openapi: 3.0.3
info:
contact:
name: Kibana Team
description: |
The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects.
The API calls are stateless.
Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request.
API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- PATCH: Applies partial modifications to the existing information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**.
For example:
```
GET kbn:/api/data_views
```
For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console).
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
## Documentation source and versions
This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository.
It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
This documentation contains work-in-progress information for future Elastic Stack releases.
title: Kibana APIs
version: ''
x-doc-license:
name: Attribution-NonCommercial-NoDerivatives 4.0 International
url: https://creativecommons.org/licenses/by-nc-nd/4.0/
x-feedbackLink:
label: Feedback
url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
servers:
- url: https://{kibana_url}
variables:
kibana_url:
default: localhost:5601
security:
- apiKeyAuth: []
- basicAuth: []
tags:
- name: agent builder
description: |
Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data.
Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs.
**Elastic Agent Builder requires an Enterprise subscription.**
externalDocs:
description: Agent Builder docs
url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access
x-displayName: Agent Builder
- name: alerting
description: |
Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
externalDocs:
description: Alerting documentation
url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts
x-displayName: Alerting
- description: |
Adjust APM agent configuration without the need to redeploy your application.
name: APM agent configuration
- description: |
Configure APM agent keys to authorize requests from APM agents to the APM Server.
name: APM agent keys
- description: |
Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
name: APM annotations
- description: Create APM fleet server schema.
name: APM server schema
- description: |
Configure APM source maps. A source map allows minified files to be mapped back to the original source code, allowing you to maintain the speed advantage of minified code without losing the ability to quickly and easily debug your application.
For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable; errors must occur again for source mapping to occur.
name: APM sourcemaps
- description: |
Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.
name: cases
externalDocs:
description: Cases documentation
url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases
x-displayName: Cases
- name: connectors
description: |
Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
externalDocs:
description: Connector documentation
url: https://www.elastic.co/docs/reference/kibana/connectors-kibana
x-displayName: Connectors
- name: Data streams
description: |
Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data.
x-displayName: Data streams
- description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
name: data views
x-displayName: Data views
- name: Elastic Agent actions
description: |
Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management.
x-displayName: Elastic Agent actions
- name: Elastic Agent binary download sources
description: |
Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries.
x-displayName: Elastic Agent binary download sources
- name: Elastic Agent policies
description: |
Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information.
x-displayName: Elastic Agent policies
- name: Elastic Agent status
description: |
Enables you to retrieve status information about Elastic Agents, including health summaries and operational status.
x-displayName: Elastic Agent status
- name: Elastic Agents
description: |
Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup.
x-displayName: Elastic Agents
- name: Elastic Package Manager (EPM)
description: |
Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets.
x-displayName: Elastic Package Manager (EPM)
- name: Fleet agentless policies
- name: Fleet cloud connectors
description: |
Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations.
x-displayName: Fleet cloud connectors
- name: Fleet enrollment API keys
description: |
Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment.
x-displayName: Fleet enrollment API keys
- name: Fleet internals
description: |
Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup.
x-displayName: Fleet internals
- name: Fleet outputs
description: |
Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health.
x-displayName: Fleet outputs
- name: Fleet package policies
description: |
Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades.
x-displayName: Fleet package policies
- name: Fleet proxies
description: |
Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication.
x-displayName: Fleet proxies
- name: Fleet remote synced integrations
description: |
Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster:
* Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output.
* Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations.
externalDocs:
description: Automatic integrations synchronization documentation
url: https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization
- name: Fleet Server hosts
description: |
Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations.
x-displayName: Fleet Server hosts
- name: Fleet service tokens
description: |
Enables you to create tokens for Fleet service authentication and authorization.
x-displayName: Fleet service tokens
- name: Fleet uninstall tokens
description: |
Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation.
x-displayName: Fleet uninstall tokens
- description: |
Programmatically integrate with Logstash configuration management.
