", "encoded", "malware", "critical" },
        References = new string[]
        {
            "https://attack.mitre.org/techniques/T1059/001/",
            "https://example.com/powershell-security-guide",
        },
        FalsePositives = new string[]
        {
            "Legitimate encoded PowerShell scripts used by automation",
            "Software installation scripts",
        },
        Setup = prerequisites,
        Note = investigationSteps,
    });
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.elasticstack.KibanaSecurityDetectionRule;
import com.pulumi.elasticstack.KibanaSecurityDetectionRuleArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    // Values shared by both example rules. Keeping them in one place stops
    // the rule metadata from drifting between declarations.
    private static final String RULE_TYPE = "query";
    private static final String RULE_LANGUAGE = "kuery";
    private static final String RULE_LICENSE = "Elastic License v2";
    private static final String WINDOW_END = "now";

    // Markdown shown to analysts on alerts raised by the PowerShell rule.
    // The first line keeps one leading space relative to the closing
    // delimiter, matching the other language examples.
    private static final String INVESTIGATION_STEPS = """
         ## Investigation Steps
        1. Examine the full PowerShell command line
        2. Decode any base64 encoded content
        3. Check the parent process that spawned PowerShell
        4. Review network connections made during execution
        5. Check for file system modifications
        """;

    // Markdown shown in the rule's setup guide.
    private static final String PREREQUISITES = """
         ## Prerequisites
        - Windows endpoint monitoring must be enabled
        - PowerShell logging should be configured
        - Sysmon or equivalent process monitoring required
        """;

    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares both example rules. {@code ctx} is not read; it is kept so the
     * method can be passed to {@link Pulumi#run} unchanged.
     */
    public static void stack(Context ctx) {
        declareBasicRule();
        declareAdvancedRule();
    }

    /**
     * Basic security detection rule: flags logons by the "admin" account.
     * NOTE(review): no indices are set, so this rule presumably searches the
     * Kibana default index pattern of the space -- confirm that pattern covers
     * your authentication logs. {@code user.name:admin} is an exact term match,
     * so variants such as "Administrator" will not fire without widening it.
     */
    private static KibanaSecurityDetectionRule declareBasicRule() {
        return new KibanaSecurityDetectionRule("example", KibanaSecurityDetectionRuleArgs.builder()
            .type(RULE_TYPE)
            .language(RULE_LANGUAGE)
            .query("event.action:logon AND user.name:admin")
            // A 6-minute lookback on a 5-minute schedule overlaps each run by
            // one minute so that late-indexed events are still seen.
            .from("now-6m")
            .to(WINDOW_END)
            .interval("5m")
            // The rule is live as soon as the stack is applied.
            .enabled(true)
            .severity("high")
            .riskScore(75)
            // Analyst-facing metadata.
            .description("Detects suspicious admin logon activities")
            .authors("Security Team")
            .license(RULE_LICENSE)
            .tags("security", "authentication", "admin")
            .references(
                "https://example.com/security-docs",
                "https://example.com/admin-access-policy")
            .falsePositives("Legitimate admin access during maintenance windows")
            .setup("Ensure that authentication logs are being collected and indexed.")
            .note("Investigate the source IP and verify if the admin access is legitimate.")
            .build());
    }

    /**
     * Advanced security detection rule: encoded PowerShell command lines.
     * NOTE(review): the query only matches the literal process name
     * {@code powershell.exe} and an argument containing {@code encoded};
     * {@code pwsh.exe}, differently-cased names (if the field is a
     * case-sensitive keyword) and the abbreviated {@code -enc} / {@code -e}
     * switch forms would presumably be missed -- confirm against your field
     * mappings before relying on it.
     */
    private static KibanaSecurityDetectionRule declareAdvancedRule() {
        return new KibanaSecurityDetectionRule("advanced", KibanaSecurityDetectionRuleArgs.builder()
            .type(RULE_TYPE)
            .language(RULE_LANGUAGE)
            .query("process.name:powershell.exe AND process.args:*encoded*")
            // Explicit index scope instead of the space default.
            .indices("winlogbeat-*", "logs-windows-*")
            // A 10-minute lookback on a 2-minute schedule re-reads most of the
            // window on every run; events seen twice are presumably
            // de-duplicated by the detection engine -- confirm if alert volume
            // looks inflated.
            .from("now-10m")
            .to(WINDOW_END)
            .interval("2m")
            // Cap on alerts generated per run.
            .maxSignals(200)
            .enabled(true)
            .severity("critical")
            .riskScore(90)
            // NOTE(review): Kibana bumps a rule's version when it is edited in
            // the UI; pinning version here presumably makes the provider
            // revert such edits -- confirm which side is the source of truth.
            .version(1)
            // Analyst-facing metadata.
            .description("Detects encoded PowerShell commands which may indicate malicious activity")
            .authors("Threat Intelligence Team", "SOC Analysts")
            .license(RULE_LICENSE)
            .tags("windows", "powershell", "encoded", "malware", "critical")
            .references(
                "https://attack.mitre.org/techniques/T1059/001/",
                "https://example.com/powershell-security-guide")
            .falsePositives(
                "Legitimate encoded PowerShell scripts used by automation",
                "Software installation scripts")
            .setup(PREREQUISITES)
            .note(INVESTIGATION_STEPS)
            .build());
    }
}
resources:
  # Basic security detection rule: flags logons by the "admin" account.
  # NOTE(review): no `indices` is set, so this rule presumably searches the
  # Kibana default index pattern of the space -- confirm that pattern covers
  # your authentication logs. `user.name:admin` is an exact term match, so
  # variants such as "Administrator" will not fire without widening the query.
  example:
    type: elasticstack:KibanaSecurityDetectionRule
    properties:
      type: query
      language: kuery
      query: "event.action:logon AND user.name:admin"
      # A 6-minute lookback on a 5-minute schedule overlaps each run by one
      # minute so that late-indexed events are still seen.
      from: now-6m
      to: now
      interval: 5m
      # The rule is live as soon as the stack is applied.
      enabled: true
      severity: high
      riskScore: 75
      # Analyst-facing metadata.
      description: "Detects suspicious admin logon activities"
      authors: [Security Team]
      license: Elastic License v2
      tags: [security, authentication, admin]
      references:
        - https://example.com/security-docs
        - https://example.com/admin-access-policy
      falsePositives: ["Legitimate admin access during maintenance windows"]
      setup: "Ensure that authentication logs are being collected and indexed."
      note: "Investigate the source IP and verify if the admin access is legitimate."

