---
# Naftiko capability for the Kibana Security Attack discovery API.
# Layout: `info` (metadata), `binds` (env-sourced secret), `capability.consumes`
# (the upstream Kibana HTTP surface, one resource per path, 13 operations) and
# `capability.exposes` (a REST adapter on port 8080 and an MCP adapter on port
# 9090, each with one entry per consumed operation).
naftiko: 1.0.0-alpha2

info:
  label: Kibana APIs — Security Attack discovery API
  description: >-
    Kibana APIs — Security Attack discovery API. 13 operations. Lead operation:
    Bulk update Attack discoveries. Self-contained Naftiko capability covering
    one Kibana business surface.
  tags:
    - Kibana
    - Security Attack discovery API
  created: '2026-05-19'
  modified: '2026-05-19'

# The Kibana API key is read from the process environment; nothing secret is
# stored in this file. Every call made through either adapter below runs with
# this key's privileges, so scope the key to what these operations need.
binds:
  - namespace: env
    keys:
      KIBANA_API_KEY: KIBANA_API_KEY

capability:
  consumes:
    - type: http
      namespace: kibana-security-attack-discovery-api
      # `{kibana_url}` is a host placeholder resolved outside this file (presumably
      # by the Naftiko runtime — confirm); the scheme is pinned to https.
      baseUri: https://{kibana_url}
      description: >-
        Kibana APIs — Security Attack discovery API business capability.
        Self-contained, no shared references.
      resources:
        - name: api-attack_discovery-_bulk
          path: /api/attack_discovery/_bulk
          operations:
            - name: postattackdiscoverybulk
              method: POST
              description: Bulk update Attack discoveries
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true

        - name: api-attack_discovery-_find
          path: /api/attack_discovery/_find
          operations:
            - name: attackdiscoveryfind
              method: GET
              description: Find Attack discoveries that match the search criteria
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: alert_ids
                  in: query
                  type: array
                  description: >-
                    Filter results to Attack discoveries that include any of the
                    provided alert IDs
                # NOTE(review): several descriptions below end mid-word; they were
                # truncated in the source this file was generated from and are left
                # as found rather than guessed at.
                - name: connector_names
                  in: query
                  type: array
                  description: >-
                    Filter results to Attack discoveries created by any of the provided
                    human readable connector names. Note that values must match the
                    human readable `connector_na
                - name: enable_field_rendering
                  in: query
                  type: boolean
                  description: >-
                    Enables a markdown syntax used to render pivot fields, for example
                    `{{ user.name james }}`. When disabled, the same example would be
                    rendered as `james`. This i
                - name: end
                  in: query
                  type: string
                  description: >-
                    End of the time range for the search. Accepts absolute timestamps
                    (ISO 8601) or relative date math (e.g. "now", "now-24h").
                - name: ids
                  in: query
                  type: array
                  description: Filter results to the Attack discoveries with the specified IDs
                - name: include_unique_alert_ids
                  in: query
                  type: boolean
                  description: >-
                    If `true`, the response will include `unique_alert_ids` and
                    `unique_alert_ids_count` aggregated across the matched Attack
                    discoveries
                # NOTE(review): `page`/`per_page` are `integer` here but `number` on
                # schedules/_find below; presumably mirrors the upstream spec — confirm.
                - name: page
                  in: query
                  type: integer
                  description: Page number to return (used for pagination). Defaults to 1.
                - name: per_page
                  in: query
                  type: integer
                  description: >-
                    Number of Attack discoveries to return per page (used for
                    pagination). Defaults to 10.
                - name: search
                  in: query
                  type: string
                  description: >-
                    Free-text search query applied to relevant text fields of Attack
                    discoveries (title, description, tags, etc.)
                - name: shared
                  in: query
                  type: boolean
                  description: >-
                    Whether to filter by shared visibility. If omitted, both shared and
                    privately visible Attack discoveries are returned. Use `true` to
                    return only shared discover
                - name: scheduled
                  in: query
                  type: boolean
                  description: >-
                    Whether to filter by scheduled or ad-hoc attack discoveries. If
                    omitted, both types of attack discoveries are returned. Use `true`
                    to return only scheduled disc
                - name: sort_field
                  in: query
                  type: string
                  description: >-
                    Field used to sort results. See `AttackDiscoveryFindSortField` for
                    allowed values.
                - name: sort_order
                  in: query
                  type: string
                  description: >-
                    Sort order direction `asc` for ascending or `desc` for descending.
                    Defaults to `desc`.
                - name: start
                  in: query
                  type: string
                  description: >-
                    Start of the time range for the search. Accepts absolute timestamps
                    (ISO 8601) or relative date math (e.g. "now-7d").
                - name: status
                  in: query
                  type: array
                  description: >-
                    Filter by alert workflow status. Provide one or more of the allowed
                    workflow states.
                - name: with_replacements
                  in: query
                  type: boolean
                  description: >-
                    When true, return the created Attack discoveries with text
                    replacements applied to the detailsMarkdown, entitySummaryMarkdown,
                    summaryMarkdown, and title fields