> warn
> Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs.
externalDocs:
description: Centralized pipeline management
url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management
name: logstash
x-displayName: Logstash configuration management
- name: maintenance-window
description: |
You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages.
externalDocs:
description: Maintenance window documentation
url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows
x-displayName: Maintenance windows
- name: Message Signing Service
description: |
Enables you to rotate message signing key pairs for secure Fleet communication.
x-displayName: Fleet Message Signing Service
- description: |
Enables you to synchronize machine learning saved objects.
name: ml
x-displayName: Machine learning
- description: Interact with the Observability AI Assistant resources.
externalDocs:
description: Observability AI Assistant
url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant
name: observability_ai_assistant
x-displayName: Observability AI Assistant
- name: roles
x-displayName: Roles
description: Manage the roles that grant Elasticsearch and Kibana privileges.
externalDocs:
description: Kibana role management
url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles
- name: saved objects
x-displayName: Saved objects
description: |
Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.
To manage a specific type of saved object, use the corresponding APIs.
For example, use:
* [Data views](../group/endpoint-data-views)
* [Spaces](../group/endpoint-spaces)
* [Short URLs](../group/endpoint-short-url)
Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions.
- description: Manage and interact with Security Assistant resources.
name: Security AI Assistant API
x-displayName: Security AI assistant
- description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible.
name: Security Attack discovery API
x-displayName: Security Attack discovery
- description: |
Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.
This API supports both key-based authentication and basic authentication.
To use key-based authentication, create an API key, then specify the key in the header of your API calls.
To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.
In both cases, the API key is subsequently used for authorization when the rule runs.
> warn
> If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.
> If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.
To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements.
name: Security Detections API
x-displayName: Security detections
- description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
name: Security Endpoint Exceptions API
x-displayName: Security Elastic Endpoint exceptions
- description: Interact with and manage endpoints running the Elastic Defend integration.
name: Security Endpoint Management API
x-displayName: Security endpoint management
- description: |
Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines.
name: Security Entity Analytics API
x-displayName: Security entity analytics
- name: Security entity store
- description: |
Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.
Exceptions are made up of:
* **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
* **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.
For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
> info
> You cannot use lists with endpoint rule exceptions.
> info
> Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.
## Exceptions requirements
Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui).
name: Security Exceptions API
x-displayName: Security exceptions
- description: |
Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.
Lists are made up of:
* **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used:
* `boolean`
* `byte`
* `date`
* `date_nanos`
* `date_range`
* `double`
* `double_range`
* `float`
* `float_range`
* `half_float`
* `integer`
* `integer_range`
* `ip`
* `ip_range`
* `keyword`
* `long`
* `long_range`
* `short`
* `text`
* **List items**: The values used to determine whether the exception prevents an alert from being generated.
All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:
1. `192.168.1.1`
2. `192.168.1.3`
3. `192.168.1.18`
4. `192.168.1.12`
5. `192.168.1.7`
To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list.
> info
> Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object.
## Lists requirements
Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements.
name: Security Lists API
x-displayName: Security lists
- description: Run live queries, manage packs and saved queries.
name: Security Osquery API
x-displayName: Security Osquery
- description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.
name: Security Timeline API
x-displayName: Security timeline
- description: Manage Kibana short URLs.
name: short url
x-displayName: Short URLs
- description: SLO APIs enable you to define, manage, and track service-level objectives.
name: slo
x-displayName: Service level objectives
- name: spaces
x-displayName: Spaces
description: Manage your Kibana spaces.
externalDocs:
url: https://www.elastic.co/docs/deploy-manage/manage-spaces
description: Space overview
- name: streams
description: |
Streams provide a unified data management layer for ingestion, routing, and processing. There are three stream types:
* **Wired** streams are managed by Kibana. They route documents to child streams based on field conditions and support custom field mappings and processing steps.
* **Classic** streams map to existing Elasticsearch data streams. You can add processing steps to classic streams without changing their underlying index template.
