Getting SIEM alerts through API

Hello,

Is it possible to get alerts from Kibana SIEM through an api?

It seems like

<kibana host>:<port>/api/detection_engine/signals

could be a way but there's no example with individual alerts, just an aggregation.

Failing that, I guess the following could be used?


Have you tried the signals search API? Signals endpoint | Elastic Security Solution [8.5] | Elastic


I hadn't.

Thanks for pointing me in that direction because it's exactly what I'm after.

Do you know if

1. signals have a unique identifier?
2. how that api endpoint handles pagination (if the results are too much for one response)?

1. signals have a unique identifier?

I believe the document _id or kibana.alert.uuid represents the signal ID.

2. how that api endpoint handles pagination (if the results are too much for one response)?

The signal search API is just an Elasticsearch query DSL targeting security alerts indices. You can refer to Paginate search results | Elasticsearch Guide [8.11] | Elastic on how to paginate your search results.
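As an added example (not code from the thread or from Elastic), the following Python script puts both answers together: it posts Elasticsearch query DSL to the signals search endpoint documented on the Elastic "Signals endpoint" page linked above, sorts on @timestamp with kibana.alert.uuid as a tiebreaker, and walks all pages with search_after. The Kibana host, credentials and the sample alerts are placeholders and constructed data; an offline stand-in for the endpoint is included so the pagination loop can be exercised without a cluster.

```python
import base64
import json
import urllib.request

# Endpoint documented on the Elastic "Signals endpoint" page linked in the thread.
SIGNALS_SEARCH_PATH = "/api/detection_engine/signals/search"


def build_search_body(since, page_size, search_after=None):
    """Elasticsearch query DSL for the signals search endpoint.

    The sort is deterministic: @timestamp first, then kibana.alert.uuid as a
    tiebreaker, so search_after never skips or repeats alerts that share a timestamp.
    """
    body = {
        "query": {"bool": {"filter": [{"range": {"@timestamp": {"gte": since}}}]}},
        "size": page_size,
        "sort": [
            {"@timestamp": {"order": "asc"}},
            {"kibana.alert.uuid": {"order": "asc"}},
        ],
    }
    if search_after is not None:
        body["search_after"] = search_after
    return body


def kibana_post(base_url, path, body, username, password, timeout=30):
    """POST JSON to Kibana with basic auth. Kibana rejects non-GET API calls
    without a kbn-xsrf header. base_url, username and password are placeholders."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def iter_alerts(post, since, page_size=500):
    """Yield every alert hit, following search_after until a page comes back short.

    `post` is any callable taking a request body and returning the parsed response,
    e.g. lambda body: kibana_post(BASE_URL, SIGNALS_SEARCH_PATH, body, USER, PASS).
    """
    search_after = None
    while True:
        hits = post(build_search_body(since, page_size, search_after))["hits"]["hits"]
        for hit in hits:
            yield hit
        if len(hits) < page_size:
            return
        search_after = hits[-1]["sort"]  # sort values of the last hit seed the next page


def collect_alert_ids(post, since, page_size=500):
    """Return the unique alert IDs (kibana.alert.uuid) of every alert since `since`."""
    return [hit["_source"]["kibana.alert.uuid"] for hit in iter_alerts(post, since, page_size)]


# ---- Offline stand-in for the endpoint, with constructed sample alerts ----

SAMPLE_ALERTS = [  # constructed sample data, not real alerts
    {"_id": "doc-3", "_source": {"@timestamp": "2024-01-15T10:05:00.000Z", "kibana.alert.uuid": "a3"}},
    {"_id": "doc-0", "_source": {"@timestamp": "2024-01-14T23:59:00.000Z", "kibana.alert.uuid": "a0"}},
    {"_id": "doc-2", "_source": {"@timestamp": "2024-01-15T10:00:00.000Z", "kibana.alert.uuid": "a2"}},
    {"_id": "doc-5", "_source": {"@timestamp": "2024-01-15T10:09:00.000Z", "kibana.alert.uuid": "a5"}},
    {"_id": "doc-1", "_source": {"@timestamp": "2024-01-15T10:00:00.000Z", "kibana.alert.uuid": "a1"}},
    {"_id": "doc-4", "_source": {"@timestamp": "2024-01-15T10:07:00.000Z", "kibana.alert.uuid": "a4"}},
]


def make_fake_post(alerts):
    """Simulate the endpoint: apply the range filter, the sort, size and search_after
    the way Elasticsearch would, and count the requests made."""
    def sort_values(hit):
        return [hit["_source"]["@timestamp"], hit["_source"]["kibana.alert.uuid"]]

    ordered = sorted(alerts, key=sort_values)

    def post(body):
        post.calls += 1
        since = body["query"]["bool"]["filter"][0]["range"]["@timestamp"]["gte"]
        after = body.get("search_after")
        page = [
            h for h in ordered
            if h["_source"]["@timestamp"] >= since and (after is None or sort_values(h) > after)
        ][: body["size"]]
        return {"hits": {"hits": [dict(h, sort=sort_values(h)) for h in page]}}

    post.calls = 0
    return post


if __name__ == "__main__":
    fake = make_fake_post(SAMPLE_ALERTS)
    ids = collect_alert_ids(fake, since="2024-01-15T00:00:00.000Z", page_size=2)
    print(ids, "fetched in", fake.calls, "requests")
```

search_after is used rather than from/size because deep from/size paging is capped by the index's max_result_window (10,000 by default), and a tiebreaker on the unique alert ID is what keeps the pages stable when many alerts carry the same timestamp.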

Thanks again Hendry. Really appreciate the accurate responses!