  # Advanced security detection rule: encoded PowerShell command lines.
  # NOTE(review): the query only matches the literal process name
  # `powershell.exe` and an argument containing `encoded`; `pwsh.exe`,
  # differently-cased names (if the field is a case-sensitive keyword) and the
  # abbreviated `-enc` / `-e` switch forms would presumably be missed --
  # confirm against your field mappings before relying on it.
  advanced:
    type: elasticstack:KibanaSecurityDetectionRule
    properties:
      type: query
      language: kuery
      query: "process.name:powershell.exe AND process.args:*encoded*"
      # Explicit index scope instead of the space default.
      indices: [winlogbeat-*, logs-windows-*]
      # A 10-minute lookback on a 2-minute schedule re-reads most of the
      # window on every run; events seen twice are presumably de-duplicated by
      # the detection engine -- confirm if alert volume looks inflated.
      from: now-10m
      to: now
      interval: 2m
      # Cap on alerts generated per run.
      maxSignals: 200
      enabled: true
      severity: critical
      riskScore: 90
      # NOTE(review): Kibana bumps a rule's version when it is edited in the
      # UI; pinning `version` here presumably makes the provider revert such
      # edits -- confirm which side is meant to be the source of truth.
      version: 1
      # Analyst-facing metadata.
      description: "Detects encoded PowerShell commands which may indicate malicious activity"
      authors: [Threat Intelligence Team, SOC Analysts]
      license: Elastic License v2
      tags: [windows, powershell, encoded, malware, critical]
      references:
        - https://attack.mitre.org/techniques/T1059/001/
        - https://example.com/powershell-security-guide
      falsePositives:
        - "Legitimate encoded PowerShell scripts used by automation"
        - "Software installation scripts"
      # Block scalars keep the single leading space on the heading line and
      # the trailing newline, matching the other language examples.
      setup: |2+
         ## Prerequisites
        - Windows endpoint monitoring must be enabled
        - PowerShell logging should be configured
        - Sysmon or equivalent process monitoring required
      note: |2+
         ## Investigation Steps
        1. Examine the full PowerShell command line
        2. Decode any base64 encoded content
        3. Check the parent process that spawned PowerShell
        4. Review network connections made during execution
        5. Check for file system modifications
Create KibanaSecurityDetectionRule Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new KibanaSecurityDetectionRule(name: string, args: KibanaSecurityDetectionRuleArgs, opts?: CustomResourceOptions);@overload
def KibanaSecurityDetectionRule(resource_name: str,
args: KibanaSecurityDetectionRuleArgs,
opts: Optional[ResourceOptions] = None)
@overload
def KibanaSecurityDetectionRule(resource_name: str,
opts: Optional[ResourceOptions] = None,
description: Optional[str] = None,
type: Optional[str] = None,
actions: Optional[Sequence[KibanaSecurityDetectionRuleActionArgs]] = None,
alert_suppression: Optional[KibanaSecurityDetectionRuleAlertSuppressionArgs] = None,
anomaly_threshold: Optional[float] = None,
authors: Optional[Sequence[str]] = None,
building_block_type: Optional[str] = None,
concurrent_searches: Optional[float] = None,
data_view_id: Optional[str] = None,
enabled: Optional[bool] = None,
exceptions_lists: Optional[Sequence[KibanaSecurityDetectionRuleExceptionsListArgs]] = None,
false_positives: Optional[Sequence[str]] = None,
filters: Optional[str] = None,
from_: Optional[str] = None,
history_window_start: Optional[str] = None,
indices: Optional[Sequence[str]] = None,
interval: Optional[str] = None,
investigation_fields: Optional[Sequence[str]] = None,
items_per_search: Optional[float] = None,
language: Optional[str] = None,
license: Optional[str] = None,
machine_learning_job_ids: Optional[Sequence[str]] = None,
max_signals: Optional[float] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
new_terms_fields: Optional[Sequence[str]] = None,
note: Optional[str] = None,
query: Optional[str] = None,
references: Optional[Sequence[str]] = None,
related_integrations: Optional[Sequence[KibanaSecurityDetectionRuleRelatedIntegrationArgs]] = None,
required_fields: Optional[Sequence[KibanaSecurityDetectionRuleRequiredFieldArgs]] = None,
response_actions: Optional[Sequence[KibanaSecurityDetectionRuleResponseActionArgs]] = None,
risk_score: Optional[float] = None,
risk_score_mappings: Optional[Sequence[KibanaSecurityDetectionRuleRiskScoreMappingArgs]] = None,
rule_id: Optional[str] = None,
rule_name_override: Optional[str] = None,
saved_id: Optional[str] = None,
setup: Optional[str] = None,
severity: Optional[str] = None,
severity_mappings: Optional[Sequence[KibanaSecurityDetectionRuleSeverityMappingArgs]] = None,
space_id: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
threat_filters: Optional[Sequence[str]] = None,
threat_indicator_path: Optional[str] = None,
threat_indices: Optional[Sequence[str]] = None,
threat_mappings: Optional[Sequence[KibanaSecurityDetectionRuleThreatMappingArgs]] = None,
threat_query: Optional[str] = None,
threats: Optional[Sequence[KibanaSecurityDetectionRuleThreatArgs]] = None,
threshold: Optional[KibanaSecurityDetectionRuleThresholdArgs] = None,
tiebreaker_field: Optional[str] = None,
timeline_id: Optional[str] = None,
timeline_title: Optional[str] = None,
timestamp_override: Optional[str] = None,
timestamp_override_fallback_disabled: Optional[bool] = None,
to: Optional[str] = None,
version: Optional[float] = None)func NewKibanaSecurityDetectionRule(ctx *Context, name string, args KibanaSecurityDetectionRuleArgs, opts ...ResourceOption) (*KibanaSecurityDetectionRule, error)public KibanaSecurityDetectionRule(string name, KibanaSecurityDetectionRuleArgs args, CustomResourceOptions? opts = null)
public KibanaSecurityDetectionRule(String name, KibanaSecurityDetectionRuleArgs args)
public KibanaSecurityDetectionRule(String name, KibanaSecurityDetectionRuleArgs args, CustomResourceOptions options)
type: elasticstack:KibanaSecurityDetectionRule
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args KibanaSecurityDetectionRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args KibanaSecurityDetectionRuleArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args KibanaSecurityDetectionRuleArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args KibanaSecurityDetectionRuleArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args KibanaSecurityDetectionRuleArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Reference example: every input property of KibanaSecurityDetectionRule with a
// placeholder value. Description and Type are listed first; the remaining
// inputs are optional and several only make sense for a particular rule Type
// (Threshold, ThreatMappings/ThreatQuery/ThreatIndices, MachineLearningJobIds/
// AnomalyThreshold, NewTermsFields/HistoryWindowStart) -- presumably ignored
// for other types; confirm against the Kibana rules API before mixing them.
var kibanaSecurityDetectionRuleResource = new Elasticstack.KibanaSecurityDetectionRule("kibanaSecurityDetectionRuleResource", new()
{
    Description = "string",
    Type = "string",
    // Connector-backed actions (notifications etc.) run when the rule fires.
    // Params and AlertsFilter are free-form string maps here.
    Actions = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleActionArgs
        {
            ActionTypeId = "string",
            Id = "string",
            Params =
            {
                { "string", "string" },
            },
            AlertsFilter =
            {
                { "string", "string" },
            },
            Frequency = new Elasticstack.Inputs.KibanaSecurityDetectionRuleActionFrequencyArgs
            {
                NotifyWhen = "string",
                Summary = false,
                Throttle = "string",
            },
            Group = "string",
            Uuid = "string",
        },
    },
    // Collapses repeated alerts sharing the GroupBies field values for Duration.
    AlertSuppression = new Elasticstack.Inputs.KibanaSecurityDetectionRuleAlertSuppressionArgs
    {
        Duration = "string",
        GroupBies = new[]
        {
            "string",
        },
        MissingFieldsStrategy = "string",
    },
    AnomalyThreshold = 0,
    Authors = new[]
    {
        "string",
    },
    BuildingBlockType = "string",
    ConcurrentSearches = 0,
    DataViewId = "string",
    // Placeholder only; real rules are usually created enabled.
    Enabled = false,
    // Exception lists referenced by id; the rule does not fire on matches.
    ExceptionsLists = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleExceptionsListArgs
        {
            Id = "string",
            ListId = "string",
            NamespaceType = "string",
            Type = "string",
        },
    },
    FalsePositives = new[]
    {
        "string",
    },
    Filters = "string",
    From = "string",
    HistoryWindowStart = "string",
    Indices = new[]
    {
        "string",
    },
    Interval = "string",
    InvestigationFields = new[]
    {
        "string",
    },
    ItemsPerSearch = 0,
    Language = "string",
    License = "string",
    MachineLearningJobIds = new[]
    {
        "string",
    },
    MaxSignals = 0,
    Name = "string",
    Namespace = "string",
    NewTermsFields = new[]
    {
        "string",
    },
    Note = "string",
    Query = "string",
    References = new[]
    {
        "string",
    },
    RelatedIntegrations = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleRelatedIntegrationArgs
        {
            Package = "string",
            Version = "string",
            Integration = "string",
        },
    },
    RequiredFields = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleRequiredFieldArgs
        {
            Name = "string",
            Type = "string",
            Ecs = false,
        },
    },
    // NOTE(review): response actions carry a Command, osquery-style Queries and
    // a Timeout, i.e. they execute on endpoints when an alert fires. Treat this
    // block as privileged configuration: review who can change the stack and
    // which credentials the provider uses to push it.
    ResponseActions = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleResponseActionArgs
        {
            ActionTypeId = "string",
            Params = new Elasticstack.Inputs.KibanaSecurityDetectionRuleResponseActionParamsArgs
            {
                Command = "string",
                Comment = "string",
                Config = new Elasticstack.Inputs.KibanaSecurityDetectionRuleResponseActionParamsConfigArgs
                {
                    Field = "string",
                    Overwrite = false,
                },
                EcsMapping =
                {
                    { "string", "string" },
                },
                PackId = "string",
                Queries = new[]
                {
                    new Elasticstack.Inputs.KibanaSecurityDetectionRuleResponseActionParamsQueryArgs
                    {
                        Id = "string",
                        Query = "string",
                        EcsMapping =
                        {
                            { "string", "string" },
                        },
                        Platform = "string",
                        Removed = false,
                        Snapshot = false,
                        Version = "string",
                    },
                },
                Query = "string",
                SavedQueryId = "string",
                Timeout = 0,
            },
        },
    },
    RiskScore = 0,
    // Per-field overrides of the static RiskScore / Severity above.
    RiskScoreMappings = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleRiskScoreMappingArgs
        {
            Field = "string",
            Operator = "string",
            Value = "string",
            RiskScore = 0,
        },
    },
    // Stable rule identifier, distinct from the Pulumi resource name and Name.
    RuleId = "string",
    RuleNameOverride = "string",
    SavedId = "string",
    Setup = "string",
    Severity = "string",
    SeverityMappings = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleSeverityMappingArgs
        {
            Field = "string",
            Operator = "string",
            Severity = "string",
            Value = "string",
        },
    },
    // Kibana space the rule is created in.
    SpaceId = "string",
    Tags = new[]
    {
        "string",
    },
    ThreatFilters = new[]
    {
        "string",
    },
    ThreatIndicatorPath = "string",
    ThreatIndices = new[]
    {
        "string",
    },
    ThreatMappings = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleThreatMappingArgs
        {
            Entries = new[]
            {
                new Elasticstack.Inputs.KibanaSecurityDetectionRuleThreatMappingEntryArgs
                {
                    Field = "string",
                    Type = "string",
                    Value = "string",
                },
            },
        },
    },
    ThreatQuery = "string",
    // MITRE ATT&CK style framework/tactic/technique annotations.
    Threats = new[]
    {
        new Elasticstack.Inputs.KibanaSecurityDetectionRuleThreatArgs
        {
            Framework = "string",
            Tactic = new Elasticstack.Inputs.KibanaSecurityDetectionRuleThreatTacticArgs
            {
                Id = "string",
                Name = "string",
                Reference = "string",
            },
            Techniques = new[]
            {
                new Elasticstack.Inputs.KibanaSecurityDetectionRuleThreatTechniqueArgs
                {
                    Id = "string",
                    Name = "string",
                    Reference = "string",
                    Subtechniques = new[]
                    {
                        new Elasticstack.Inputs.KibanaSecurityDetectionRuleThreatTechniqueSubtechniqueArgs
                        {
                            Id = "string",
                            Name = "string",
                            Reference = "string",
                        },
                    },
                },
            },
        },
    },
    Threshold = new Elasticstack.Inputs.KibanaSecurityDetectionRuleThresholdArgs
    {
        Value = 0,
        Cardinalities = new[]
        {
            new Elasticstack.Inputs.KibanaSecurityDetectionRuleThresholdCardinalityArgs
            {
                Field = "string",
                Value = 0,
            },
        },
        Fields = new[]
        {
            "string",
        },
    },
    TiebreakerField = "string",
    TimelineId = "string",
    TimelineTitle = "string",
    TimestampOverride = "string",
    TimestampOverrideFallbackDisabled = false,
    To = "string",
    // NOTE(review): Kibana bumps the version on UI edits; pinning it here
    // presumably makes the provider revert such edits -- confirm ownership.
    Version = 0,
});
// Reference example: every input property of KibanaSecurityDetectionRule with a
// placeholder value. Description and Type are listed first; the remaining
// inputs are optional and several only make sense for a particular rule Type
// (Threshold, ThreatMappings/ThreatQuery/ThreatIndices, MachineLearningJobIds/
// AnomalyThreshold, NewTermsFields/HistoryWindowStart) -- presumably ignored
// for other types; confirm against the Kibana rules API before mixing them.
example, err := elasticstack.NewKibanaSecurityDetectionRule(ctx, "kibanaSecurityDetectionRuleResource", &elasticstack.KibanaSecurityDetectionRuleArgs{
	Description: pulumi.String("string"),
	Type:        pulumi.String("string"),
	// Connector-backed actions (notifications etc.) run when the rule fires.
	// Params and AlertsFilter are free-form string maps here.
	Actions: elasticstack.KibanaSecurityDetectionRuleActionArray{
		&elasticstack.KibanaSecurityDetectionRuleActionArgs{
			ActionTypeId: pulumi.String("string"),
			Id:           pulumi.String("string"),
			Params: pulumi.StringMap{
				"string": pulumi.String("string"),
			},
			AlertsFilter: pulumi.StringMap{
				"string": pulumi.String("string"),
			},
			Frequency: &elasticstack.KibanaSecurityDetectionRuleActionFrequencyArgs{
				NotifyWhen: pulumi.String("string"),
				Summary:    pulumi.Bool(false),
				Throttle:   pulumi.String("string"),
			},
			Group: pulumi.String("string"),
			Uuid:  pulumi.String("string"),
		},
	},
	// Collapses repeated alerts sharing the GroupBies field values for Duration.
	AlertSuppression: &elasticstack.KibanaSecurityDetectionRuleAlertSuppressionArgs{
		Duration: pulumi.String("string"),
		GroupBies: pulumi.StringArray{
			pulumi.String("string"),
		},
		MissingFieldsStrategy: pulumi.String("string"),
	},
	AnomalyThreshold: pulumi.Float64(0),
	Authors: pulumi.StringArray{
		pulumi.String("string"),
	},
	BuildingBlockType:  pulumi.String("string"),
	ConcurrentSearches: pulumi.Float64(0),
	DataViewId:         pulumi.String("string"),
	// Placeholder only; real rules are usually created enabled.
	Enabled: pulumi.Bool(false),
	// Exception lists referenced by id; the rule does not fire on matches.
	ExceptionsLists: elasticstack.KibanaSecurityDetectionRuleExceptionsListArray{
		&elasticstack.KibanaSecurityDetectionRuleExceptionsListArgs{
			Id:            pulumi.String("string"),
			ListId:        pulumi.String("string"),
			NamespaceType: pulumi.String("string"),
			Type:          pulumi.String("string"),
		},
	},
	FalsePositives: pulumi.StringArray{
		pulumi.String("string"),
	},
	Filters:            pulumi.String("string"),
	From:               pulumi.String("string"),
	HistoryWindowStart: pulumi.String("string"),
	Indices: pulumi.StringArray{
		pulumi.String("string"),
	},
	Interval: pulumi.String("string"),
	InvestigationFields: pulumi.StringArray{
		pulumi.String("string"),
	},
	ItemsPerSearch: pulumi.Float64(0),
	Language:       pulumi.String("string"),
	License:        pulumi.String("string"),
	MachineLearningJobIds: pulumi.StringArray{
		pulumi.String("string"),
	},
	MaxSignals: pulumi.Float64(0),
	Name:       pulumi.String("string"),
	Namespace:  pulumi.String("string"),
	NewTermsFields: pulumi.StringArray{
		pulumi.String("string"),
	},
	Note:  pulumi.String("string"),
	Query: pulumi.String("string"),
	References: pulumi.StringArray{
		pulumi.String("string"),
	},
	RelatedIntegrations: elasticstack.KibanaSecurityDetectionRuleRelatedIntegrationArray{
		&elasticstack.KibanaSecurityDetectionRuleRelatedIntegrationArgs{
			Package:     pulumi.String("string"),
			Version:     pulumi.String("string"),
			Integration: pulumi.String("string"),
		},
	},
	RequiredFields: elasticstack.KibanaSecurityDetectionRuleRequiredFieldArray{
		&elasticstack.KibanaSecurityDetectionRuleRequiredFieldArgs{
			Name: pulumi.String("string"),
			Type: pulumi.String("string"),
			Ecs:  pulumi.Bool(false),
		},
	},
	// NOTE(review): response actions carry a Command, osquery-style Queries and
	// a Timeout, i.e. they execute on endpoints when an alert fires. Treat this
	// block as privileged configuration: review who can change the stack and
	// which credentials the provider uses to push it.
	ResponseActions: elasticstack.KibanaSecurityDetectionRuleResponseActionArray{
		&elasticstack.KibanaSecurityDetectionRuleResponseActionArgs{
			ActionTypeId: pulumi.String("string"),
			Params: &elasticstack.KibanaSecurityDetectionRuleResponseActionParamsArgs{
				Command: pulumi.String("string"),
				Comment: pulumi.String("string"),
				Config: &elasticstack.KibanaSecurityDetectionRuleResponseActionParamsConfigArgs{
					Field:     pulumi.String("string"),
					Overwrite: pulumi.Bool(false),
				},
				EcsMapping: pulumi.StringMap{
					"string": pulumi.String("string"),
				},
				PackId: pulumi.String("string"),
				Queries: elasticstack.KibanaSecurityDetectionRuleResponseActionParamsQueryArray{
					&elasticstack.KibanaSecurityDetectionRuleResponseActionParamsQueryArgs{
						Id:    pulumi.String("string"),
						Query: pulumi.String("string"),
						EcsMapping: pulumi.StringMap{
							"string": pulumi.String("string"),
						},
						Platform: pulumi.String("string"),
						Removed:  pulumi.Bool(false),
						Snapshot: pulumi.Bool(false),
						Version:  pulumi.String("string"),
					},
				},
				Query:        pulumi.String("string"),
				SavedQueryId: pulumi.String("string"),
				Timeout:      pulumi.Float64(0),
			},
		},
	},
	RiskScore: pulumi.Float64(0),
	// Per-field overrides of the static RiskScore / Severity above.
	RiskScoreMappings: elasticstack.KibanaSecurityDetectionRuleRiskScoreMappingArray{
		&elasticstack.KibanaSecurityDetectionRuleRiskScoreMappingArgs{
			Field:     pulumi.String("string"),
			Operator:  pulumi.String("string"),
			Value:     pulumi.String("string"),
			RiskScore: pulumi.Float64(0),
		},
	},
	// Stable rule identifier, distinct from the Pulumi resource name and Name.
	RuleId:           pulumi.String("string"),
	RuleNameOverride: pulumi.String("string"),
	SavedId:          pulumi.String("string"),
	Setup:            pulumi.String("string"),
	Severity:         pulumi.String("string"),
	SeverityMappings: elasticstack.KibanaSecurityDetectionRuleSeverityMappingArray{
		&elasticstack.KibanaSecurityDetectionRuleSeverityMappingArgs{
			Field:    pulumi.String("string"),
			Operator: pulumi.String("string"),
			Severity: pulumi.String("string"),
			Value:    pulumi.String("string"),
		},
	},
	// Kibana space the rule is created in.
	SpaceId: pulumi.String("string"),
	Tags: pulumi.StringArray{
		pulumi.String("string"),
	},
	ThreatFilters: pulumi.StringArray{
		pulumi.String("string"),
	},
	ThreatIndicatorPath: pulumi.String("string"),
	ThreatIndices: pulumi.StringArray{
		pulumi.String("string"),
	},
	ThreatMappings: elasticstack.KibanaSecurityDetectionRuleThreatMappingArray{
		&elasticstack.KibanaSecurityDetectionRuleThreatMappingArgs{
			Entries: elasticstack.KibanaSecurityDetectionRuleThreatMappingEntryArray{
				&elasticstack.KibanaSecurityDetectionRuleThreatMappingEntryArgs{
					Field: pulumi.String("string"),
					Type:  pulumi.String("string"),
					Value: pulumi.String("string"),
				},
			},
		},
	},
	ThreatQuery: pulumi.String("string"),
	// MITRE ATT&CK style framework/tactic/technique annotations.
	Threats: elasticstack.KibanaSecurityDetectionRuleThreatArray{
		&elasticstack.KibanaSecurityDetectionRuleThreatArgs{
			Framework: pulumi.String("string"),
			Tactic: &elasticstack.KibanaSecurityDetectionRuleThreatTacticArgs{
				Id:        pulumi.String("string"),
				Name:      pulumi.String("string"),
				Reference: pulumi.String("string"),
			},
			Techniques: elasticstack.KibanaSecurityDetectionRuleThreatTechniqueArray{
				&elasticstack.KibanaSecurityDetectionRuleThreatTechniqueArgs{
					Id:        pulumi.String("string"),
					Name:      pulumi.String("string"),
					Reference: pulumi.String("string"),
					Subtechniques: elasticstack.KibanaSecurityDetectionRuleThreatTechniqueSubtechniqueArray{
						&elasticstack.KibanaSecurityDetectionRuleThreatTechniqueSubtechniqueArgs{
							Id:        pulumi.String("string"),
							Name:      pulumi.String("string"),
							Reference: pulumi.String("string"),
						},
					},
				},
			},
		},
	},
	Threshold: &elasticstack.KibanaSecurityDetectionRuleThresholdArgs{
		Value: pulumi.Float64(0),
		Cardinalities: elasticstack.KibanaSecurityDetectionRuleThresholdCardinalityArray{
			&elasticstack.KibanaSecurityDetectionRuleThresholdCardinalityArgs{
				Field: pulumi.String("string"),
				Value: pulumi.Float64(0),
			},
		},
		Fields: pulumi.StringArray{
			pulumi.String("string"),
		},
	},
	TiebreakerField:                   pulumi.String("string"),
	TimelineId:                        pulumi.String("string"),
	TimelineTitle:                     pulumi.String("string"),
	TimestampOverride:                 pulumi.String("string"),
	TimestampOverrideFallbackDisabled: pulumi.Bool(false),
	To:                                pulumi.String("string"),
	// NOTE(review): Kibana bumps the version on UI edits; pinning it here
	// presumably makes the provider revert such edits -- confirm ownership.
	Version: pulumi.Float64(0),
})
// Scaffold showing every input KibanaSecurityDetectionRule accepts. Each value is a
// placeholder ("string", 0.0, false): it documents the shape of the inputs and is
// not a runnable detection rule. The larger nested inputs are built first.

// One entry of actions(): an automated notification fired when the rule alerts.
// NOTE(review): params() is a free-form map persisted with the rule; keep
// credentials in the connector itself rather than here — confirm for the connector.
var placeholderAction = KibanaSecurityDetectionRuleActionArgs.builder()
    .actionTypeId("string")
    .id("string")
    .params(Map.of("string", "string"))
    .alertsFilter(Map.of("string", "string"))
    .frequency(KibanaSecurityDetectionRuleActionFrequencyArgs.builder()
        .notifyWhen("string")
        .summary(false)
        .throttle("string")
        .build())
    .group("string")
    .uuid("string")
    .build();

// One entry of responseActions(). These run automatically when the rule fires;
// the parameter names (command, packId, queries, platform) suggest endpoint and
// osquery actions — NOTE(review): confirm against the Kibana docs and review the
// privileges this implies before enabling the rule.
var placeholderResponseAction = KibanaSecurityDetectionRuleResponseActionArgs.builder()
    .actionTypeId("string")
    .params(KibanaSecurityDetectionRuleResponseActionParamsArgs.builder()
        .command("string")
        .comment("string")
        .config(KibanaSecurityDetectionRuleResponseActionParamsConfigArgs.builder()
            .field("string")
            .overwrite(false)
            .build())
        .ecsMapping(Map.of("string", "string"))
        .packId("string")
        .queries(KibanaSecurityDetectionRuleResponseActionParamsQueryArgs.builder()
            .id("string")
            .query("string")
            .ecsMapping(Map.of("string", "string"))
            .platform("string")
            .removed(false)
            .snapshot(false)
            .version("string")
            .build())
        .query("string")
        .savedQueryId("string")
        .timeout(0.0)
        .build())
    .build();

// One entry of threatMappings() (threat_match rules only): how event fields are
// matched against the threat-intelligence indices.
var placeholderThreatMapping = KibanaSecurityDetectionRuleThreatMappingArgs.builder()
    .entries(KibanaSecurityDetectionRuleThreatMappingEntryArgs.builder()
        .field("string")
        .type("string")
        .value("string")
        .build())
    .build();

// One entry of threats(): MITRE ATT&CK tactic / technique / sub-technique.
var placeholderThreat = KibanaSecurityDetectionRuleThreatArgs.builder()
    .framework("string")
    .tactic(KibanaSecurityDetectionRuleThreatTacticArgs.builder()
        .id("string")
        .name("string")
        .reference("string")
        .build())
    .techniques(KibanaSecurityDetectionRuleThreatTechniqueArgs.builder()
        .id("string")
        .name("string")
        .reference("string")
        .subtechniques(KibanaSecurityDetectionRuleThreatTechniqueSubtechniqueArgs.builder()
            .id("string")
            .name("string")
            .reference("string")
            .build())
        .build())
    .build();

