Hello,
Is it possible to get alerts from Kibana SIEM through an api?
It seems like <kibana host>:<port>/api/detection_engine/signals could be a way, but there's no example with individual alerts, just an aggregation.
Failing that, I guess the following could be used?
I hadn't.
Thanks for pointing me in that direction because it's exactly what I'm after.
Do you know if:
1. signals have a unique identifier?
2. how that API endpoint handles pagination (if the results are too much for one response)?
1. signals have a unique identifier?
I believe the document _id or kibana.alert.uuid represents the signal ID.
2. how that API endpoint handles pagination (if the results are too much for one response)?
The signal search API is just an Elasticsearch query DSL targeting the security alerts indices. You can refer to "Paginate search results | Elasticsearch Guide [8.11] | Elastic" on how to paginate your search results.
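To make the two answers above concrete, here is an added example (not code from the thread or from Elastic) that pages through alerts with search_after, using kibana.alert.uuid as the sort tiebreaker. It assumes Kibana's POST /api/detection_engine/signals/search endpoint and a constructed in-memory stand-in for the alerts index so it runs offline; the field names and sample alerts are assumptions.

```python
import json
from typing import Callable, Iterator
from urllib import request

SIGNALS_SEARCH_PATH = "/api/detection_engine/signals/search"  # POST; body is Elasticsearch query DSL

def build_query(start: str, page_size: int, search_after=None) -> dict:
    """Body for one page: open alerts since `start`, sorted on a unique tiebreaker pair."""
    body = {"size": page_size,
            "query": {"bool": {"filter": [{"term": {"kibana.alert.workflow_status": "open"}},
                                          {"range": {"@timestamp": {"gte": start}}}]}},
            # @timestamp alone is not unique; kibana.alert.uuid makes search_after deterministic.
            "sort": [{"@timestamp": "asc"}, {"kibana.alert.uuid": "asc"}]}
    if search_after is not None:
        body["search_after"] = search_after  # sort values of the previous page's last hit
    return body

def kibana_post(base_url: str, auth_header: str) -> Callable[[str, dict], dict]:
    """Real transport (not used offline): Kibana POST APIs also require the kbn-xsrf header."""
    def post(path: str, body: dict) -> dict:
        req = request.Request(base_url + path, data=json.dumps(body).encode(), method="POST",
                              headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                                       "Authorization": auth_header})
        with request.urlopen(req) as resp:
            return json.load(resp)
    return post

def iter_alerts(post: Callable[[str, dict], dict], start: str, page_size: int = 1000) -> Iterator[dict]:
    """Walk every page with search_after; a short page marks the end."""
    cursor = None
    while True:
        hits = post(SIGNALS_SEARCH_PATH, build_query(start, page_size, cursor))["hits"]["hits"]
        for hit in hits:
            src = hit["_source"]
            yield {"id": hit["_id"], "uuid": src["kibana.alert.uuid"], "rule": src["kibana.alert.rule.name"]}
        if len(hits) < page_size:
            return
        cursor = hits[-1]["sort"]  # Elasticsearch returns each hit's sort values alongside it

# Constructed sample alerts (two share a timestamp) standing in for a live alerts index.
SAMPLE_ALERTS = [{"_id": i, "_source": {"@timestamp": t, "kibana.alert.uuid": u, "kibana.alert.rule.name": r}}
                 for i, t, u, r in [("d3", "2023-01-01T00:00:03Z", "u3", "Suspicious process"),
                                    ("d1", "2023-01-01T00:00:01Z", "u1", "Brute force"),
                                    ("d2", "2023-01-01T00:00:01Z", "u2", "Brute force")]]

def fake_post(path: str, body: dict) -> dict:
    """Offline stand-in for Kibana that honours size, sort order and search_after."""
    key = lambda h: [h["_source"]["@timestamp"], h["_source"]["kibana.alert.uuid"]]
    ordered = sorted(SAMPLE_ALERTS, key=key)
    if body.get("search_after"):
        ordered = [h for h in ordered if key(h) > body["search_after"]]
    return {"hits": {"hits": [dict(h, sort=key(h)) for h in ordered[:body["size"]]]}}
```

Swap fake_post for kibana_post("https://<kibana host>:<port>", "ApiKey <key>") to run it against a real stack; against a live index the @timestamp sort value comes back as epoch milliseconds, which is fine because the cursor is only ever passed back unchanged.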
Thanks again Hendry. Really appreciate the accurate responses!
system closed this topic on January 18, 2023, 7:14pm:
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.