* **Query** streams are virtual aggregations backed by an ES|QL expression. They aggregate data from multiple streams into a single logical view without duplicating documents.
x-displayName: Streams
externalDocs:
description: Streams documentation
url: https://www.elastic.co/docs/solutions/observability/streams
- name: synthetics
x-displayName: Synthetics
description: Synthetics APIs enable you to check the status of your services and applications.
externalDocs:
description: Synthetic monitoring
url: https://www.elastic.co/docs/solutions/observability/synthetics
- name: system
x-displayName: System
description: |
Get information about the system status, resource usage, features, and installed plugins.
- description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission-critical work as persistent background tasks.
externalDocs:
description: Task manager
url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management
name: task manager
x-displayName: Task manager
- description: |
The Kibana Upgrade Assistant API helps you prepare for the next major Elasticsearch release.
> warn
> This is a Kibana REST API (not an Elasticsearch API) and requests must target your Kibana URL:
> * Self-managed URL pattern: `https://localhost:5601`
> * Elastic Cloud URL pattern: `https://your-deployment.kb.us-east-1.aws.elastic.cloud:9243`
name: upgrade
x-displayName: Upgrade assistant
- description: Uptime APIs enable you to view and update uptime monitoring settings.
externalDocs:
description: Uptime monitoring
url: https://www.elastic.co/docs/solutions/observability/uptime
name: uptime
x-displayName: Uptime
- name: user session
x-displayName: User session management
description: |
Enables you to invalidate user sessions for security and session management purposes.
- name: workflows
description: |
Workflows enable you to automate multi-step processes directly in Kibana. Define sequences of steps in YAML to transform data insights into automated actions and outcomes, without needing external automation tools.
Use the workflows APIs to create, manage, and run workflows programmatically. You can also search, export, import, and monitor workflow executions.
externalDocs:
description: Workflows documentation
url: https://www.elastic.co/docs/explore-analyze/workflows
x-displayName: Workflows
paths:
/api/actions/connector_types:
get:
description: |-
**Spaces method and path for this operation:**
```
get /s/{space_id}/api/actions/connector_types
```
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You do not need any Kibana feature privileges to run this API.
operationId: get-actions-connector-types
parameters:
- description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
in: query
name: feature_id
required: false
schema:
type: string
responses:
'200':
content:
application/json:
schema:
items:
additionalProperties: false
type: object
properties:
allow_multiple_system_actions:
description: Indicates whether multiple instances of the same system action connector can be used in a single rule.
type: boolean
enabled:
description: Indicates whether the connector is enabled.
type: boolean
enabled_in_config:
description: Indicates whether the connector is enabled in the Kibana configuration.
type: boolean
enabled_in_license:
description: Indicates whether the connector is enabled through the license.
type: boolean
id:
description: The identifier for the connector.
type: string
is_deprecated:
description: Indicates whether the connector type is deprecated.
type: boolean
is_system_action_type:
description: Indicates whether the action is a system action.
type: boolean
minimum_license_required:
description: The minimum license required to enable the connector.
enum:
- basic
- standard
- gold
- platinum
- enterprise
- trial
type: string
name:
description: The name of the connector type.
type: string
source:
description: The source of the connector type definition.
enum:
- yml
- spec
- stack
type: string
sub_feature:
description: Indicates the sub-feature type the connector is grouped under.
enum:
- endpointSecurity
type: string
supported_feature_ids:
description: The list of supported features.
items:
type: string
type: array
required:
- id
- name
- enabled
- enabled_in_config
- enabled_in_license
- minimum_license_required
- supported_feature_ids
- is_system_action_type
- is_deprecated
- source
type: array
examples:
getConnectorTypesServerlessResponse:
$ref: '#/components/examples/get_connector_types_generativeai_response'
description: Indicates a successful call.
'403':
description: Indicates that this call is forbidden.
summary: Get connector types
tags:
- connectors
x-metaTags:
- content: Kibana
name: product_name
/api/actions/connector/_oauth_callback:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Handles the OAuth 2.0 authorization code callback from external providers. Exchanges the authorization code for access and refresh tokens.