// threshold() (threshold rules only).
var placeholderThreshold = KibanaSecurityDetectionRuleThresholdArgs.builder()
    .value(0.0)
    .cardinalities(KibanaSecurityDetectionRuleThresholdCardinalityArgs.builder()
        .field("string")
        .value(0.0)
        .build())
    .fields("string")
    .build();

var kibanaSecurityDetectionRuleResource = new KibanaSecurityDetectionRule("kibanaSecurityDetectionRuleResource", KibanaSecurityDetectionRuleArgs.builder()
    .description("string")
    // One of: query, eql, esql, machine_learning, new_terms, saved_query,
    // threat_match, threshold. Several inputs below apply to one type only.
    .type("string")
    .actions(placeholderAction)
    // Collapses duplicate alerts sharing the groupBies fields within duration.
    .alertSuppression(KibanaSecurityDetectionRuleAlertSuppressionArgs.builder()
        .duration("string")
        .groupBies("string")
        .missingFieldsStrategy("string")
        .build())
    .anomalyThreshold(0.0)              // 0-100; machine_learning rules only
    .authors("string")
    .buildingBlockType("string")        // must be "default" when set
    .concurrentSearches(0.0)            // threat_match rules only
    .dataViewId("string")               // not supported for esql / machine_learning
    // Created disabled; enable once query, exceptions and actions are reviewed.
    .enabled(false)
    // Every exception stops the rule from alerting on matching events, so
    // additions are a detection-coverage change and deserve review.
    .exceptionsLists(KibanaSecurityDetectionRuleExceptionsListArgs.builder()
        .id("string")
        .listId("string")
        .namespaceType("string")
        .type("string")
        .build())
    .falsePositives("string")
    .filters("string")                  // JSON filter array, any rule type
    // Lookback window (from/to) and run cadence, all in date math. Keep the
    // lookback longer than the interval so consecutive runs overlap — TODO
    // confirm the overlap against your ingest delay.
    .from("string")
    .historyWindowStart("string")       // new_terms rules only
    .indices("string")
    .interval("string")
    .investigationFields("string")
    .itemsPerSearch(0.0)                // threat_match rules only
    .language("string")                 // query language of query()
    .license("string")
    .machineLearningJobIds("string")    // machine_learning rules only
    // Hard cap on alerts per run; matches beyond it produce no alert in that run.
    .maxSignals(0.0)
    .name("string")
    .namespace("string")
    .newTermsFields("string")           // new_terms rules only
    .note("string")
    .query("string")
    .references("string")
    .relatedIntegrations(KibanaSecurityDetectionRuleRelatedIntegrationArgs.builder()
        .package_("string")
        .version("string")
        .integration("string")
        .build())
    .requiredFields(KibanaSecurityDetectionRuleRequiredFieldArgs.builder()
        .name("string")
        .type("string")
        .ecs(false)
        .build())
    .responseActions(placeholderResponseAction)
    .riskScore(0.0)                     // 0-100
    // Mappings override the rule-level score/severity from a source-event field.
    // NOTE(review): if that field is attacker-influenced the override can be
    // steered — verify which fields are used.
    .riskScoreMappings(KibanaSecurityDetectionRuleRiskScoreMappingArgs.builder()
        .field("string")
        .operator("string")
        .value("string")
        .riskScore(0.0)
        .build())
    // Stable identity of the rule; a UUID is generated when omitted. Pin it so the
    // identity does not change on recreation — presumably what exception lists and
    // timelines key on; verify.
    .ruleId("string")
    .ruleNameOverride("string")
    .savedId("string")                  // saved_query rules only
    .setup("string")
    .severity("string")
    .severityMappings(KibanaSecurityDetectionRuleSeverityMappingArgs.builder()
        .field("string")
        .operator("string")
        .severity("string")
        .value("string")
        .build())
    .spaceId("string")                  // default space when omitted
    .tags("string")
    // threat* inputs: threat_match rules only.
    .threatFilters("string")
    .threatIndicatorPath("string")
    .threatIndices("string")
    .threatMappings(placeholderThreatMapping)
    .threatQuery("string")
    .threats(placeholderThreat)
    .threshold(placeholderThreshold)
    .tiebreakerField("string")          // EQL rules without event.dataset
    .timelineId("string")
    .timelineTitle("string")
    .timestampOverride("string")        // alternative timestamp field
    .timestampOverrideFallbackDisabled(false)
    .to("string")
    .version(0.0)
    .build());
# Scaffold listing every input KibanaSecurityDetectionRule accepts. Each value is a
# placeholder ("string", 0, False): it shows the shape of the inputs and is not a
# runnable detection rule. Nested inputs are dictionary literals; the larger ones
# are built first and referenced from the constructor call below.

# One entry of ``actions``: an automated notification fired when the rule alerts.
# NOTE(review): ``params`` is a free-form map persisted with the rule; keep
# credentials in the connector itself rather than here -- confirm for the connector.
_placeholder_action = {
    "action_type_id": "string",
    "id": "string",
    "params": {
        "string": "string",
    },
    "alerts_filter": {
        "string": "string",
    },
    "frequency": {
        "notify_when": "string",
        "summary": False,
        "throttle": "string",
    },
    "group": "string",
    "uuid": "string",
}

# One entry of ``exceptions_lists``. Every exception stops the rule from alerting on
# matching events, so additions are a detection-coverage change and deserve review.
_placeholder_exceptions_list = {
    "id": "string",
    "list_id": "string",
    "namespace_type": "string",
    "type": "string",
}

# One entry of ``response_actions``. These run automatically when the rule fires;
# the parameter names (command, pack_id, queries, platform) suggest endpoint and
# osquery actions -- NOTE(review): confirm against the Kibana docs and review the
# privileges this implies before enabling the rule.
_placeholder_response_action = {
    "action_type_id": "string",
    "params": {
        "command": "string",
        "comment": "string",
        "config": {
            "field": "string",
            "overwrite": False,
        },
        "ecs_mapping": {
            "string": "string",
        },
        "pack_id": "string",
        "queries": [{
            "id": "string",
            "query": "string",
            "ecs_mapping": {
                "string": "string",
            },
            "platform": "string",
            "removed": False,
            "snapshot": False,
            "version": "string",
        }],
        "query": "string",
        "saved_query_id": "string",
        "timeout": 0,
    },
}

# One entry of ``threat_mappings`` (threat_match rules only): how event fields are
# matched against the threat-intelligence indices.
_placeholder_threat_mapping = {
    "entries": [{
        "field": "string",
        "type": "string",
        "value": "string",
    }],
}

# One entry of ``threats``: MITRE ATT&CK tactic / technique / sub-technique.
_placeholder_threat = {
    "framework": "string",
    "tactic": {
        "id": "string",
        "name": "string",
        "reference": "string",
    },
    "techniques": [{
        "id": "string",
        "name": "string",
        "reference": "string",
        "subtechniques": [{
            "id": "string",
            "name": "string",
            "reference": "string",
        }],
    }],
}

# ``threshold`` (threshold rules only).
_placeholder_threshold = {
    "value": 0,
    "cardinalities": [{
        "field": "string",
        "value": 0,
    }],
    "fields": ["string"],
}

kibana_security_detection_rule_resource = elasticstack.KibanaSecurityDetectionRule(
    "kibanaSecurityDetectionRuleResource",
    description="string",
    # One of: query, eql, esql, machine_learning, new_terms, saved_query,
    # threat_match, threshold. Several inputs below apply to one type only.
    type="string",
    actions=[_placeholder_action],
    # Collapses duplicate alerts sharing the group_bies fields within duration.
    alert_suppression={
        "duration": "string",
        "group_bies": ["string"],
        "missing_fields_strategy": "string",
    },
    anomaly_threshold=0,  # 0-100; machine_learning rules only
    authors=["string"],
    building_block_type="string",  # must be "default" when set
    concurrent_searches=0,  # threat_match rules only
    data_view_id="string",  # not supported for esql / machine_learning
    # Created disabled; enable once query, exceptions and actions are reviewed.
    enabled=False,
    exceptions_lists=[_placeholder_exceptions_list],
    false_positives=["string"],
    filters="string",  # JSON filter array, any rule type
    # Lookback window (from_/to) and run cadence, all in date math. Keep the lookback
    # longer than the interval so consecutive runs overlap -- TODO confirm the overlap
    # against your ingest delay.
    from_="string",
    history_window_start="string",  # new_terms rules only
    indices=["string"],
    interval="string",
    investigation_fields=["string"],
    items_per_search=0,  # threat_match rules only
    language="string",  # query language of ``query``
    license="string",
    machine_learning_job_ids=["string"],  # machine_learning rules only
    # Hard cap on alerts per run; matches beyond it produce no alert in that run.
    max_signals=0,
    name="string",
    namespace="string",
    new_terms_fields=["string"],  # new_terms rules only
    note="string",
    query="string",
    references=["string"],
    related_integrations=[{
        "package": "string",
        "version": "string",
        "integration": "string",
    }],
    required_fields=[{
        "name": "string",
        "type": "string",
        "ecs": False,
    }],
    response_actions=[_placeholder_response_action],
    risk_score=0,  # 0-100
    # Mappings override the rule-level score/severity from a source-event field.
    # NOTE(review): if that field is attacker-influenced the override can be
    # steered -- verify which fields are used.
    risk_score_mappings=[{
        "field": "string",
        "operator": "string",
        "value": "string",
        "risk_score": 0,
    }],
    # Stable identity of the rule; a UUID is generated when omitted. Pin it so the
    # identity does not change on recreation -- presumably what exception lists and
    # timelines key on; verify.
    rule_id="string",
    rule_name_override="string",
    saved_id="string",  # saved_query rules only
    setup="string",
    severity="string",
    severity_mappings=[{
        "field": "string",
        "operator": "string",
        "severity": "string",
        "value": "string",
    }],
    space_id="string",  # default space when omitted
    tags=["string"],
    # threat_* inputs: threat_match rules only.
    threat_filters=["string"],
    threat_indicator_path="string",
    threat_indices=["string"],
    threat_mappings=[_placeholder_threat_mapping],
    threat_query="string",
    threats=[_placeholder_threat],
    threshold=_placeholder_threshold,
    tiebreaker_field="string",  # EQL rules without event.dataset
    timeline_id="string",
    timeline_title="string",
    timestamp_override="string",  # alternative timestamp field
    timestamp_override_fallback_disabled=False,
    to="string",
    version=0,
)
// Scaffold showing every input KibanaSecurityDetectionRule accepts. Each value
// is a placeholder ("string", 0, false): it documents the shape of the inputs
// and is not a runnable detection rule. The larger nested inputs are declared
// first and referenced from the constructor call below.

// One entry of `actions`: an automated notification fired when the rule alerts.
// NOTE(review): `params` is a free-form map persisted with the rule; keep
// credentials in the connector itself rather than here — confirm for the
// connector type in use.
const placeholderAction = {
    actionTypeId: "string",
    id: "string",
    params: {
        string: "string",
    },
    alertsFilter: {
        string: "string",
    },
    frequency: {
        notifyWhen: "string",
        summary: false,
        throttle: "string",
    },
    group: "string",
    uuid: "string",
};

// `alertSuppression`: collapses duplicate alerts that share the groupBies
// fields within `duration`.
const placeholderAlertSuppression = {
    duration: "string",
    groupBies: ["string"],
    missingFieldsStrategy: "string",
};

// One entry of `exceptionsLists`. Every exception stops the rule from alerting
// on matching events, so additions are a detection-coverage change and deserve
// the same review as the query itself.
const placeholderExceptionsList = {
    id: "string",
    listId: "string",
    namespaceType: "string",
    type: "string",
};

// One entry of `relatedIntegrations` (key kept quoted as in the generated example).
const placeholderRelatedIntegration = {
    "package": "string",
    version: "string",
    integration: "string",
};

// One entry of `requiredFields`: a field/type the source indices must carry.
const placeholderRequiredField = {
    name: "string",
    type: "string",
    ecs: false,
};

// One entry of `responseActions`. These run automatically when the rule fires;
// the parameter names (command, packId, queries, platform) suggest endpoint and
// osquery actions — NOTE(review): confirm against the Kibana docs and review
// the privileges this implies before enabling the rule.
const placeholderResponseAction = {
    actionTypeId: "string",
    params: {
        command: "string",
        comment: "string",
        config: {
            field: "string",
            overwrite: false,
        },
        ecsMapping: {
            string: "string",
        },
        packId: "string",
        queries: [
            {
                id: "string",
                query: "string",
                ecsMapping: {
                    string: "string",
                },
                platform: "string",
                removed: false,
                snapshot: false,
                version: "string",
            },
        ],
        query: "string",
        savedQueryId: "string",
        timeout: 0,
    },
};

// Entries of `riskScoreMappings` / `severityMappings`: override the rule-level
// value based on a source-event field. NOTE(review): if that field is
// attacker-influenced the override can be steered — verify which fields are used.
const placeholderRiskScoreMapping = {
    field: "string",
    operator: "string",
    value: "string",
    riskScore: 0,
};
const placeholderSeverityMapping = {
    field: "string",
    operator: "string",
    severity: "string",
    value: "string",
};

// One entry of `threatMappings` (threat_match rules only): how event fields
// are matched against the threat-intelligence indices.
const placeholderThreatMapping = {
    entries: [
        {
            field: "string",
            type: "string",
            value: "string",
        },
    ],
};

// One entry of `threats`: MITRE ATT&CK tactic / technique / sub-technique.
const placeholderThreat = {
    framework: "string",
    tactic: {
        id: "string",
        name: "string",
        reference: "string",
    },
    techniques: [
        {
            id: "string",
            name: "string",
            reference: "string",
            subtechniques: [
                {
                    id: "string",
                    name: "string",
                    reference: "string",
                },
            ],
        },
    ],
};

// `threshold` (threshold rules only).
const placeholderThreshold = {
    value: 0,
    cardinalities: [
        {
            field: "string",
            value: 0,
        },
    ],
    fields: ["string"],
};