        - name: api-attack_discovery-_generate
          path: /api/attack_discovery/_generate
          operations:
            - name: postattackdiscoverygenerate
              method: POST
              description: Generate attack discoveries from alerts
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true

        - name: api-attack_discovery-generations
          path: /api/attack_discovery/generations
          operations:
            - name: getattackdiscoverygenerations
              method: GET
              description: >-
                Get the latest Attack Discovery generations metadata for the current
                user
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: end
                  in: query
                  type: string
                  description: >-
                    End of the time range for filtering generations. Accepts absolute
                    timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h").
                - name: size
                  in: query
                  type: number
                  description: The maximum number of generations to retrieve
                - name: start
                  in: query
                  type: string
                  description: >-
                    Start of the time range for filtering generations. Accepts absolute
                    timestamps (ISO 8601) or relative date math (e.g. "now-7d").

        - name: api-attack_discovery-generations-execution_uuid
          path: /api/attack_discovery/generations/{execution_uuid}
          operations:
            - name: getattackdiscoverygeneration
              method: GET
              description: >-
                Get a single Attack Discovery generation, including its discoveries and
                (optional) generation metadata
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: execution_uuid
                  in: path
                  type: string
                  description: >-
                    The unique identifier for the Attack Discovery generation execution.
                    This UUID is returned at the start of an Attack Discovery generation.
                  required: true
                - name: enable_field_rendering
                  in: query
                  type: boolean
                  description: >-
                    Enables a markdown syntax used to render pivot fields, for example
                    `{{ user.name james }}`. When disabled, the same example would be
                    rendered as `james`. This i
                - name: with_replacements
                  in: query
                  type: boolean
                  description: >-
                    When true, return the created Attack discoveries with text
                    replacements applied to the detailsMarkdown, entitySummaryMarkdown,
                    summaryMarkdown, and title fields

        - name: api-attack_discovery-generations-execution_uuid-_dismiss
          path: /api/attack_discovery/generations/{execution_uuid}/_dismiss
          operations:
            - name: postattackdiscoverygenerationsdismiss
              method: POST
              description: Dismiss an Attack Discovery generation
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: execution_uuid
                  in: path
                  type: string
                  description: >-
                    The unique identifier for the Attack Discovery generation execution.
                    This UUID is returned when an Attack Discovery generation is created
                    and can be found in ge
                  required: true

        - name: api-attack_discovery-schedules
          path: /api/attack_discovery/schedules
          operations:
            - name: createattackdiscoveryschedules
              method: POST
              description: Create Attack Discovery schedule
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true

        - name: api-attack_discovery-schedules-_find
          path: /api/attack_discovery/schedules/_find
          operations:
            - name: findattackdiscoveryschedules
              method: GET
              description: Find Attack Discovery schedules that match the search criteria
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: page
                  in: query
                  type: number
                  description: Page number to return (used for pagination). Defaults to 1.
                - name: per_page
                  in: query
                  type: number
                  description: >-
                    Number of Attack Discovery schedules to return per page (used for
                    pagination). Defaults to 10.
                - name: sort_field
                  in: query
                  type: string
                  description: >-
                    Field used to sort results. Common fields include 'name',
                    'created_at', 'updated_at', and 'enabled'.
                - name: sort_direction
                  in: query
                  type: string
                  description: >-
                    Sort order direction. Use 'asc' for ascending or 'desc' for
                    descending. Defaults to 'asc'.