[Required authorization] Route required privileges: actions:oauth.
operationId: get-actions-connector-oauth-callback
parameters:
- description: The authorization code returned by the OAuth provider.
in: query
name: code
required: false
schema:
type: string
- description: The state parameter for CSRF protection.
in: query
name: state
required: false
schema:
type: string
- description: Error code if the authorization failed.
in: query
name: error
required: false
schema:
type: string
- description: Human-readable error description.
in: query
name: error_description
required: false
schema:
type: string
- description: Session state from the OAuth provider (e.g., Microsoft).
in: query
name: session_state
required: false
schema:
type: string
responses:
'200':
description: Returns an HTML callback page.
'302':
description: Redirects to the return URL with authorization result query parameters.
'401':
description: User is not authenticated.
summary: Handle OAuth callback
tags:
- connectors
x-state: Added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/actions/connector/_oauth_callback_script:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns the OAuth callback script.
operationId: get-actions-connector-oauth-callback-script
parameters: []
responses:
'200':
description: Returns the OAuth callback script.
summary: ''
tags: []
x-state: Added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/actions/connector/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
```
delete /s/{space_id}/api/actions/connector/{id}
```
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: When you delete a connector, it cannot be recovered.
operationId: delete-actions-connector-id
parameters:
- description: A required header to protect against CSRF attacks.
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: An identifier for the connector.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'403':
description: Indicates that this call is forbidden.
summary: Delete a connector
tags:
- connectors
x-metaTags:
- content: Kibana
name: product_name
get:
operationId: get-actions-connector-id
parameters:
- description: An identifier for the connector.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
auth_mode:
description: The authentication mode used for the connector.
enum:
- shared
- per-user
type: string
config:
additionalProperties:
nullable: true
type: object
connector_type_id:
description: The connector type identifier.
type: string
id:
description: The identifier for the connector.
type: string
is_connector_type_deprecated:
description: Indicates whether the connector type is deprecated.
type: boolean
is_deprecated:
description: Indicates whether the connector is deprecated.
type: boolean
is_missing_secrets:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
type: boolean
is_system_action:
description: Indicates whether the connector is used for system actions.
type: boolean
name:
description: The name of the connector.
type: string
required:
- id
- name
- connector_type_id
- is_preconfigured
- is_deprecated
- is_system_action
- is_connector_type_deprecated
examples:
getConnectorResponse:
$ref: '#/components/examples/get_connector_response'
description: Indicates a successful call.
'403':
description: Indicates that this call is forbidden.
summary: Get connector information
tags:
- connectors
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
```
get /s/{space_id}/api/actions/connector/{id}
```
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
post:
operationId: post-actions-connector-id
parameters:
- description: A required header to protect against CSRF attacks.
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: An identifier for the connector.
in: path
name: id
required: true
schema:
maxLength: 36
minLength: 1
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
connector_type_id:
description: The type of connector.
type: string
name:
description: The display name for the connector.
type: string
config:
additionalProperties: {}
default: {}
description: The connector configuration details.