const kibanaSecurityDetectionRuleResource = new elasticstack.KibanaSecurityDetectionRule("kibanaSecurityDetectionRuleResource", {
    description: "string",
    // One of: query, eql, esql, machine_learning, new_terms, saved_query,
    // threat_match, threshold. Several inputs below apply to one type only.
    type: "string",
    actions: [placeholderAction],
    alertSuppression: placeholderAlertSuppression,
    anomalyThreshold: 0,            // 0-100; machine_learning rules only
    authors: ["string"],
    buildingBlockType: "string",    // must be "default" when set
    concurrentSearches: 0,          // threat_match rules only
    dataViewId: "string",           // not supported for esql / machine_learning
    // Created disabled; switch on once query, exceptions and actions are reviewed.
    enabled: false,
    exceptionsLists: [placeholderExceptionsList],
    falsePositives: ["string"],
    filters: "string",              // JSON filter array, any rule type
    // Lookback window (from/to) and run cadence, all in date math. Keep the
    // lookback longer than the interval so consecutive runs overlap — TODO
    // confirm the overlap against your ingest delay.
    from: "string",
    historyWindowStart: "string",   // new_terms rules only
    indices: ["string"],
    interval: "string",
    investigationFields: ["string"],
    itemsPerSearch: 0,              // threat_match rules only
    language: "string",             // query language of `query`
    license: "string",
    machineLearningJobIds: ["string"], // machine_learning rules only
    // Hard cap on alerts per run; matches beyond it produce no alert in that run.
    maxSignals: 0,
    name: "string",
    namespace: "string",
    newTermsFields: ["string"],     // new_terms rules only
    note: "string",
    query: "string",
    references: ["string"],
    relatedIntegrations: [placeholderRelatedIntegration],
    requiredFields: [placeholderRequiredField],
    responseActions: [placeholderResponseAction],
    riskScore: 0,                   // 0-100
    riskScoreMappings: [placeholderRiskScoreMapping],
    // Stable identity of the rule; a UUID is generated when omitted. Pin it so
    // the identity does not change on recreation — presumably what exception
    // lists and timelines key on; verify.
    ruleId: "string",
    ruleNameOverride: "string",
    savedId: "string",              // saved_query rules only
    setup: "string",
    severity: "string",
    severityMappings: [placeholderSeverityMapping],
    spaceId: "string",              // default space when omitted
    tags: ["string"],
    // threat* inputs: threat_match rules only.
    threatFilters: ["string"],
    threatIndicatorPath: "string",
    threatIndices: ["string"],
    threatMappings: [placeholderThreatMapping],
    threatQuery: "string",
    threats: [placeholderThreat],
    threshold: placeholderThreshold,
    tiebreakerField: "string",      // EQL rules without event.dataset
    timelineId: "string",
    timelineTitle: "string",
    timestampOverride: "string",    // alternative timestamp field
    timestampOverrideFallbackDisabled: false,
    to: "string",
    version: 0,
});
# Scaffold listing every input KibanaSecurityDetectionRule accepts; each value is a
# placeholder (string, 0, false) that shows the shape of the inputs, not a runnable rule.
type: elasticstack:KibanaSecurityDetectionRule
properties:
# Automated notifications fired when the rule alerts. NOTE(review): params is a
# free-form map persisted with the rule; keep credentials in the connector, not here.
actions:
- actionTypeId: string
alertsFilter:
string: string
frequency:
notifyWhen: string
summary: false
throttle: string
group: string
id: string
params:
string: string
uuid: string
# Collapses duplicate alerts sharing the groupBies fields within duration.
alertSuppression:
duration: string
groupBies:
- string
missingFieldsStrategy: string
# 0-100; machine_learning rules only.
anomalyThreshold: 0
authors:
- string
# Must be "default" when set.
buildingBlockType: string
# threat_match rules only.
concurrentSearches: 0
# Not supported for esql / machine_learning rule types.
dataViewId: string
description: string
# Created disabled; enable once query, exceptions and actions are reviewed.
enabled: false
# Every exception stops the rule from alerting on matching events, so additions
# are a detection-coverage change and deserve review.
exceptionsLists:
- id: string
listId: string
namespaceType: string
type: string
falsePositives:
- string
filters: string
# Lookback window (from/to) and run cadence, all in date math. Keep the lookback
# longer than the interval so consecutive runs overlap -- TODO confirm against ingest delay.
from: string
# new_terms rules only.
historyWindowStart: string
indices:
- string
interval: string
investigationFields:
- string
# threat_match rules only.
itemsPerSearch: 0
language: string
license: string
# machine_learning rules only.
machineLearningJobIds:
- string
# Hard cap on alerts per run; matches beyond it produce no alert in that run.
maxSignals: 0
name: string
namespace: string
# new_terms rules only.
newTermsFields:
- string
note: string
query: string
references:
- string
relatedIntegrations:
- integration: string
package: string
version: string
requiredFields:
- ecs: false
name: string
type: string
# Run automatically when the rule fires; the parameter names (command, packId,
# queries, platform) suggest endpoint and osquery actions -- NOTE(review): confirm
# against the Kibana docs and review the privileges implied before enabling the rule.
responseActions:
- actionTypeId: string
params:
command: string
comment: string
config:
field: string
overwrite: false
ecsMapping:
string: string
packId: string
queries:
- ecsMapping:
string: string
id: string
platform: string
query: string
removed: false
snapshot: false
version: string
query: string
savedQueryId: string
timeout: 0
# 0-100.
riskScore: 0
# Mappings override the rule-level score/severity from a source-event field.
# NOTE(review): if that field is attacker-influenced the override can be steered.
riskScoreMappings:
- field: string
operator: string
riskScore: 0
value: string
# Stable identity of the rule; a UUID is generated when omitted. Pin it so the
# identity does not change on recreation (presumably what exception lists key on; verify).
ruleId: string
ruleNameOverride: string
# saved_query rules only.
savedId: string
setup: string
severity: string
severityMappings:
- field: string
operator: string
severity: string
value: string
# Default space when omitted.
spaceId: string
tags:
- string
# threat* inputs: threat_match rules only.
threatFilters:
- string
threatIndicatorPath: string
threatIndices:
- string
threatMappings:
- entries:
- field: string
type: string
value: string
threatQuery: string
# MITRE ATT&CK tactic / technique / sub-technique.
threats:
- framework: string
tactic:
id: string
name: string
reference: string
techniques:
- id: string
name: string
reference: string
subtechniques:
- id: string
name: string
reference: string
# threshold rules only.
threshold:
cardinalities:
- field: string
value: 0
fields:
- string
value: 0
# EQL rules without event.dataset.
tiebreakerField: string
timelineId: string
timelineTitle: string
timestampOverride: string
timestampOverrideFallbackDisabled: false
to: string
# One of: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
type: string
version: 0
KibanaSecurityDetectionRule Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The KibanaSecurityDetectionRule resource accepts the following input properties:
- Description string
- The rule's description.
- Type string
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- Actions
List<Kibana
Security Detection Rule Action> - Array of automated actions taken when alerts are generated by the rule.
- Alert
Suppression KibanaSecurity Detection Rule Alert Suppression - Defines alert suppression configuration to reduce duplicate alerts.
- Anomaly
Threshold double - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- Authors List<string>
- The rule's authors.
- Building
Block Type string - Determines if the rule acts as a building block. If set, the value must be "default". Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- Concurrent
Searches double - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- Data
View Id string - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- Enabled bool
- Determines whether the rule is enabled.
- Exceptions
Lists List<KibanaSecurity Detection Rule Exceptions List> - Array of exception containers to prevent the rule from generating alerts.
- False
Positives List<string> - String array used to describe common reasons why the rule may issue false-positive alerts.
- Filters string
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- From string
- Time from which data is analyzed each time the rule runs, using a date math range.
- History
Window Start string - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- Indices List<string>
- Indices on which the rule functions.
- Interval string
- Frequency of rule execution, using a date math range.
- Investigation
Fields List<string> - Array of field names to include in alert investigation. Available for all rule types.
- Items
Per Search double - Number of items to search for in each concurrent search. Optional for threat_match rules.
- Language string
- The query language (KQL or Lucene).
- License string
- The rule's license.
- Machine
Learning Job Ids List<string> - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- Max
Signals double - Maximum number of alerts the rule can create during a single run.
- Name string
- A human-readable name for the rule.
- Namespace string
- Alerts index namespace. Available for all rule types.
- New
Terms Fields List<string> - Field names containing the new terms. Required for new_terms rules.
- Note string
- Notes to help investigate alerts produced by the rule.
- Query string
- The query language definition.
- References List<string>
- String array containing references and URLs to sources of additional information.
- Related
Integrations List<KibanaSecurity Detection Rule Related Integration> - Array of related integrations that provide additional context for the rule.
- Required
Fields List<KibanaSecurity Detection Rule Required Field> - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- Response
Actions List<KibanaSecurity Detection Rule Response Action> - Array of response actions that run automatically whenever the rule generates alerts. Review them before enabling the rule, as they execute without further analyst approval.
- Risk
Score double - A numerical representation of the alert's severity from 0 to 100.
- Risk
Score Mappings List<KibanaSecurity Detection Rule Risk Score Mapping> - Array of risk score mappings to override the default risk score based on source event field values.
- Rule
Id string - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- Rule
Name Override string - Override the rule name in Kibana. Available for all rule types.
- Saved
Id string - Identifier of the saved query used for the rule. Required for saved_query rules.
- Setup string
- Setup guide with instructions on rule prerequisites.
- Severity string
- Severity level of alerts produced by the rule.
- Severity
Mappings List<KibanaSecurity Detection Rule Severity Mapping> - Array of severity mappings to override the default severity based on source event field values.
- Space
Id string - An identifier for the space. If space_id is not provided, the default space is used.
- Tags List<string>
- String array containing words and phrases to help categorize, filter, and search rules.
- Threat
Filters List<string> - Additional filters for threat intelligence data. Optional for threat_match rules.
- Threat
Indicator Path string - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- Threat
Indices List<string> - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- Threat
Mappings List<KibanaSecurity Detection Rule Threat Mapping> - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- Threat
Query string - Query used to filter threat intelligence data. Optional for threat_match rules.
- Threats
List<Kibana
Security Detection Rule Threat> - MITRE ATT&CK framework threat information.
- Threshold
Kibana
Security Detection Rule Threshold - Threshold settings for the rule. Required for threshold rules.
- Tiebreaker
Field string - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- Timeline
Id string - Timeline template ID for the rule.
- Timeline
Title string - Timeline template title for the rule.
- Timestamp
Override string - Field name to use for timestamp override. Available for all rule types.
- Timestamp
Override Fallback Disabled bool - Disables timestamp override fallback. Available for all rule types.
- To string
- Time to which data is analyzed each time the rule runs, using a date math range.
- Version double
- The rule's version number.
- Description string
- The rule's description.
- Type string
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- Actions
[]Kibana
Security Detection Rule Action Args - Array of automated actions taken when alerts are generated by the rule.
- Alert
Suppression KibanaSecurity Detection Rule Alert Suppression Args - Defines alert suppression configuration to reduce duplicate alerts.
- Anomaly
Threshold float64 - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- Authors []string
- The rule's authors.
- Building
Block Type string - Determines if the rule acts as a building block. If set, the value must be "default". Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- Concurrent
Searches float64 - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- Data
View Id string - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- Enabled bool
- Determines whether the rule is enabled.
- Exceptions
Lists []KibanaSecurity Detection Rule Exceptions List Args - Array of exception containers to prevent the rule from generating alerts.
- False
Positives []string - String array used to describe common reasons why the rule may issue false-positive alerts.
- Filters string
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- From string
- Time from which data is analyzed each time the rule runs, using a date math range.
- History
Window Start string - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- Indices []string
- Indices on which the rule functions.
- Interval string
- Frequency of rule execution, using a date math range.
- Investigation
Fields []string - Array of field names to include in alert investigation. Available for all rule types.
- Items
Per Search float64 - Number of items to search for in each concurrent search. Optional for threat_match rules.
- Language string
- The query language (KQL or Lucene).
- License string
- The rule's license.
- Machine
Learning Job Ids []string - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- Max
Signals float64 - Maximum number of alerts the rule can create during a single run.
- Name string
- A human-readable name for the rule.
- Namespace string
- Alerts index namespace. Available for all rule types.
- New
Terms Fields []string - Field names containing the new terms. Required for new_terms rules.
- Note string
- Notes to help investigate alerts produced by the rule.
- Query string
- The query language definition.
- References []string
- String array containing references and URLs to sources of additional information.
- Related
Integrations []KibanaSecurity Detection Rule Related Integration Args - Array of related integrations that provide additional context for the rule.
- Required
Fields []KibanaSecurity Detection Rule Required Field Args - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- Response
Actions []KibanaSecurity Detection Rule Response Action Args - Array of response actions that run automatically whenever the rule generates alerts. Review them before enabling the rule, as they execute without further analyst approval.
- Risk
Score float64 - A numerical representation of the alert's severity from 0 to 100.
- Risk
Score Mappings []KibanaSecurity Detection Rule Risk Score Mapping Args - Array of risk score mappings to override the default risk score based on source event field values.
- Rule
Id string - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- Rule
Name Override string - Override the rule name in Kibana. Available for all rule types.
- Saved
Id string - Identifier of the saved query used for the rule. Required for saved_query rules.
- Setup string
- Setup guide with instructions on rule prerequisites.
- Severity string
- Severity level of alerts produced by the rule.
- Severity
Mappings []KibanaSecurity Detection Rule Severity Mapping Args - Array of severity mappings to override the default severity based on source event field values.
- Space
Id string - An identifier for the space. If space_id is not provided, the default space is used.
- Tags []string
- String array containing words and phrases to help categorize, filter, and search rules.
- Threat
Filters []string - Additional filters for threat intelligence data. Optional for threat_match rules.
- Threat
Indicator Path string - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- Threat
Indices []string - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- Threat
Mappings []KibanaSecurity Detection Rule Threat Mapping Args - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- Threat
Query string - Query used to filter threat intelligence data. Optional for threat_match rules.
- Threats
[]Kibana
Security Detection Rule Threat Args - MITRE ATT&CK framework threat information.
- Threshold
Kibana
Security Detection Rule Threshold Args - Threshold settings for the rule. Required for threshold rules.
- Tiebreaker
Field string - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- Timeline
Id string - Timeline template ID for the rule.
- Timeline
Title string - Timeline template title for the rule.
- Timestamp
Override string - Field name to use for timestamp override. Available for all rule types.
- Timestamp
Override Fallback Disabled bool - Disables timestamp override fallback. Available for all rule types.
- To string
- Time to which data is analyzed each time the rule runs, using a date math range.
- Version float64
- The rule's version number.
- description String
- The rule's description.
- type String
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- actions
List<Kibana
Security Detection Rule Action> - Array of automated actions taken when alerts are generated by the rule.
- alert
Suppression KibanaSecurity Detection Rule Alert Suppression - Defines alert suppression configuration to reduce duplicate alerts.
- anomaly
Threshold Double - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- authors List<String>
- The rule's authors.
- building
Block Type String - Determines if the rule acts as a building block. If set, the value must be "default". Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- concurrent
Searches Double - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- data
View Id String - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- enabled Boolean
- Determines whether the rule is enabled.
- exceptions
Lists List<KibanaSecurity Detection Rule Exceptions List> - Array of exception containers to prevent the rule from generating alerts.
- false
Positives List<String> - String array used to describe common reasons why the rule may issue false-positive alerts.
- filters String
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- from String
- Time from which data is analyzed each time the rule runs, using a date math range.
- history
Window Start String - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- indices List<String>
- Indices on which the rule functions.
- interval String
- Frequency of rule execution, using a date math range.
- investigation
Fields List<String> - Array of field names to include in alert investigation. Available for all rule types.
- items
Per Search Double - Number of items to search for in each concurrent search. Optional for threat_match rules.
- language String
- The query language (KQL or Lucene).
- license String
- The rule's license.
- machine
Learning Job Ids List<String> - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- max
Signals Double - Maximum number of alerts the rule can create during a single run.
- name String
- A human-readable name for the rule.
- namespace String
- Alerts index namespace. Available for all rule types.
- new
Terms Fields List<String> - Field names containing the new terms. Required for new_terms rules.
- note String
- Notes to help investigate alerts produced by the rule.
- query String
- The query language definition.
- references List<String>
- String array containing references and URLs to sources of additional information.
- related