        - name: api-attack_discovery-schedules-id
          path: /api/attack_discovery/schedules/{id}
          operations:
            - name: deleteattackdiscoveryschedules
              method: DELETE
              description: Delete Attack Discovery schedule
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: >-
                    The unique identifier (UUID) of the Attack Discovery schedule to
                    delete. This ID is returned when creating a schedule and can be
                    found in schedule listings.
                  required: true
            - name: getattackdiscoveryschedules
              method: GET
              description: Get Attack Discovery schedule by ID
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: >-
                    The unique identifier (UUID) of the Attack Discovery schedule to
                    retrieve. This ID is returned when creating a schedule and can be
                    found in schedule listings.
                  required: true
            - name: updateattackdiscoveryschedules
              method: PUT
              description: Update Attack Discovery schedule
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: >-
                    The unique identifier (UUID) of the Attack Discovery schedule to
                    update. This ID is returned when creating a schedule and can be
                    found in schedule listings.
                  required: true
                - name: body
                  in: body
                  type: object
                  description: Request body (JSON).
                  required: true

        - name: api-attack_discovery-schedules-id-_disable
          path: /api/attack_discovery/schedules/{id}/_disable
          operations:
            - name: disableattackdiscoveryschedules
              method: POST
              description: Disable Attack Discovery schedule
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: >-
                    The unique identifier (UUID) of the Attack Discovery schedule to
                    disable. This ID is returned when creating a schedule and can be
                    found in schedule listings.
                  required: true

        - name: api-attack_discovery-schedules-id-_enable
          path: /api/attack_discovery/schedules/{id}/_enable
          operations:
            - name: enableattackdiscoveryschedules
              method: POST
              description: Enable Attack Discovery schedule
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              inputParameters:
                - name: id
                  in: path
                  type: string
                  description: >-
                    The unique identifier (UUID) of the Attack Discovery schedule to
                    enable. This ID is returned when creating a schedule and can be
                    found in schedule listings.
                  required: true

      # Upstream authentication: the env-bound key is sent in the Authorization header.
      # NOTE(review): Kibana expects `Authorization: ApiKey <key>`; confirm whether the
      # adapter prepends the `ApiKey ` scheme or the env value must already carry it.
      # NOTE(review): Kibana rejects state-changing (non-GET) requests that lack the
      # `kbn-xsrf` header; nothing in this file sets it, so confirm the adapter adds it
      # or the POST/PUT/DELETE operations above will fail.
      authentication:
        type: apikey
        key: Authorization
        value: '{{env.KIBANA_API_KEY}}'
        placement: header

  # NOTE(review): no authentication is declared on either exposed adapter in this
  # file. Any client that can reach port 8080 or 9090 acts with the full privileges
  # of KIBANA_API_KEY, including generate, delete and schedule enable/disable.
  # Confirm adapter-level auth and network restriction are configured elsewhere.
  exposes:
    - type: rest
      namespace: kibana-security-attack-discovery-api-rest
      port: 8080
      description: >-
        REST adapter for Kibana APIs — Security Attack discovery API. One
        Spectral-compliant resource per consumed operation, prefixed with /v1.
      resources:
        - path: /v1/api/attack-discovery/bulk
          name: api-attack-discovery-bulk
          description: REST surface for api-attack_discovery-_bulk.
          operations:
            - method: POST
              name: postattackdiscoverybulk
              description: Bulk update Attack discoveries
              call: kibana-security-attack-discovery-api.postattackdiscoverybulk
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/find
          name: api-attack-discovery-find
          description: REST surface for api-attack_discovery-_find.
          operations:
            - method: GET
              name: attackdiscoveryfind
              description: Find Attack discoveries that match the search criteria
              call: kibana-security-attack-discovery-api.attackdiscoveryfind
              with:
                alert_ids: rest.alert_ids
                connector_names: rest.connector_names
                enable_field_rendering: rest.enable_field_rendering
                end: rest.end
                ids: rest.ids
                include_unique_alert_ids: rest.include_unique_alert_ids
                page: rest.page
                per_page: rest.per_page
                search: rest.search
                shared: rest.shared
                scheduled: rest.scheduled
                sort_field: rest.sort_field
                sort_order: rest.sort_order
                start: rest.start
                status: rest.status
                with_replacements: rest.with_replacements
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/generate
          name: api-attack-discovery-generate
          description: REST surface for api-attack_discovery-_generate.
          operations:
            - method: POST
              name: postattackdiscoverygenerate
              description: Generate attack discoveries from alerts
              call: kibana-security-attack-discovery-api.postattackdiscoverygenerate
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/generations
          name: api-attack-discovery-generations
          description: REST surface for api-attack_discovery-generations.
          operations:
            - method: GET
              name: getattackdiscoverygenerations
              description: >-
                Get the latest Attack Discovery generations metadata for the current
                user
              call: kibana-security-attack-discovery-api.getattackdiscoverygenerations
              with:
                end: rest.end
                size: rest.size
                start: rest.start
              outputParameters:
                - type: object
                  mapping: $.

