The following APIs can be used for a number of tasks related to detectors, from creating detectors to updating and searching for detectors. Many API calls use the detector ID in the request, which can be retrieved using the [Search Detector API](#search-detector-api).
You can specify the following fields when creating a detector.
Field | Type | Description
:--- | :--- |:--- |
`enabled` | Boolean | Sets the detector as either active (true) or inactive (false). Default is `true` when a new detector is created. Required.
`name` | String | Name of the detector. Name should only consist of upper and lowercase letters, numbers 0-9, hyphens, spaces, and underscores. Use between 5 and 50 characters. Required.
`detector_type` | String | The log type that defines the detector. Options are `linux`, `network` ,`windows`, `ad_ldap`, `apache_access`, `cloudtrail`, `dns`, and `s3`. Required.
`schedule` | Object | The schedule that determines how often the detector runs. For information about specifying fixed intervals in the API, see the [Cron expression reference]({{site.url}}{{site.baseurl}}/monitoring-plugins/alerting/cron/).
`schedule.period` | Object | Details for the frequency of the schedule.
`schedule.period.interval` | Integer | The interval at which the detector runs.
`schedule.period.unit` | String | The interval's unit of time.
`inputs` | Object | Detector inputs.
`inputs.detector_input` | Array | An array that contains the index and definition used to create the detector. Currently, only one log data source is allowed for the detector.
`inputs.detector_input.description` | String | Description of the detector. Optional.
`inputs.detector_input.custom_rules` | Array | Detector inputs for custom rules. At least one rule must be specified for a detector. Optional if pre-packaged rules are specified.
`inputs.detector_input.custom_rules.id` | String | A valid rule ID for the custom rule generated by the user. Valid rules are formatted as a globally, or, universally unique identifier (UUID) See [Universally unique identifier](https://en.wikipedia.org/wiki/Universally_unique_identifier) for more information.
`inputs.detector_input.indices` | Array | The log data source used for the detector, which can be either an index name or index pattern. Currently, only one entry is supported with plans to support multiple indexes in a future release. Required.
`inputs.detector_input.pre_packaged_rules` | Array | Detector inputs for pre-packaged rules (as opposed to custom rules). At least one rule must be specified for a detector. Optional if custom rules are specified.
`inputs.detector_input.pre_packaged_rules.id` | String | The rule ID for pre-packaged rules. See [Search Pre-Packaged Rules]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/rule-api/#search-pre-packaged-rules) for information on how to use the API to search for rules and obtain rule IDs in results.
`triggers` | Array | Trigger settings for alerts.
`triggers.ids` | Array | A list of rule IDs that become part of the trigger condition.
`triggers.tags` | Array | Tags are specified in a security rule. Tags can then be selected and applied to the alert trigger to focus the trigger conditions for alerts. See an example of how tags are used in a Sigma rule in Sigma's [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#tags).
`triggers.id` | String | The unique ID for the trigger.
`triggers.sev_levels` | Array | Sigma rule severity levels: `informational`; `low`; `medium`; `high`; `criticial`. See [Level](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#level) in the Sigma Rule Creation Guide.
`triggers.name` | String | The name of the trigger. Name should only consist of upper and lowercase letters, numbers 0-9, hyphens, spaces, and underscores. Use between 5 and 50 characters. Required.
`triggers.severity` | Integer | Severity level for the trigger expressed as an integer: 1 = highest; 2 = high; 3 = medium; 4 = low; 5 = lowest. Trigger severity is part of the alert definition.
`triggers.actions` | Object | Actions send notifications when trigger conditions are met. Optional, as a notification message is not required as part of an alert.
`triggers.actions.id` | String | Unique ID for the action. User generated.
`triggers.actions.destination_id` | String | Unique ID for the notification destination. User generated.
`triggers.actions.subject_template` | Object | Contains the information for the subject field of the notification message. Optional.
`triggers.actions.subject_template.source` | String | The subject for the notification message.
`triggers.actions.subject_template.lang` | String | The scripting language used to define the subject. Must be Mustache. See the [Mustache Manual](https://mustache.github.io/mustache.5.html) for more information about templates.
`triggers.actions.name` | String | Name for the trigger alert. Name should only consist of upper and lowercase letters, numbers 0-9, hyphens, spaces, and underscores. Use between 5 and 50 characters.
`triggers.actions.message_template` | String | Contains the information for the body of the notification message. Optional.
`triggers.actions.message_template.source` | String | The body of the notification message.
`triggers.actions.message_template.lang` | String | The scripting language used to define the message. Must be `Mustache`.
`triggers.actions.throttle_enabled` | Boolean | Enables throttling for alert notifications. Optional. Default is `false`.
`triggers.actions.throttle` | Object | Throttling limits the number of notifications you receive within a given span of time.
`triggers.actions.throttle.unit` | String | Unit of time for throttling.
`triggers.actions.throttle.value` | Integer | The value for the unit of time.
You can specify the following fields when updating a detector.
Field | Type | Description
:--- | :--- |:--- |
`detector_type` | String | The log type that defines the detector. Options are `linux`, `network` ,`windows`, `ad_ldap`, `apache_access`, `cloudtrail`, `dns`, and `s3`.
`name` | String | The name of the detector. Name should only consist of upper and lowercase letters, numbers 0-9, hyphens, spaces, and underscores. Use between 5 and 50 characters. Required.
`enabled` | Boolean | Sets the detector as either Active (true) or Inactive (false).
`schedule.period.interval` | Integer | The interval at which the detector runs.
`schedule.period.unit` | String | The interval's unit of time.
`inputs.input.description` | String | Description of the detector.
`inputs.input.indices` | Array | The log data source used for the detector. Only one source is allowed at this time.
`inputs.input.rules.id` | Array | A list of security rules for the detector definition.
`triggers.sev_levels` | Array | Sigma rule severity levels: `informational`; `low`; `medium`; `high`; `criticial`. See [Level](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#level) in the Sigma Rule Creation Guide.
`triggers.tags` | Array | Tags are specified in a security rule. Tags can then be selected and applied to the alert trigger to focus the trigger conditions for alerts. See an example of how tags are used in a Sigma rule in Sigma's [Rule Creation Guide](https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#tags).
`triggers.actions` | Object | Actions send notifications when trigger conditions are met. See trigger actions for [Create Detector API]({{site.url}}{{site.baseurl}}/security-analytics/api-tools/detector-api/#create-detector-api).
`detector_type` | String | The log type for the detector. Options are `linux`, `network` ,`windows`, `ad_ldap`, `apache_access`, `cloudtrail`, `dns`, and `s3`.