Integrations List<KibanaSecurity Detection Rule Related Integration> - Array of related integrations that provide additional context for the rule.
- required
Fields List<KibanaSecurity Detection Rule Required Field> - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- response
Actions List<KibanaSecurity Detection Rule Response Action> - Array of response actions that run automatically whenever the rule generates alerts. Review them before enabling the rule, as they execute without further analyst approval.
- risk
Score Double - A numerical representation of the alert's severity from 0 to 100.
- risk
Score Mappings List<KibanaSecurity Detection Rule Risk Score Mapping> - Array of risk score mappings to override the default risk score based on source event field values.
- rule
Id String - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- rule
Name Override String - Override the rule name in Kibana. Available for all rule types.
- saved
Id String - Identifier of the saved query used for the rule. Required for saved_query rules.
- setup String
- Setup guide with instructions on rule prerequisites.
- severity String
- Severity level of alerts produced by the rule.
- severity
Mappings List<KibanaSecurity Detection Rule Severity Mapping> - Array of severity mappings to override the default severity based on source event field values.
- space
Id String - An identifier for the space. If space_id is not provided, the default space is used.
- tags List<String>
- String array containing words and phrases to help categorize, filter, and search rules.
- threat
Filters List<String> - Additional filters for threat intelligence data. Optional for threat_match rules.
- threat
Indicator Path String - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- threat
Indices List<String> - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- threat
Mappings List<KibanaSecurity Detection Rule Threat Mapping> - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- threat
Query String - Query used to filter threat intelligence data. Optional for threat_match rules.
- threats
List<Kibana
Security Detection Rule Threat> - MITRE ATT&CK framework threat information.
- threshold
Kibana
Security Detection Rule Threshold - Threshold settings for the rule. Required for threshold rules.
- tiebreaker
Field String - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- timeline
Id String - Timeline template ID for the rule.
- timeline
Title String - Timeline template title for the rule.
- timestamp
Override String - Field name to use for timestamp override. Available for all rule types.
- timestamp
Override Fallback Disabled Boolean - Disables timestamp override fallback. Available for all rule types.
- to String
- Time to which data is analyzed each time the rule runs, using a date math range.
- version Double
- The rule's version number.
- description string
- The rule's description.
- type string
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- actions
Kibana
Security Detection Rule Action[] - Array of automated actions taken when alerts are generated by the rule.
- alert
Suppression KibanaSecurity Detection Rule Alert Suppression - Defines alert suppression configuration to reduce duplicate alerts.
- anomaly
Threshold number - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- authors string[]
- The rule's authors.
- building
Block Type string - Determines if the rule acts as a building block. If set, the value must be "default". Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- concurrent
Searches number - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- data
View Id string - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- enabled boolean
- Determines whether the rule is enabled.
- exceptions
Lists KibanaSecurity Detection Rule Exceptions List[] - Array of exception containers to prevent the rule from generating alerts.
- false
Positives string[] - String array used to describe common reasons why the rule may issue false-positive alerts.
- filters string
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- from string
- Time from which data is analyzed each time the rule runs, using a date math range.
- history
Window stringStart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- indices string[]
- Indices on which the rule functions.
- interval string
- Frequency of rule execution, using a date math range.
- investigation
Fields string[] - Array of field names to include in alert investigation. Available for all rule types.
- items
Per numberSearch - Number of items to search for in each concurrent search. Optional for threat_match rules.
- language string
- The query language (KQL or Lucene).
- license string
- The rule's license.
- machine
Learning string[]Job Ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- max
Signals number - Maximum number of alerts the rule can create during a single run.
- name string
- A human-readable name for the rule.
- namespace string
- Alerts index namespace. Available for all rule types.
- new
Terms string[]Fields - Field names containing the new terms. Required for new_terms rules.
- note string
- Notes to help investigate alerts produced by the rule.
- query string
- The query language definition.
- references string[]
- String array containing references and URLs to sources of additional information.
- relatedIntegrations KibanaSecurityDetectionRuleRelatedIntegration[] - Array of related integrations that provide additional context for the rule.
- required
Fields KibanaSecurity Detection Rule Required Field[] - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- response
Actions KibanaSecurity Detection Rule Response Action[] - Array of response actions to take when alerts are generated by the rule.
- risk
Score number - A numerical representation of the alert's severity from 0 to 100.
- risk
Score KibanaMappings Security Detection Rule Risk Score Mapping[] - Array of risk score mappings to override the default risk score based on source event field values.
- rule
Id string - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- rule
Name stringOverride - Override the rule name in Kibana. Available for all rule types.
- saved
Id string - Identifier of the saved query used for the rule. Required for saved_query rules.
- setup string
- Setup guide with instructions on rule prerequisites.
- severity string
- Severity level of alerts produced by the rule.
- severity
Mappings KibanaSecurity Detection Rule Severity Mapping[] - Array of severity mappings to override the default severity based on source event field values.
- space
Id string - An identifier for the space. If space_id is not provided, the default space is used.
- tags string[]
- String array containing words and phrases to help categorize, filter, and search rules.
- threat
Filters string[] - Additional filters for threat intelligence data. Optional for threat_match rules.
- threat
Indicator stringPath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- threat
Indices string[] - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- threat
Mappings KibanaSecurity Detection Rule Threat Mapping[] - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- threat
Query string - Query used to filter threat intelligence data. Optional for threat_match rules.
- threats
Kibana
Security Detection Rule Threat[] - MITRE ATT&CK framework threat information.
- threshold
Kibana
Security Detection Rule Threshold - Threshold settings for the rule. Required for threshold rules.
- tiebreaker
Field string - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- timeline
Id string - Timeline template ID for the rule.
- timeline
Title string - Timeline template title for the rule.
- timestamp
Override string - Field name to use for timestamp override. Available for all rule types.
- timestamp
Override booleanFallback Disabled - Disables timestamp override fallback. Available for all rule types.
- to string
- Time to which data is analyzed each time the rule runs, using a date math range.
- version number
- The rule's version number.
- description str
- The rule's description.
- type str
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- actions
Sequence[Kibana
Security Detection Rule Action Args] - Array of automated actions taken when alerts are generated by the rule.
- alert_
suppression KibanaSecurity Detection Rule Alert Suppression Args - Defines alert suppression configuration to reduce duplicate alerts.
- anomaly_
threshold float - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- authors Sequence[str]
- The rule's author.
- building_block_type str - Determines if the rule acts as a building block. If set, the value must be `default`. Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- concurrent_searches float - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- data_
view_ strid - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- enabled bool
- Determines whether the rule is enabled.
- exceptions_
lists Sequence[KibanaSecurity Detection Rule Exceptions List Args] - Array of exception containers to prevent the rule from generating alerts.
- false_
positives Sequence[str] - String array used to describe common reasons why the rule may issue false-positive alerts.
- filters str
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- from_ str
- Time from which data is analyzed each time the rule runs, using a date math range.
- history_
window_ strstart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- indices Sequence[str]
- Indices on which the rule functions.
- interval str
- Frequency of rule execution, using a date math range.
- investigation_
fields Sequence[str] - Array of field names to include in alert investigation. Available for all rule types.
- items_
per_ floatsearch - Number of items to search for in each concurrent search. Optional for threat_match rules.
- language str
- The query language (KQL or Lucene).
- license str
- The rule's license.
- machine_
learning_ Sequence[str]job_ ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- max_
signals float - Maximum number of alerts the rule can create during a single run.
- name str
- A human-readable name for the rule.
- namespace str
- Alerts index namespace. Available for all rule types.
- new_
terms_ Sequence[str]fields - Field names containing the new terms. Required for new_terms rules.
- note str
- Notes to help investigate alerts produced by the rule.
- query str
- The query language definition.
- references Sequence[str]
- String array containing references and URLs to sources of additional information.
- related_integrations Sequence[KibanaSecurityDetectionRuleRelatedIntegrationArgs] - Array of related integrations that provide additional context for the rule.
- required_
fields Sequence[KibanaSecurity Detection Rule Required Field Args] - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- response_
actions Sequence[KibanaSecurity Detection Rule Response Action Args] - Array of response actions to take when alerts are generated by the rule.
- risk_
score float - A numerical representation of the alert's severity from 0 to 100.
- risk_
score_ Sequence[Kibanamappings Security Detection Rule Risk Score Mapping Args] - Array of risk score mappings to override the default risk score based on source event field values.
- rule_
id str - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- rule_
name_ stroverride - Override the rule name in Kibana. Available for all rule types.
- saved_
id str - Identifier of the saved query used for the rule. Required for saved_query rules.
- setup str
- Setup guide with instructions on rule prerequisites.
- severity str
- Severity level of alerts produced by the rule.
- severity_
mappings Sequence[KibanaSecurity Detection Rule Severity Mapping Args] - Array of severity mappings to override the default severity based on source event field values.
- space_
id str - An identifier for the space. If space_id is not provided, the default space is used.
- tags Sequence[str]
- String array containing words and phrases to help categorize, filter, and search rules.
- threat_
filters Sequence[str] - Additional filters for threat intelligence data. Optional for threat_match rules.
- threat_
indicator_ strpath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- threat_
indices Sequence[str] - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- threat_
mappings Sequence[KibanaSecurity Detection Rule Threat Mapping Args] - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- threat_
query str - Query used to filter threat intelligence data. Optional for threat_match rules.
- threats
Sequence[Kibana
Security Detection Rule Threat Args] - MITRE ATT&CK framework threat information.
- threshold
Kibana
Security Detection Rule Threshold Args - Threshold settings for the rule. Required for threshold rules.
- tiebreaker_
field str - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- timeline_
id str - Timeline template ID for the rule.
- timeline_
title str - Timeline template title for the rule.
- timestamp_
override str - Field name to use for timestamp override. Available for all rule types.
- timestamp_
override_ boolfallback_ disabled - Disables timestamp override fallback. Available for all rule types.
- to str
- Time to which data is analyzed each time the rule runs, using a date math range.
- version float
- The rule's version number.
- description String
- The rule's description.
- type String
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- actions List<Property Map>
- Array of automated actions taken when alerts are generated by the rule.
- alert
Suppression Property Map - Defines alert suppression configuration to reduce duplicate alerts.
- anomaly
Threshold Number - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- List<String>
- The rule's author.
- buildingBlockType String - Determines if the rule acts as a building block. If set, the value must be `default`. Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- concurrentSearches Number - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- data
View StringId - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- enabled Boolean
- Determines whether the rule is enabled.
- exceptions
Lists List<Property Map> - Array of exception containers to prevent the rule from generating alerts.
- false
Positives List<String> - String array used to describe common reasons why the rule may issue false-positive alerts.
- filters String
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- from String
- Time from which data is analyzed each time the rule runs, using a date math range.
- history
Window StringStart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- indices List<String>
- Indices on which the rule functions.
- interval String
- Frequency of rule execution, using a date math range.
- investigation
Fields List<String> - Array of field names to include in alert investigation. Available for all rule types.
- items
Per NumberSearch - Number of items to search for in each concurrent search. Optional for threat_match rules.
- language String
- The query language (KQL or Lucene).
- license String
- The rule's license.
- machine
Learning List<String>Job Ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- max
Signals Number - Maximum number of alerts the rule can create during a single run.
- name String
- A human-readable name for the rule.
- namespace String
- Alerts index namespace. Available for all rule types.
- new
Terms List<String>Fields - Field names containing the new terms. Required for new_terms rules.
- note String
- Notes to help investigate alerts produced by the rule.
- query String
- The query language definition.
- references List<String>
- String array containing references and URLs to sources of additional information.
- List<Property Map>
- Array of related integrations that provide additional context for the rule.
- required
Fields List<Property Map> - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- response
Actions List<Property Map> - Array of response actions to take when alerts are generated by the rule.
- risk
Score Number - A numerical representation of the alert's severity from 0 to 100.
- risk
Score List<Property Map>Mappings - Array of risk score mappings to override the default risk score based on source event field values.
- rule
Id String - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- rule
Name StringOverride - Override the rule name in Kibana. Available for all rule types.
- saved
Id String - Identifier of the saved query used for the rule. Required for saved_query rules.
- setup String
- Setup guide with instructions on rule prerequisites.
- severity String
- Severity level of alerts produced by the rule.
- severity
Mappings List<Property Map> - Array of severity mappings to override the default severity based on source event field values.
- space
Id String - An identifier for the space. If space_id is not provided, the default space is used.
- List<String>
- String array containing words and phrases to help categorize, filter, and search rules.
- threat
Filters List<String> - Additional filters for threat intelligence data. Optional for threat_match rules.
- threat
Indicator StringPath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- threat
Indices List<String> - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- threat
Mappings List<Property Map> - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- threat
Query String - Query used to filter threat intelligence data. Optional for threat_match rules.
- threats List<Property Map>
- MITRE ATT&CK framework threat information.
- threshold Property Map
- Threshold settings for the rule. Required for threshold rules.
- tiebreaker
Field String - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- timeline
Id String - Timeline template ID for the rule.
- timeline
Title String - Timeline template title for the rule.
- timestamp
Override String - Field name to use for timestamp override. Available for all rule types.
- timestamp
Override BooleanFallback Disabled - Disables timestamp override fallback. Available for all rule types.
- to String
- Time to which data is analyzed each time the rule runs, using a date math range.
- version Number
- The rule's version number.
Outputs
All input properties are implicitly available as output properties. Additionally, the KibanaSecurityDetectionRule resource produces the following output properties:
- Created
At string - The time the rule was created.
- Created
By string - The user who created the rule.
- Id string
- The provider-assigned unique ID for this managed resource.
- Revision double
- The rule's revision number.
- Updated
At string - The time the rule was last updated.
- Updated
By string - The user who last updated the rule.
- Created
At string - The time the rule was created.
- Created
By string - The user who created the rule.
- Id string
- The provider-assigned unique ID for this managed resource.
- Revision float64
- The rule's revision number.
- Updated
At string - The time the rule was last updated.
- Updated
By string - The user who last updated the rule.
- created
At String - The time the rule was created.
- created
By String - The user who created the rule.
- id String
- The provider-assigned unique ID for this managed resource.
- revision Double
- The rule's revision number.
- updated
At String - The time the rule was last updated.
- updated
By String - The user who last updated the rule.
- created
At string - The time the rule was created.
- created
By string - The user who created the rule.
- id string
- The provider-assigned unique ID for this managed resource.
- revision number
- The rule's revision number.
- updated
At string - The time the rule was last updated.
- updated
By string - The user who last updated the rule.
- created_
at str - The time the rule was created.
- created_
by str - The user who created the rule.
- id str
- The provider-assigned unique ID for this managed resource.
- revision float
- The rule's revision number.
- updated_
at str - The time the rule was last updated.
- updated_
by str - The user who last updated the rule.
- created
At String - The time the rule was created.
- created
By String - The user who created the rule.
- id String
- The provider-assigned unique ID for this managed resource.
- revision Number
- The rule's revision number.
- updated
At String - The time the rule was last updated.
- updated
By String - The user who last updated the rule.
Look up Existing KibanaSecurityDetectionRule Resource
Get an existing KibanaSecurityDetectionRule resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: KibanaSecurityDetectionRuleState, opts?: CustomResourceOptions): KibanaSecurityDetectionRule
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
actions: Optional[Sequence[KibanaSecurityDetectionRuleActionArgs]] = None,