        # NOTE(review): the path template names the parameter `{execution-uuid}`
        # (kebab-case) while the binding reads `rest.execution_uuid` (snake_case);
        # the same applies to the dismiss resource below. Confirm the adapter
        # normalises the two forms, otherwise the path parameter will not resolve.
        - path: /v1/api/attack-discovery/generations/{execution-uuid}
          name: api-attack-discovery-generations-execution-uuid
          description: REST surface for api-attack_discovery-generations-execution_uuid.
          operations:
            - method: GET
              name: getattackdiscoverygeneration
              description: >-
                Get a single Attack Discovery generation, including its discoveries and
                (optional) generation metadata
              call: kibana-security-attack-discovery-api.getattackdiscoverygeneration
              with:
                execution_uuid: rest.execution_uuid
                enable_field_rendering: rest.enable_field_rendering
                with_replacements: rest.with_replacements
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/generations/{execution-uuid}/dismiss
          name: api-attack-discovery-generations-execution-uuid-dismiss
          description: >-
            REST surface for api-attack_discovery-generations-execution_uuid-_dismiss.
          operations:
            - method: POST
              name: postattackdiscoverygenerationsdismiss
              description: Dismiss an Attack Discovery generation
              call: kibana-security-attack-discovery-api.postattackdiscoverygenerationsdismiss
              with:
                execution_uuid: rest.execution_uuid
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/schedules
          name: api-attack-discovery-schedules
          description: REST surface for api-attack_discovery-schedules.
          operations:
            - method: POST
              name: createattackdiscoveryschedules
              description: Create Attack Discovery schedule
              call: kibana-security-attack-discovery-api.createattackdiscoveryschedules
              with:
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/schedules/find
          name: api-attack-discovery-schedules-find
          description: REST surface for api-attack_discovery-schedules-_find.
          operations:
            - method: GET
              name: findattackdiscoveryschedules
              description: Find Attack Discovery schedules that match the search criteria
              call: kibana-security-attack-discovery-api.findattackdiscoveryschedules
              with:
                page: rest.page
                per_page: rest.per_page
                sort_field: rest.sort_field
                sort_direction: rest.sort_direction
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/schedules/{id}
          name: api-attack-discovery-schedules-id
          description: REST surface for api-attack_discovery-schedules-id.
          operations:
            - method: DELETE
              name: deleteattackdiscoveryschedules
              description: Delete Attack Discovery schedule
              call: kibana-security-attack-discovery-api.deleteattackdiscoveryschedules
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: GET
              name: getattackdiscoveryschedules
              description: Get Attack Discovery schedule by ID
              call: kibana-security-attack-discovery-api.getattackdiscoveryschedules
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: PUT
              name: updateattackdiscoveryschedules
              description: Update Attack Discovery schedule
              call: kibana-security-attack-discovery-api.updateattackdiscoveryschedules
              with:
                id: rest.id
                body: rest.body
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/schedules/{id}/disable
          name: api-attack-discovery-schedules-id-disable
          description: REST surface for api-attack_discovery-schedules-id-_disable.
          operations:
            - method: POST
              name: disableattackdiscoveryschedules
              description: Disable Attack Discovery schedule
              call: kibana-security-attack-discovery-api.disableattackdiscoveryschedules
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/api/attack-discovery/schedules/{id}/enable
          name: api-attack-discovery-schedules-id-enable
          description: REST surface for api-attack_discovery-schedules-id-_enable.
          operations:
            - method: POST
              name: enableattackdiscoveryschedules
              description: Enable Attack Discovery schedule
              call: kibana-security-attack-discovery-api.enableattackdiscoveryschedules
              with:
                id: rest.id
              outputParameters:
                - type: object
                  mapping: $.

    - type: mcp
      namespace: kibana-security-attack-discovery-api-mcp
      port: 9090
      transport: http
      description: >-
        MCP adapter for Kibana APIs — Security Attack discovery API. One tool per
        consumed operation, routed inline through this capability's consumes block.
      # `hints` are the MCP tool annotations (readOnly / destructive / idempotent)
      # an agent host uses to decide whether a call needs confirmation; keep them
      # honest for the write tools, since the host cannot verify them.
      tools:
        - name: bulk-update-attack-discoveries
          description: Bulk update Attack discoveries
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-attack-discovery-api.postattackdiscoverybulk
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.

        - name: find-attack-discoveries-that-match
          description: Find Attack discoveries that match the search criteria
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-attack-discovery-api.attackdiscoveryfind
          with:
            alert_ids: tools.alert_ids
            connector_names: tools.connector_names
            enable_field_rendering: tools.enable_field_rendering
            end: tools.end
            ids: tools.ids
            include_unique_alert_ids: tools.include_unique_alert_ids
            page: tools.page
            per_page: tools.per_page
            search: tools.search
            shared: tools.shared
            scheduled: tools.scheduled
            sort_field: tools.sort_field
            sort_order: tools.sort_order
            start: tools.start
            status: tools.status
            with_replacements: tools.with_replacements
          outputParameters:
            - type: object
              mapping: $.

        - name: generate-attack-discoveries-alerts
          description: Generate attack discoveries from alerts
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-attack-discovery-api.postattackdiscoverygenerate
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.

        - name: get-latest-attack-discovery-generations
          description: >-
            Get the latest Attack Discovery generations metadata for the current
            user
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-attack-discovery-api.getattackdiscoverygenerations
          with:
            end: tools.end
            size: tools.size
            start: tools.start
          outputParameters:
            - type: object
              mapping: $.

        - name: get-single-attack-discovery-generation
          description: >-
            Get a single Attack Discovery generation, including its discoveries and
            (optional) generation metadata
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-attack-discovery-api.getattackdiscoverygeneration
          with:
            execution_uuid: tools.execution_uuid
            enable_field_rendering: tools.enable_field_rendering
            with_replacements: tools.with_replacements
          outputParameters:
            - type: object
              mapping: $.

        # NOTE(review): dismissing, disabling and enabling presumably leave the same
        # state when repeated, which would make `idempotent: true` the accurate hint
        # (as already set for update/delete) — confirm against the upstream semantics.
        - name: dismiss-attack-discovery-generation
          description: Dismiss an Attack Discovery generation
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-attack-discovery-api.postattackdiscoverygenerationsdismiss
          with:
            execution_uuid: tools.execution_uuid
          outputParameters:
            - type: object
              mapping: $.

        - name: create-attack-discovery-schedule
          description: Create Attack Discovery schedule
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-attack-discovery-api.createattackdiscoveryschedules
          with:
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.

        - name: find-attack-discovery-schedules-that
          description: Find Attack Discovery schedules that match the search criteria
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-attack-discovery-api.findattackdiscoveryschedules
          with:
            page: tools.page
            per_page: tools.per_page
            sort_field: tools.sort_field
            sort_direction: tools.sort_direction
          outputParameters:
            - type: object
              mapping: $.

        - name: delete-attack-discovery-schedule
          description: Delete Attack Discovery schedule
          hints:
            readOnly: false
            destructive: true
            idempotent: true
          call: kibana-security-attack-discovery-api.deleteattackdiscoveryschedules
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.

        - name: get-attack-discovery-schedule-id
          description: Get Attack Discovery schedule by ID
          hints:
            readOnly: true
            destructive: false
            idempotent: true
          call: kibana-security-attack-discovery-api.getattackdiscoveryschedules
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.

        - name: update-attack-discovery-schedule
          description: Update Attack Discovery schedule
          hints:
            readOnly: false
            destructive: false
            idempotent: true
          call: kibana-security-attack-discovery-api.updateattackdiscoveryschedules
          with:
            id: tools.id
            body: tools.body
          outputParameters:
            - type: object
              mapping: $.

        - name: disable-attack-discovery-schedule
          description: Disable Attack Discovery schedule
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-attack-discovery-api.disableattackdiscoveryschedules
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.

        - name: enable-attack-discovery-schedule
          description: Enable Attack Discovery schedule
          hints:
            readOnly: false
            destructive: false
            idempotent: false
          call: kibana-security-attack-discovery-api.enableattackdiscoveryschedules
          with:
            id: tools.id
          outputParameters:
            - type: object
              mapping: $.