alert_suppression: Optional[KibanaSecurityDetectionRuleAlertSuppressionArgs] = None,
anomaly_threshold: Optional[float] = None,
authors: Optional[Sequence[str]] = None,
building_block_type: Optional[str] = None,
concurrent_searches: Optional[float] = None,
created_at: Optional[str] = None,
created_by: Optional[str] = None,
data_view_id: Optional[str] = None,
description: Optional[str] = None,
enabled: Optional[bool] = None,
exceptions_lists: Optional[Sequence[KibanaSecurityDetectionRuleExceptionsListArgs]] = None,
false_positives: Optional[Sequence[str]] = None,
filters: Optional[str] = None,
from_: Optional[str] = None,
history_window_start: Optional[str] = None,
indices: Optional[Sequence[str]] = None,
interval: Optional[str] = None,
investigation_fields: Optional[Sequence[str]] = None,
items_per_search: Optional[float] = None,
language: Optional[str] = None,
license: Optional[str] = None,
machine_learning_job_ids: Optional[Sequence[str]] = None,
max_signals: Optional[float] = None,
name: Optional[str] = None,
namespace: Optional[str] = None,
new_terms_fields: Optional[Sequence[str]] = None,
note: Optional[str] = None,
query: Optional[str] = None,
references: Optional[Sequence[str]] = None,
related_integrations: Optional[Sequence[KibanaSecurityDetectionRuleRelatedIntegrationArgs]] = None,
required_fields: Optional[Sequence[KibanaSecurityDetectionRuleRequiredFieldArgs]] = None,
response_actions: Optional[Sequence[KibanaSecurityDetectionRuleResponseActionArgs]] = None,
revision: Optional[float] = None,
risk_score: Optional[float] = None,
risk_score_mappings: Optional[Sequence[KibanaSecurityDetectionRuleRiskScoreMappingArgs]] = None,
rule_id: Optional[str] = None,
rule_name_override: Optional[str] = None,
saved_id: Optional[str] = None,
setup: Optional[str] = None,
severity: Optional[str] = None,
severity_mappings: Optional[Sequence[KibanaSecurityDetectionRuleSeverityMappingArgs]] = None,
space_id: Optional[str] = None,
tags: Optional[Sequence[str]] = None,
threat_filters: Optional[Sequence[str]] = None,
threat_indicator_path: Optional[str] = None,
threat_indices: Optional[Sequence[str]] = None,
threat_mappings: Optional[Sequence[KibanaSecurityDetectionRuleThreatMappingArgs]] = None,
threat_query: Optional[str] = None,
threats: Optional[Sequence[KibanaSecurityDetectionRuleThreatArgs]] = None,
threshold: Optional[KibanaSecurityDetectionRuleThresholdArgs] = None,
tiebreaker_field: Optional[str] = None,
timeline_id: Optional[str] = None,
timeline_title: Optional[str] = None,
timestamp_override: Optional[str] = None,
timestamp_override_fallback_disabled: Optional[bool] = None,
to: Optional[str] = None,
type: Optional[str] = None,
updated_at: Optional[str] = None,
updated_by: Optional[str] = None,
version: Optional[float] = None) -> KibanaSecurityDetectionRule
func GetKibanaSecurityDetectionRule(ctx *Context, name string, id IDInput, state *KibanaSecurityDetectionRuleState, opts ...ResourceOption) (*KibanaSecurityDetectionRule, error)
public static KibanaSecurityDetectionRule Get(string name, Input<string> id, KibanaSecurityDetectionRuleState? state, CustomResourceOptions? opts = null)
public static KibanaSecurityDetectionRule get(String name, Output<String> id, KibanaSecurityDetectionRuleState state, CustomResourceOptions options)
resources:
  _:
    type: elasticstack:KibanaSecurityDetectionRule
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Actions
List<Kibana
Security Detection Rule Action> - Array of automated actions taken when alerts are generated by the rule.
- Alert
Suppression KibanaSecurity Detection Rule Alert Suppression - Defines alert suppression configuration to reduce duplicate alerts.
- Anomaly
Threshold double - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- List<string>
- The rule's author.
- BuildingBlockType string - Determines if the rule acts as a building block. If set, the value must be `default`. Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- ConcurrentSearches double - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- Created
At string - The time the rule was created.
- Created
By string - The user who created the rule.
- Data
View stringId - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- Description string
- The rule's description.
- Enabled bool
- Determines whether the rule is enabled.
- Exceptions
Lists List<KibanaSecurity Detection Rule Exceptions List> - Array of exception containers to prevent the rule from generating alerts.
- False
Positives List<string> - String array used to describe common reasons why the rule may issue false-positive alerts.
- Filters string
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- From string
- Time from which data is analyzed each time the rule runs, using a date math range.
- History
Window stringStart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- Indices List<string>
- Indices on which the rule functions.
- Interval string
- Frequency of rule execution, using a date math range.
- Investigation
Fields List<string> - Array of field names to include in alert investigation. Available for all rule types.
- Items
Per doubleSearch - Number of items to search for in each concurrent search. Optional for threat_match rules.
- Language string
- The query language (KQL or Lucene).
- License string
- The rule's license.
- Machine
Learning List<string>Job Ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- Max
Signals double - Maximum number of alerts the rule can create during a single run.
- Name string
- A human-readable name for the rule.
- Namespace string
- Alerts index namespace. Available for all rule types.
- New
Terms List<string>Fields - Field names containing the new terms. Required for new_terms rules.
- Note string
- Notes to help investigate alerts produced by the rule.
- Query string
- The query language definition.
- References List<string>
- String array containing references and URLs to sources of additional information.
-
List<Kibana
Security Detection Rule Related Integration> - Array of related integrations that provide additional context for the rule.
- Required
Fields List<KibanaSecurity Detection Rule Required Field> - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- Response
Actions List<KibanaSecurity Detection Rule Response Action> - Array of response actions to take when alerts are generated by the rule.
- Revision double
- The rule's revision number.
- Risk
Score double - A numerical representation of the alert's severity from 0 to 100.
- Risk
Score List<KibanaMappings Security Detection Rule Risk Score Mapping> - Array of risk score mappings to override the default risk score based on source event field values.
- Rule
Id string - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- Rule
Name stringOverride - Override the rule name in Kibana. Available for all rule types.
- Saved
Id string - Identifier of the saved query used for the rule. Required for saved_query rules.
- Setup string
- Setup guide with instructions on rule prerequisites.
- Severity string
- Severity level of alerts produced by the rule.
- Severity
Mappings List<KibanaSecurity Detection Rule Severity Mapping> - Array of severity mappings to override the default severity based on source event field values.
- Space
Id string - An identifier for the space. If space_id is not provided, the default space is used.
- List<string>
- String array containing words and phrases to help categorize, filter, and search rules.
- Threat
Filters List<string> - Additional filters for threat intelligence data. Optional for threat_match rules.
- Threat
Indicator stringPath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- Threat
Indices List<string> - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- Threat
Mappings List<KibanaSecurity Detection Rule Threat Mapping> - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- Threat
Query string - Query used to filter threat intelligence data. Optional for threat_match rules.
- Threats
List<Kibana
Security Detection Rule Threat> - MITRE ATT&CK framework threat information.
- Threshold
Kibana
Security Detection Rule Threshold - Threshold settings for the rule. Required for threshold rules.
- Tiebreaker
Field string - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- Timeline
Id string - Timeline template ID for the rule.
- Timeline
Title string - Timeline template title for the rule.
- Timestamp
Override string - Field name to use for timestamp override. Available for all rule types.
- Timestamp
Override boolFallback Disabled - Disables timestamp override fallback. Available for all rule types.
- To string
- Time to which data is analyzed each time the rule runs, using a date math range.
- Type string
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- Updated
At string - The time the rule was last updated.
- Updated
By string - The user who last updated the rule.
- Version double
- The rule's version number.
- Actions
[]Kibana
Security Detection Rule Action Args - Array of automated actions taken when alerts are generated by the rule.
- Alert
Suppression KibanaSecurity Detection Rule Alert Suppression Args - Defines alert suppression configuration to reduce duplicate alerts.
- Anomaly
Threshold float64 - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- []string
- The rule's author.
- BuildingBlockType string - Determines if the rule acts as a building block. If set, the value must be `default`. Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- ConcurrentSearches float64 - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- Created
At string - The time the rule was created.
- Created
By string - The user who created the rule.
- Data
View stringId - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- Description string
- The rule's description.
- Enabled bool
- Determines whether the rule is enabled.
- Exceptions
Lists []KibanaSecurity Detection Rule Exceptions List Args - Array of exception containers to prevent the rule from generating alerts.
- False
Positives []string - String array used to describe common reasons why the rule may issue false-positive alerts.
- Filters string
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- From string
- Time from which data is analyzed each time the rule runs, using a date math range.
- History
Window stringStart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- Indices []string
- Indices on which the rule functions.
- Interval string
- Frequency of rule execution, using a date math range.
- Investigation
Fields []string - Array of field names to include in alert investigation. Available for all rule types.
- Items
Per float64Search - Number of items to search for in each concurrent search. Optional for threat_match rules.
- Language string
- The query language (KQL or Lucene).
- License string
- The rule's license.
- Machine
Learning []stringJob Ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- Max
Signals float64 - Maximum number of alerts the rule can create during a single run.
- Name string
- A human-readable name for the rule.
- Namespace string
- Alerts index namespace. Available for all rule types.
- New
Terms []stringFields - Field names containing the new terms. Required for new_terms rules.
- Note string
- Notes to help investigate alerts produced by the rule.
- Query string
- The query language definition.
- References []string
- String array containing references and URLs to sources of additional information.
- Related
Integrations []Kibana
Security Detection Rule Related Integration Args - Array of related integrations that provide additional context for the rule.
- Required
Fields []KibanaSecurity Detection Rule Required Field Args - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- Response
Actions []KibanaSecurity Detection Rule Response Action Args - Array of response actions to take when alerts are generated by the rule.
- Revision float64
- The rule's revision number.
- Risk
Score float64 - A numerical representation of the alert's severity from 0 to 100.
- Risk
Score []KibanaMappings Security Detection Rule Risk Score Mapping Args - Array of risk score mappings to override the default risk score based on source event field values.
- Rule
Id string - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- Rule
Name stringOverride - Override the rule name in Kibana. Available for all rule types.
- Saved
Id string - Identifier of the saved query used for the rule. Required for saved_query rules.
- Setup string
- Setup guide with instructions on rule prerequisites.
- Severity string
- Severity level of alerts produced by the rule.
- Severity
Mappings []KibanaSecurity Detection Rule Severity Mapping Args - Array of severity mappings to override the default severity based on source event field values.
- Space
Id string - An identifier for the space. If space_id is not provided, the default space is used.
- Tags []string
- String array containing words and phrases to help categorize, filter, and search rules.
- Threat
Filters []string - Additional filters for threat intelligence data. Optional for threat_match rules.
- Threat
Indicator stringPath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- Threat
Indices []string - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- Threat
Mappings []KibanaSecurity Detection Rule Threat Mapping Args - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- Threat
Query string - Query used to filter threat intelligence data. Optional for threat_match rules.
- Threats
[]Kibana
Security Detection Rule Threat Args - MITRE ATT&CK framework threat information.
- Threshold
Kibana
Security Detection Rule Threshold Args - Threshold settings for the rule. Required for threshold rules.
- Tiebreaker
Field string - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- Timeline
Id string - Timeline template ID for the rule.
- Timeline
Title string - Timeline template title for the rule.
- Timestamp
Override string - Field name to use for timestamp override. Available for all rule types.
- Timestamp
Override boolFallback Disabled - Disables timestamp override fallback. Available for all rule types.
- To string
- Time to which data is analyzed each time the rule runs, using a date math range.
- Type string
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- Updated
At string - The time the rule was last updated.
- Updated
By string - The user who last updated the rule.
- Version float64
- The rule's version number.
- actions
List<Kibana
Security Detection Rule Action> - Array of automated actions taken when alerts are generated by the rule.
- alert
Suppression KibanaSecurity Detection Rule Alert Suppression - Defines alert suppression configuration to reduce duplicate alerts.
- anomaly
Threshold Double - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- authors List<String>
- The rule's author.
- building
Block StringType - Determines if the rule acts as a building block. If set, the value must be `default`. Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- concurrent
Searches Double - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- created
At String - The time the rule was created.
- created
By String - The user who created the rule.
- data
View StringId - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- description String
- The rule's description.
- enabled Boolean
- Determines whether the rule is enabled.
- exceptions
Lists List<KibanaSecurity Detection Rule Exceptions List> - Array of exception containers to prevent the rule from generating alerts.
- false
Positives List<String> - String array used to describe common reasons why the rule may issue false-positive alerts.
- filters String
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- from String
- Time from which data is analyzed each time the rule runs, using a date math range.
- history
Window StringStart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- indices List<String>
- Indices on which the rule functions.
- interval String
- Frequency of rule execution, using a date math range.
- investigation
Fields List<String> - Array of field names to include in alert investigation. Available for all rule types.
- items
Per DoubleSearch - Number of items to search for in each concurrent search. Optional for threat_match rules.
- language String
- The query language (KQL or Lucene).
- license String
- The rule's license.
- machine
Learning List<String>Job Ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- max
Signals Double - Maximum number of alerts the rule can create during a single run.
- name String
- A human-readable name for the rule.
- namespace String
- Alerts index namespace. Available for all rule types.
- new
Terms List<String>Fields - Field names containing the new terms. Required for new_terms rules.
- note String
- Notes to help investigate alerts produced by the rule.
- query String
- The query language definition.
- references List<String>
- String array containing references and URLs to sources of additional information.
- related
Integrations List<Kibana
Security Detection Rule Related Integration> - Array of related integrations that provide additional context for the rule.
- required
Fields List<KibanaSecurity Detection Rule Required Field> - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- response
Actions List<KibanaSecurity Detection Rule Response Action> - Array of response actions to take when alerts are generated by the rule.
- revision Double
- The rule's revision number.
- risk
Score Double - A numerical representation of the alert's severity from 0 to 100.
- risk
Score List<KibanaMappings Security Detection Rule Risk Score Mapping> - Array of risk score mappings to override the default risk score based on source event field values.
- rule
Id String - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- rule
Name StringOverride - Override the rule name in Kibana. Available for all rule types.
- saved
Id String - Identifier of the saved query used for the rule. Required for saved_query rules.
- setup String
- Setup guide with instructions on rule prerequisites.
- severity String
- Severity level of alerts produced by the rule.
- severity
Mappings List<KibanaSecurity Detection Rule Severity Mapping> - Array of severity mappings to override the default severity based on source event field values.
- space
Id String - An identifier for the space. If space_id is not provided, the default space is used.
- tags List<String>
- String array containing words and phrases to help categorize, filter, and search rules.
- threat
Filters List<String> - Additional filters for threat intelligence data. Optional for threat_match rules.
- threat
Indicator StringPath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- threat
Indices List<String> - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- threat
Mappings List<KibanaSecurity Detection Rule Threat Mapping> - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- threat
Query String - Query used to filter threat intelligence data. Optional for threat_match rules.
- threats
List<Kibana
Security Detection Rule Threat> - MITRE ATT&CK framework threat information.
- threshold
Kibana
Security Detection Rule Threshold - Threshold settings for the rule. Required for threshold rules.
- tiebreaker
Field String - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- timeline
Id String - Timeline template ID for the rule.
- timeline
Title String - Timeline template title for the rule.
- timestamp
Override String - Field name to use for timestamp override. Available for all rule types.
- timestamp
Override BooleanFallback Disabled - Disables timestamp override fallback. Available for all rule types.
- to String
- Time to which data is analyzed each time the rule runs, using a date math range.
- type String
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- updated
At String - The time the rule was last updated.
- updated
By String - The user who last updated the rule.
- version Double
- The rule's version number.
- actions
Kibana
Security Detection Rule Action[] - Array of automated actions taken when alerts are generated by the rule.
- alert
Suppression KibanaSecurity Detection Rule Alert Suppression - Defines alert suppression configuration to reduce duplicate alerts.
- anomaly
Threshold number - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- authors string[]
- The rule's author.
- building
Block stringType - Determines if the rule acts as a building block. If set, the value must be `default`. Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- concurrent
Searches number - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- created
At string - The time the rule was created.
- created
By string - The user who created the rule.
- data
View stringId - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- description string
- The rule's description.
- enabled boolean
- Determines whether the rule is enabled.
- exceptions
Lists KibanaSecurity Detection Rule Exceptions List[] - Array of exception containers to prevent the rule from generating alerts.
- false
Positives string[] - String array used to describe common reasons why the rule may issue false-positive alerts.
- filters string
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- from string
- Time from which data is analyzed each time the rule runs, using a date math range.
- history
Window stringStart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- indices string[]
- Indices on which the rule functions.
- interval string
- Frequency of rule execution, using a date math range.
- investigation
Fields string[] - Array of field names to include in alert investigation. Available for all rule types.
- items
Per numberSearch - Number of items to search for in each concurrent search. Optional for threat_match rules.
- language string
- The query language (KQL or Lucene).
- license string
- The rule's license.
- machine
Learning string[]Job Ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- max
Signals number - Maximum number of alerts the rule can create during a single run.
- name string
- A human-readable name for the rule.
- namespace string
- Alerts index namespace. Available for all rule types.
- new
Terms string[]Fields - Field names containing the new terms. Required for new_terms rules.
- note string
- Notes to help investigate alerts produced by the rule.
- query string
- The query language definition.
- references string[]
- String array containing references and URLs to sources of additional information.
- related
Integrations Kibana
Security Detection Rule Related Integration[] - Array of related integrations that provide additional context for the rule.
- required
Fields KibanaSecurity Detection Rule Required Field[] - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- response
Actions KibanaSecurity Detection Rule Response Action[] - Array of response actions to take when alerts are generated by the rule.
- revision number
- The rule's revision number.
- risk
Score number - A numerical representation of the alert's severity from 0 to 100.
- risk
Score KibanaMappings Security Detection Rule Risk Score Mapping[] - Array of risk score mappings to override the default risk score based on source event field values.
- rule
Id string - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- rule
Name stringOverride - Override the rule name in Kibana. Available for all rule types.
- saved
Id string - Identifier of the saved query used for the rule. Required for saved_query rules.
- setup string
- Setup guide with instructions on rule prerequisites.
- severity string
- Severity level of alerts produced by the rule.
- severity
Mappings KibanaSecurity Detection Rule Severity Mapping[] - Array of severity mappings to override the default severity based on source event field values.
- space
Id string - An identifier for the space. If space_id is not provided, the default space is used.
- tags string[]
- String array containing words and phrases to help categorize, filter, and search rules.
- threat
Filters string[] - Additional filters for threat intelligence data. Optional for threat_match rules.
- threat
Indicator stringPath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- threat
Indices string[] - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- threat
Mappings KibanaSecurity Detection Rule Threat Mapping[] - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- threat
Query string - Query used to filter threat intelligence data. Optional for threat_match rules.
- threats
Kibana
Security Detection Rule Threat[] - MITRE ATT&CK framework threat information.
- threshold
Kibana
Security Detection Rule Threshold - Threshold settings for the rule. Required for threshold rules.
- tiebreaker
Field string - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- timeline
Id string - Timeline template ID for the rule.
- timeline
Title string - Timeline template title for the rule.
- timestamp
Override string - Field name to use for timestamp override. Available for all rule types.
- timestamp
Override booleanFallback Disabled - Disables timestamp override fallback. Available for all rule types.
- to string
- Time to which data is analyzed each time the rule runs, using a date math range.
- type string
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- updated
At string - The time the rule was last updated.
- updated
By string - The user who last updated the rule.
- version number
- The rule's version number.
- actions
Sequence[Kibana
Security Detection Rule Action Args] - Array of automated actions taken when alerts are generated by the rule.
- alert_
suppression KibanaSecurity Detection Rule Alert Suppression Args - Defines alert suppression configuration to reduce duplicate alerts.
- anomaly_
threshold float - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- authors Sequence[str]
- The rule's author.
- building_
block_ strtype - Determines if the rule acts as a building block. If set, the value must be `default`. Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- concurrent_
searches float - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- created_
at str - The time the rule was created.
- created_
by str - The user who created the rule.
- data_
view_ strid - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- description str
- The rule's description.
- enabled bool
- Determines whether the rule is enabled.
- exceptions_
lists Sequence[KibanaSecurity Detection Rule Exceptions List Args] - Array of exception containers to prevent the rule from generating alerts.
- false_
positives Sequence[str] - String array used to describe common reasons why the rule may issue false-positive alerts.
- filters str
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- from_ str
- Time from which data is analyzed each time the rule runs, using a date math range.
- history_
window_ strstart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- indices Sequence[str]
- Indices on which the rule functions.
- interval str
- Frequency of rule execution, using a date math range.
- investigation_
fields Sequence[str] - Array of field names to include in alert investigation. Available for all rule types.
- items_
per_ floatsearch - Number of items to search for in each concurrent search. Optional for threat_match rules.
- language str
- The query language (KQL or Lucene).
- license str
- The rule's license.
- machine_
learning_ Sequence[str]job_ ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- max_
signals float - Maximum number of alerts the rule can create during a single run.
- name str
- A human-readable name for the rule.
- namespace str
- Alerts index namespace. Available for all rule types.
- new_
terms_ Sequence[str]fields - Field names containing the new terms. Required for new_terms rules.
- note str
- Notes to help investigate alerts produced by the rule.
- query str
- The query language definition.
- references Sequence[str]
- String array containing references and URLs to sources of additional information.
- related_
integrations Sequence[Kibana
Security Detection Rule Related Integration Args] - Array of related integrations that provide additional context for the rule.
- required_
fields Sequence[KibanaSecurity Detection Rule Required Field Args] - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- response_
actions Sequence[KibanaSecurity Detection Rule Response Action Args] - Array of response actions to take when alerts are generated by the rule.
- revision float
- The rule's revision number.
- risk_
score float - A numerical representation of the alert's severity from 0 to 100.
- risk_
score_ Sequence[Kibanamappings Security Detection Rule Risk Score Mapping Args] - Array of risk score mappings to override the default risk score based on source event field values.
- rule_
id str - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- rule_
name_ stroverride - Override the rule name in Kibana. Available for all rule types.
- saved_
id str - Identifier of the saved query used for the rule. Required for saved_query rules.
- setup str
- Setup guide with instructions on rule prerequisites.
- severity str
- Severity level of alerts produced by the rule.
- severity_
mappings Sequence[KibanaSecurity Detection Rule Severity Mapping Args] - Array of severity mappings to override the default severity based on source event field values.
- space_
id str - An identifier for the space. If space_id is not provided, the default space is used.
- tags Sequence[str]
- String array containing words and phrases to help categorize, filter, and search rules.
- threat_
filters Sequence[str] - Additional filters for threat intelligence data. Optional for threat_match rules.
- threat_
indicator_ strpath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- threat_
indices Sequence[str] - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- threat_
mappings Sequence[KibanaSecurity Detection Rule Threat Mapping Args] - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- threat_
query str - Query used to filter threat intelligence data. Optional for threat_match rules.
- threats
Sequence[Kibana
Security Detection Rule Threat Args] - MITRE ATT&CK framework threat information.
- threshold
Kibana
Security Detection Rule Threshold Args - Threshold settings for the rule. Required for threshold rules.
- tiebreaker_
field str - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- timeline_
id str - Timeline template ID for the rule.
- timeline_
title str - Timeline template title for the rule.
- timestamp_
override str - Field name to use for timestamp override. Available for all rule types.
- timestamp_
override_ boolfallback_ disabled - Disables timestamp override fallback. Available for all rule types.
- to str
- Time to which data is analyzed each time the rule runs, using a date math range.
- type str
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- updated_
at str - The time the rule was last updated.
- updated_
by str - The user who last updated the rule.
- version float
- The rule's version number.
- actions List<Property Map>
- Array of automated actions taken when alerts are generated by the rule.
- alert
Suppression Property Map - Defines alert suppression configuration to reduce duplicate alerts.
- anomaly
Threshold Number - Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. Required for machine_learning rules.
- authors List<String>
- The rule's author.
- building
Block StringType - Determines if the rule acts as a building block. If set, the value must be `default`. Building-block alerts are not displayed in the UI by default and are used as a foundation for other rules.
- concurrent
Searches Number - Number of concurrent searches for threat intelligence. Optional for threat_match rules.
- created
At String - The time the rule was created.
- created
By String - The user who created the rule.
- data
View StringId - Data view ID for the rule. Not supported for esql and machine_learning rule types.
- description String
- The rule's description.
- enabled Boolean
- Determines whether the rule is enabled.
- exceptions
Lists List<Property Map> - Array of exception containers to prevent the rule from generating alerts.
- false
Positives List<String> - String array used to describe common reasons why the rule may issue false-positive alerts.
- filters String
- Query and filter context array to define alert conditions as JSON. Supports complex filter structures including bool queries, term filters, range filters, etc. Available for all rule types.
- from String
- Time from which data is analyzed each time the rule runs, using a date math range.
- history
Window StringStart - Start date to use when checking if a term has been seen before. Supports relative dates like 'now-30d'. Required for new_terms rules.
- indices List<String>
- Indices on which the rule functions.
- interval String
- Frequency of rule execution, using a date math range.
- investigation
Fields List<String> - Array of field names to include in alert investigation. Available for all rule types.
- items
Per NumberSearch - Number of items to search for in each concurrent search. Optional for threat_match rules.
- language String
- The query language (KQL or Lucene).
- license String
- The rule's license.
- machine
Learning List<String>Job Ids - Machine learning job ID(s) the rule monitors for anomaly scores. Required for machine_learning rules.
- max
Signals Number - Maximum number of alerts the rule can create during a single run.
- name String
- A human-readable name for the rule.
- namespace String
- Alerts index namespace. Available for all rule types.
- new
Terms List<String>Fields - Field names containing the new terms. Required for new_terms rules.
- note String
- Notes to help investigate alerts produced by the rule.
- query String
- The query language definition.
- references List<String>
- String array containing references and URLs to sources of additional information.
- related
Integrations List<Property Map>
- Array of related integrations that provide additional context for the rule.
- required
Fields List<Property Map> - Array of Elasticsearch fields and types that must be present in source indices for the rule to function properly.
- response
Actions List<Property Map> - Array of response actions to take when alerts are generated by the rule.
- revision Number
- The rule's revision number.
- risk
Score Number - A numerical representation of the alert's severity from 0 to 100.
- risk
Score List<Property Map>Mappings - Array of risk score mappings to override the default risk score based on source event field values.
- rule
Id String - A stable unique identifier for the rule object. If omitted, a UUID is generated.
- rule
Name StringOverride - Override the rule name in Kibana. Available for all rule types.
- saved
Id String - Identifier of the saved query used for the rule. Required for saved_query rules.
- setup String
- Setup guide with instructions on rule prerequisites.
- severity String
- Severity level of alerts produced by the rule.
- severity
Mappings List<Property Map> - Array of severity mappings to override the default severity based on source event field values.
- space
Id String - An identifier for the space. If space_id is not provided, the default space is used.
- tags List<String>
- String array containing words and phrases to help categorize, filter, and search rules.
- threat
Filters List<String> - Additional filters for threat intelligence data. Optional for threat_match rules.
- threat
Indicator StringPath - Path to the threat indicator in the indicator documents. Optional for threat_match rules.
- threat
Indices List<String> - Array of index patterns for the threat intelligence indices. Required for threat_match rules.
- threat
Mappings List<Property Map> - Array of threat mappings that specify how to match events with threat intelligence. Required for threat_match rules.
- threat
Query String - Query used to filter threat intelligence data. Optional for threat_match rules.
- threats List<Property Map>
- MITRE ATT&CK framework threat information.
- threshold Property Map
- Threshold settings for the rule. Required for threshold rules.
- tiebreaker
Field String - Sets the tiebreaker field. Required for EQL rules when event.dataset is not provided.
- timeline
Id String - Timeline template ID for the rule.
- timeline
Title String - Timeline template title for the rule.
- timestamp
Override String - Field name to use for timestamp override. Available for all rule types.
- timestamp
Override BooleanFallback Disabled - Disables timestamp override fallback. Available for all rule types.
- to String
- Time to which data is analyzed each time the rule runs, using a date math range.
- type String
- Rule type. Supported types: query, eql, esql, machine_learning, new_terms, saved_query, threat_match, threshold.
- updated
At String - The time the rule was last updated.
- updated
By String - The user who last updated the rule.
- version Number
- The rule's version number.
Supporting Types
KibanaSecurityDetectionRuleAction, KibanaSecurityDetectionRuleActionArgs
- Action
Type stringId - The action type used for sending notifications (e.g., .slack, .email, .webhook, .pagerduty, etc.).
- Id string
- The connector ID.
- Params Dictionary<string, string>
- Object containing the allowed connector fields, which varies according to the connector type.
- Alerts
Filter Dictionary<string, string> - Object containing an action's conditional filters.
- Frequency
Kibana
Security Detection Rule Action Frequency - The action frequency defines when the action runs.
- Group string
- Optionally groups actions by use cases. Use 'default' for alert notifications.
- Uuid string
- A unique identifier for the action.
- Action
Type stringId - The action type used for sending notifications (e.g., .slack, .email, .webhook, .pagerduty, etc.).
- Id string
- The connector ID.
- Params map[string]string
- Object containing the allowed connector fields, which varies according to the connector type.
- Alerts
Filter map[string]string - Object containing an action's conditional filters.
- Frequency
Kibana
Security Detection Rule Action Frequency - The action frequency defines when the action runs.
- Group string
- Optionally groups actions by use cases. Use 'default' for alert notifications.
- Uuid string
- A unique identifier for the action.
- action
Type StringId - The action type used for sending notifications (e.g., .slack, .email, .webhook, .pagerduty, etc.).
- id String
- The connector ID.
- params Map<String,String>
- Object containing the allowed connector fields, which varies according to the connector type.
- alerts
Filter Map<String,String> - Object containing an action's conditional filters.
- frequency
Kibana
Security Detection Rule Action Frequency - The action frequency defines when the action runs.
- group String
- Optionally groups actions by use cases. Use 'default' for alert notifications.
- uuid String
- A unique identifier for the action.
- action
Type stringId - The action type used for sending notifications (e.g., .slack, .email, .webhook, .pagerduty, etc.).
- id string
- The connector ID.
- params {[key: string]: string}
- Object containing the allowed connector fields, which varies according to the connector type.
- alerts
Filter {[key: string]: string} - Object containing an action's conditional filters.
- frequency
Kibana
Security Detection Rule Action Frequency - The action frequency defines when the action runs.
- group string
- Optionally groups actions by use cases. Use 'default' for alert notifications.
- uuid string
- A unique identifier for the action.
- action_
type_ strid - The action type used for sending notifications (e.g., .slack, .email, .webhook, .pagerduty, etc.).
- id str
- The connector ID.
- params Mapping[str, str]
- Object containing the allowed connector fields, which varies according to the connector type.
- alerts_
filter Mapping[str, str] - Object containing an action's conditional filters.
- frequency
Kibana
Security Detection Rule Action Frequency - The action frequency defines when the action runs.
- group str
- Optionally groups actions by use cases. Use 'default' for alert notifications.
- uuid str
- A unique identifier for the action.
- actionTypeId String
- The action type used for sending notifications (e.g., .slack, .email, .webhook, .pagerduty, etc.).
- id String
- The connector ID.
- params Map<String>
- Object containing the allowed connector fields, which varies according to the connector type.
- alertsFilter Map<String>
- Object containing an action's conditional filters.
- frequency Property Map
- The action frequency defines when the action runs.
- group String
- Optionally groups actions by use cases. Use 'default' for alert notifications.
- uuid String
- A unique identifier for the action.
KibanaSecurityDetectionRuleActionFrequency, KibanaSecurityDetectionRuleActionFrequencyArgs
- NotifyWhen string
- Defines how often rules run actions. Valid values: onActionGroupChange, onActiveAlert, onThrottleInterval.
- Summary bool
- Indicates whether a single summary notification is sent for all generated alerts, or one notification per individual alert.
- Throttle string
- Time interval for throttling actions (e.g., '1h', '30m', 'no_actions', 'rule').
- NotifyWhen string
- Defines how often rules run actions. Valid values: onActionGroupChange, onActiveAlert, onThrottleInterval.
- Summary bool
- Indicates whether a single summary notification is sent for all generated alerts, or one notification per individual alert.
- Throttle string
- Time interval for throttling actions (e.g., '1h', '30m', 'no_actions', 'rule').
- notifyWhen String
- Defines how often rules run actions. Valid values: onActionGroupChange, onActiveAlert, onThrottleInterval.
- summary Boolean
- Indicates whether a single summary notification is sent for all generated alerts, or one notification per individual alert.
- throttle String
- Time interval for throttling actions (e.g., '1h', '30m', 'no_actions', 'rule').
- notifyWhen string
- Defines how often rules run actions. Valid values: onActionGroupChange, onActiveAlert, onThrottleInterval.
- summary boolean
- Indicates whether a single summary notification is sent for all generated alerts, or one notification per individual alert.
- throttle string
- Time interval for throttling actions (e.g., '1h', '30m', 'no_actions', 'rule').
- notify_when str
- Defines how often rules run actions. Valid values: onActionGroupChange, onActiveAlert, onThrottleInterval.
- summary bool
- Indicates whether a single summary notification is sent for all generated alerts, or one notification per individual alert.
- throttle str
- Time interval for throttling actions (e.g., '1h', '30m', 'no_actions', 'rule').
- notifyWhen String
- Defines how often rules run actions. Valid values: onActionGroupChange, onActiveAlert, onThrottleInterval.
- summary Boolean
- Indicates whether a single summary notification is sent for all generated alerts, or one notification per individual alert.
- throttle String
- Time interval for throttling actions (e.g., '1h', '30m', 'no_actions', 'rule').
KibanaSecurityDetectionRuleAlertSuppression, KibanaSecurityDetectionRuleAlertSuppressionArgs
- Duration string
- Duration for which alerts are suppressed.
- GroupBies List<string>
- Array of field names to group alerts by for suppression.
- MissingFieldsStrategy string
- Strategy for handling missing fields in suppression grouping: 'suppress' - only one alert is created per suppress-by bucket; 'doNotSuppress' - a separate alert is created for each document.
- Duration string
- Duration for which alerts are suppressed.
- GroupBies []string
- Array of field names to group alerts by for suppression.
- MissingFieldsStrategy string
- Strategy for handling missing fields in suppression grouping: 'suppress' - only one alert is created per suppress-by bucket; 'doNotSuppress' - a separate alert is created for each document.
- duration String
- Duration for which alerts are suppressed.
- groupBies List<String>
- Array of field names to group alerts by for suppression.
- missingFieldsStrategy String
- Strategy for handling missing fields in suppression grouping: 'suppress' - only one alert is created per suppress-by bucket; 'doNotSuppress' - a separate alert is created for each document.
- duration string
- Duration for which alerts are suppressed.
- groupBies string[]
- Array of field names to group alerts by for suppression.
- missingFieldsStrategy string
- Strategy for handling missing fields in suppression grouping: 'suppress' - only one alert is created per suppress-by bucket; 'doNotSuppress' - a separate alert is created for each document.
- duration str
- Duration for which alerts are suppressed.
- group_bies Sequence[str]
- Array of field names to group alerts by for suppression.
- missing_fields_strategy str
- Strategy for handling missing fields in suppression grouping: 'suppress' - only one alert is created per suppress-by bucket; 'doNotSuppress' - a separate alert is created for each document.
- duration String
- Duration for which alerts are suppressed.
- groupBies List<String>
- Array of field names to group alerts by for suppression.
- missingFieldsStrategy String
- Strategy for handling missing fields in suppression grouping: 'suppress' - only one alert is created per suppress-by bucket; 'doNotSuppress' - a separate alert is created for each document.
KibanaSecurityDetectionRuleExceptionsList, KibanaSecurityDetectionRuleExceptionsListArgs
- Id string
- The exception container ID.
- ListId string
- The exception container's list ID.
- NamespaceType string
- The namespace type for the exception container.
- Type string
- The type of exception container.
- Id string
- The exception container ID.
- ListId string
- The exception container's list ID.
- NamespaceType string
- The namespace type for the exception container.
- Type string
- The type of exception container.
- id String
- The exception container ID.
- listId String
- The exception container's list ID.
- namespaceType String
- The namespace type for the exception container.
- type String
- The type of exception container.
- id string
- The exception container ID.
- listId string
- The exception container's list ID.
- namespaceType string
- The namespace type for the exception container.
- type string
- The type of exception container.
- id str
- The exception container ID.
- list_id str
- The exception container's list ID.
- namespace_type str
- The namespace type for the exception container.
- type str
- The type of exception container.
- id String
- The exception container ID.
- listId String
- The exception container's list ID.
- namespaceType String
- The namespace type for the exception container.
- type String
- The type of exception container.
KibanaSecurityDetectionRuleRelatedIntegration, KibanaSecurityDetectionRuleRelatedIntegrationArgs
- Package string
- Name of the integration package.
- Version string
- Version of the integration package.
- Integration string
- Name of the specific integration.
- Package string
- Name of the integration package.
- Version string
- Version of the integration package.
- Integration string
- Name of the specific integration.
- package_ String
- Name of the integration package.
- version String
- Version of the integration package.
- integration String
- Name of the specific integration.
- package string
- Name of the integration package.
- version string
- Version of the integration package.
- integration string
- Name of the specific integration.
- package str
- Name of the integration package.
- version str
- Version of the integration package.
- integration str
- Name of the specific integration.
- package String
- Name of the integration package.
- version String
- Version of the integration package.
- integration String
- Name of the specific integration.
KibanaSecurityDetectionRuleRequiredField, KibanaSecurityDetectionRuleRequiredFieldArgs
KibanaSecurityDetectionRuleResponseAction, KibanaSecurityDetectionRuleResponseActionArgs
- ActionTypeId string
- The action type used for response actions (.osquery, .endpoint).
- Params KibanaSecurityDetectionRuleResponseActionParams
- Parameters for the response action. The structure varies based on the action type ID.
- ActionTypeId string
- The action type used for response actions (.osquery, .endpoint).
- Params KibanaSecurityDetectionRuleResponseActionParams
- Parameters for the response action. The structure varies based on the action type ID.
- actionTypeId String
- The action type used for response actions (.osquery, .endpoint).
- params KibanaSecurityDetectionRuleResponseActionParams
- Parameters for the response action. The structure varies based on the action type ID.
- actionTypeId string
- The action type used for response actions (.osquery, .endpoint).
- params KibanaSecurityDetectionRuleResponseActionParams
- Parameters for the response action. The structure varies based on the action type ID.
- action_type_id str
- The action type used for response actions (.osquery, .endpoint).
- params KibanaSecurityDetectionRuleResponseActionParams
- Parameters for the response action. The structure varies based on the action type ID.
- actionTypeId String
- The action type used for response actions (.osquery, .endpoint).
- params Property Map
- Parameters for the response action. The structure varies based on the action type ID.
KibanaSecurityDetectionRuleResponseActionParams, KibanaSecurityDetectionRuleResponseActionParamsArgs
- Command string
- Command to run (endpoint only). Valid values: isolate, kill-process, suspend-process.
- Comment string
- Comment describing the action (endpoint only).
- Config KibanaSecurityDetectionRuleResponseActionParamsConfig
- Configuration for process commands (endpoint only).
- EcsMapping Dictionary<string, string>
- Maps Osquery result columns to ECS fields (osquery only).
- PackId string
- Query pack identifier (osquery only).
- Queries List<KibanaSecurityDetectionRuleResponseActionParamsQuery>
- Array of queries to run (osquery only).
- Query string
- SQL query to run (osquery only). Example: 'SELECT * FROM processes;'
- SavedQueryId string
- Saved query identifier (osquery only).
- Timeout double
- Timeout period in seconds (osquery only). Min: 60, Max: 900.
- Command string
- Command to run (endpoint only). Valid values: isolate, kill-process, suspend-process.
- Comment string
- Comment describing the action (endpoint only).
- Config KibanaSecurityDetectionRuleResponseActionParamsConfig
- Configuration for process commands (endpoint only).
- EcsMapping map[string]string
- Maps Osquery result columns to ECS fields (osquery only).
- PackId string
- Query pack identifier (osquery only).
- Queries []KibanaSecurityDetectionRuleResponseActionParamsQuery
- Array of queries to run (osquery only).
- Query string
- SQL query to run (osquery only). Example: 'SELECT * FROM processes;'
- SavedQueryId string
- Saved query identifier (osquery only).
- Timeout float64
- Timeout period in seconds (osquery only). Min: 60, Max: 900.
- command String
- Command to run (endpoint only). Valid values: isolate, kill-process, suspend-process.
- comment String
- Comment describing the action (endpoint only).
- config KibanaSecurityDetectionRuleResponseActionParamsConfig
- Configuration for process commands (endpoint only).
- ecsMapping Map<String,String>
- Maps Osquery result columns to ECS fields (osquery only).
- packId String
- Query pack identifier (osquery only).
- queries List<KibanaSecurityDetectionRuleResponseActionParamsQuery>
- Array of queries to run (osquery only).
- query String
- SQL query to run (osquery only). Example: 'SELECT * FROM processes;'
- savedQueryId String
- Saved query identifier (osquery only).
- timeout Double
- Timeout period in seconds (osquery only). Min: 60, Max: 900.
- command string
- Command to run (endpoint only). Valid values: isolate, kill-process, suspend-process.
- comment string
- Comment describing the action (endpoint only).
- config KibanaSecurityDetectionRuleResponseActionParamsConfig
- Configuration for process commands (endpoint only).
- ecsMapping {[key: string]: string}
- Maps Osquery result columns to ECS fields (osquery only).
- packId string
- Query pack identifier (osquery only).
- queries KibanaSecurityDetectionRuleResponseActionParamsQuery[]
- Array of queries to run (osquery only).
- query string
- SQL query to run (osquery only). Example: 'SELECT * FROM processes;'
- savedQueryId string
- Saved query identifier (osquery only).
- timeout number
- Timeout period in seconds (osquery only). Min: 60, Max: 900.
- command str
- Command to run (endpoint only). Valid values: isolate, kill-process, suspend-process.
- comment str
- Comment describing the action (endpoint only).
- config KibanaSecurityDetectionRuleResponseActionParamsConfig
- Configuration for process commands (endpoint only).
- ecs_mapping Mapping[str, str]
- Maps Osquery result columns to ECS fields (osquery only).
- pack_id str
- Query pack identifier (osquery only).
- queries Sequence[KibanaSecurityDetectionRuleResponseActionParamsQuery]
- Array of queries to run (osquery only).
- query str
- SQL query to run (osquery only). Example: 'SELECT * FROM processes;'
- saved_query_id str
- Saved query identifier (osquery only).
- timeout float
- Timeout period in seconds (osquery only). Min: 60, Max: 900.
- command String
- Command to run (endpoint only). Valid values: isolate, kill-process, suspend-process.
- comment String
- Comment describing the action (endpoint only).
- config Property Map
- Configuration for process commands (endpoint only).
- ecsMapping Map<String>
- Maps Osquery result columns to ECS fields (osquery only).
- packId String
- Query pack identifier (osquery only).
- queries List<Property Map>
- Array of queries to run (osquery only).
- query String
- SQL query to run (osquery only). Example: 'SELECT * FROM processes;'
- savedQueryId String
- Saved query identifier (osquery only).
- timeout Number
- Timeout period in seconds (osquery only). Min: 60, Max: 900.
KibanaSecurityDetectionRuleResponseActionParamsConfig, KibanaSecurityDetectionRuleResponseActionParamsConfigArgs
KibanaSecurityDetectionRuleResponseActionParamsQuery, KibanaSecurityDetectionRuleResponseActionParamsQueryArgs
KibanaSecurityDetectionRuleRiskScoreMapping, KibanaSecurityDetectionRuleRiskScoreMappingArgs
- Field string
- Source event field used to override the default risk_score.
- Operator string
- Operator to use for field value matching. Currently only 'equals' is supported.
- Value string
- Value to match against the field.
- RiskScore double
- Risk score to use when the field matches the value (0-100). If omitted, the rule's default risk_score is used.
- Field string
- Source event field used to override the default risk_score.
- Operator string
- Operator to use for field value matching. Currently only 'equals' is supported.
- Value string
- Value to match against the field.
- RiskScore float64
- Risk score to use when the field matches the value (0-100). If omitted, the rule's default risk_score is used.
- field String
- Source event field used to override the default risk_score.
- operator String
- Operator to use for field value matching. Currently only 'equals' is supported.
- value String
- Value to match against the field.
- riskScore Double
- Risk score to use when the field matches the value (0-100). If omitted, the rule's default risk_score is used.
- field string
- Source event field used to override the default risk_score.
- operator string
- Operator to use for field value matching. Currently only 'equals' is supported.
- value string
- Value to match against the field.
- riskScore number
- Risk score to use when the field matches the value (0-100). If omitted, the rule's default risk_score is used.
- field str
- Source event field used to override the default risk_score.
- operator str
- Operator to use for field value matching. Currently only 'equals' is supported.
- value str
- Value to match against the field.
- risk_score float
- Risk score to use when the field matches the value (0-100). If omitted, the rule's default risk_score is used.
- field String
- Source event field used to override the default risk_score.
- operator String
- Operator to use for field value matching. Currently only 'equals' is supported.
- value String
- Value to match against the field.
- riskScore Number
- Risk score to use when the field matches the value (0-100). If omitted, the rule's default risk_score is used.
KibanaSecurityDetectionRuleSeverityMapping, KibanaSecurityDetectionRuleSeverityMappingArgs
KibanaSecurityDetectionRuleThreat, KibanaSecurityDetectionRuleThreatArgs
- Framework string
- Threat framework (typically 'MITRE ATT&CK').
- Tactic KibanaSecurityDetectionRuleThreatTactic
- MITRE ATT&CK tactic information.
- Techniques List<KibanaSecurityDetectionRuleThreatTechnique>
- MITRE ATT&CK technique information.
- Framework string
- Threat framework (typically 'MITRE ATT&CK').
- Tactic KibanaSecurityDetectionRuleThreatTactic
- MITRE ATT&CK tactic information.
- Techniques []KibanaSecurityDetectionRuleThreatTechnique
- MITRE ATT&CK technique information.
- framework String
- Threat framework (typically 'MITRE ATT&CK').
- tactic KibanaSecurityDetectionRuleThreatTactic
- MITRE ATT&CK tactic information.
- techniques List<KibanaSecurityDetectionRuleThreatTechnique>
- MITRE ATT&CK technique information.
- framework string
- Threat framework (typically 'MITRE ATT&CK').
- tactic KibanaSecurityDetectionRuleThreatTactic
- MITRE ATT&CK tactic information.
- techniques KibanaSecurityDetectionRuleThreatTechnique[]
- MITRE ATT&CK technique information.
- framework str
- Threat framework (typically 'MITRE ATT&CK').
- tactic KibanaSecurityDetectionRuleThreatTactic
- MITRE ATT&CK tactic information.
- techniques Sequence[KibanaSecurityDetectionRuleThreatTechnique]
- MITRE ATT&CK technique information.
- framework String
- Threat framework (typically 'MITRE ATT&CK').
- tactic Property Map
- MITRE ATT&CK tactic information.
- techniques List<Property Map>
- MITRE ATT&CK technique information.
KibanaSecurityDetectionRuleThreatMapping, KibanaSecurityDetectionRuleThreatMappingArgs
- Entries List<KibanaSecurityDetectionRuleThreatMappingEntry>
- Array of mapping entries.
- Entries []KibanaSecurityDetectionRuleThreatMappingEntry
- Array of mapping entries.
- entries List<KibanaSecurityDetectionRuleThreatMappingEntry>
- Array of mapping entries.
- entries KibanaSecurityDetectionRuleThreatMappingEntry[]
- Array of mapping entries.
- entries Sequence[KibanaSecurityDetectionRuleThreatMappingEntry]
- Array of mapping entries.
- entries List<Property Map>
- Array of mapping entries.
KibanaSecurityDetectionRuleThreatMappingEntry, KibanaSecurityDetectionRuleThreatMappingEntryArgs
KibanaSecurityDetectionRuleThreatTactic, KibanaSecurityDetectionRuleThreatTacticArgs
KibanaSecurityDetectionRuleThreatTechnique, KibanaSecurityDetectionRuleThreatTechniqueArgs
- Id string
- MITRE ATT&CK technique ID.
- Name string
- MITRE ATT&CK technique name.
- Reference string
- MITRE ATT&CK technique reference URL.
- Subtechniques List<KibanaSecurityDetectionRuleThreatTechniqueSubtechnique>
- MITRE ATT&CK sub-technique information.
- Id string
- MITRE ATT&CK technique ID.
- Name string
- MITRE ATT&CK technique name.
- Reference string
- MITRE ATT&CK technique reference URL.
- Subtechniques []KibanaSecurityDetectionRuleThreatTechniqueSubtechnique
- MITRE ATT&CK sub-technique information.
- id String
- MITRE ATT&CK technique ID.
- name String
- MITRE ATT&CK technique name.
- reference String
- MITRE ATT&CK technique reference URL.
- subtechniques List<KibanaSecurityDetectionRuleThreatTechniqueSubtechnique>
- MITRE ATT&CK sub-technique information.
- id string
- MITRE ATT&CK technique ID.
- name string
- MITRE ATT&CK technique name.
- reference string
- MITRE ATT&CK technique reference URL.
- subtechniques KibanaSecurityDetectionRuleThreatTechniqueSubtechnique[]
- MITRE ATT&CK sub-technique information.
- id str
- MITRE ATT&CK technique ID.
- name str
- MITRE ATT&CK technique name.
- reference str
- MITRE ATT&CK technique reference URL.
- subtechniques Sequence[KibanaSecurityDetectionRuleThreatTechniqueSubtechnique]
- MITRE ATT&CK sub-technique information.
- id String
- MITRE ATT&CK technique ID.
- name String
- MITRE ATT&CK technique name.
- reference String
- MITRE ATT&CK technique reference URL.
- subtechniques List<Property Map>
- MITRE ATT&CK sub-technique information.
KibanaSecurityDetectionRuleThreatTechniqueSubtechnique, KibanaSecurityDetectionRuleThreatTechniqueSubtechniqueArgs
KibanaSecurityDetectionRuleThreshold, KibanaSecurityDetectionRuleThresholdArgs
- Value double
- The threshold value from which an alert is generated.
- Cardinalities List<KibanaSecurityDetectionRuleThresholdCardinality>
- Cardinality settings for the threshold rule.
- Fields List<string>
- Field(s) to use for threshold aggregation.
- Value float64
- The threshold value from which an alert is generated.
- Cardinalities []KibanaSecurityDetectionRuleThresholdCardinality
- Cardinality settings for the threshold rule.
- Fields []string
- Field(s) to use for threshold aggregation.
- value Double
- The threshold value from which an alert is generated.
- cardinalities List<KibanaSecurityDetectionRuleThresholdCardinality>
- Cardinality settings for the threshold rule.
- fields List<String>
- Field(s) to use for threshold aggregation.
- value number
- The threshold value from which an alert is generated.
- cardinalities KibanaSecurityDetectionRuleThresholdCardinality[]
- Cardinality settings for the threshold rule.
- fields string[]
- Field(s) to use for threshold aggregation.
- value float
- The threshold value from which an alert is generated.
- cardinalities Sequence[KibanaSecurityDetectionRuleThresholdCardinality]
- Cardinality settings for the threshold rule.
- fields Sequence[str]
- Field(s) to use for threshold aggregation.
- value Number
- The threshold value from which an alert is generated.
- cardinalities List<Property Map>
- Cardinality settings for threshold rule.
- fields List<String>
- Field(s) to use for threshold aggregation.
KibanaSecurityDetectionRuleThresholdCardinality, KibanaSecurityDetectionRuleThresholdCardinalityArgs
Import
The pulumi import command can be used, for example:
$ pulumi import elasticstack:index/kibanaSecurityDetectionRule:KibanaSecurityDetectionRule example default/12345678-1234-1234-1234-123456789abc
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- elasticstack elastic/terraform-provider-elasticstack
- License
- Notes
- This Pulumi package is based on the
elasticstackTerraform Provider.