oneOf:
- $ref: '#/components/schemas/bedrock_config'
- $ref: '#/components/schemas/crowdstrike_config'
- $ref: '#/components/schemas/d3security_config'
- $ref: '#/components/schemas/email_config'
- $ref: '#/components/schemas/gemini_config'
- $ref: '#/components/schemas/resilient_config'
- $ref: '#/components/schemas/index_config'
- $ref: '#/components/schemas/jira_config'
- $ref: '#/components/schemas/genai_azure_config'
- $ref: '#/components/schemas/genai_openai_config'
- $ref: '#/components/schemas/genai_openai_other_config'
- $ref: '#/components/schemas/opsgenie_config'
- $ref: '#/components/schemas/pagerduty_config'
- $ref: '#/components/schemas/sentinelone_config'
- $ref: '#/components/schemas/servicenow_config'
- $ref: '#/components/schemas/servicenow_itom_config'
- $ref: '#/components/schemas/slack_api_config'
- $ref: '#/components/schemas/swimlane_config'
- $ref: '#/components/schemas/thehive_config'
- $ref: '#/components/schemas/tines_config'
- $ref: '#/components/schemas/torq_config'
- $ref: '#/components/schemas/webhook_config'
- $ref: '#/components/schemas/cases_webhook_config'
- $ref: '#/components/schemas/xmatters_config'
secrets:
additionalProperties: {}
default: {}
oneOf:
- $ref: '#/components/schemas/bedrock_secrets'
- $ref: '#/components/schemas/crowdstrike_secrets'
- $ref: '#/components/schemas/d3security_secrets'
- $ref: '#/components/schemas/email_secrets'
- $ref: '#/components/schemas/gemini_secrets'
- $ref: '#/components/schemas/resilient_secrets'
- $ref: '#/components/schemas/jira_secrets'
- $ref: '#/components/schemas/defender_secrets'
- $ref: '#/components/schemas/teams_secrets'
- $ref: '#/components/schemas/genai_secrets'
- $ref: '#/components/schemas/opsgenie_secrets'
- $ref: '#/components/schemas/pagerduty_secrets'
- $ref: '#/components/schemas/sentinelone_secrets'
- $ref: '#/components/schemas/servicenow_secrets'
- $ref: '#/components/schemas/slack_api_secrets'
- $ref: '#/components/schemas/swimlane_secrets'
- $ref: '#/components/schemas/thehive_secrets'
- $ref: '#/components/schemas/tines_secrets'
- $ref: '#/components/schemas/torq_secrets'
- $ref: '#/components/schemas/webhook_secrets'
- $ref: '#/components/schemas/cases_webhook_secrets'
- $ref: '#/components/schemas/xmatters_secrets'
required:
- name
- connector_type_id
examples:
createEmailConnectorRequest:
$ref: '#/components/examples/create_email_connector_request'
createIndexConnectorRequest:
$ref: '#/components/examples/create_index_connector_request'
createWebhookConnectorRequest:
$ref: '#/components/examples/create_webhook_connector_request'
createXmattersConnectorRequest:
$ref: '#/components/examples/create_xmatters_connector_request'
responses:
'200':
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
auth_mode:
description: The authentication mode used for the connector.
enum:
- shared
- per-user
type: string
config:
additionalProperties:
nullable: true
type: object
connector_type_id:
description: The connector type identifier.
type: string
id:
description: The identifier for the connector.
type: string
is_connector_type_deprecated:
description: Indicates whether the connector type is deprecated.
type: boolean
is_deprecated:
description: Indicates whether the connector is deprecated.
type: boolean
is_missing_secrets:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
type: boolean
is_system_action:
description: Indicates whether the connector is used for system actions.
type: boolean
name:
description: The name of the connector.
type: string
required:
- id
- name
- connector_type_id
- is_preconfigured
- is_deprecated
- is_system_action
- is_connector_type_deprecated
examples:
createEmailConnectorResponse:
$ref: '#/components/examples/create_email_connector_response'
createIndexConnectorResponse:
$ref: '#/components/examples/create_index_connector_response'
createWebhookConnectorResponse:
$ref: '#/components/examples/create_webhook_connector_response'
createXmattersConnectorResponse:
$ref: '#/components/examples/get_connector_response'
description: Indicates a successful call.
'403':
description: Indicates that this call is forbidden.
summary: Create a connector
tags:
- connectors
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/actions/connector/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
put:
operationId: put-actions-connector-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: An identifier for the connector.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
name:
description: The display name for the connector.
type: string
config:
additionalProperties: {}
default: {}
description: The connector configuration details.
oneOf:
- $ref: '#/components/schemas/bedrock_config'
- $ref: '#/components/schemas/crowdstrike_config'
- $ref: '#/components/schemas/d3security_config'
- $ref: '#/components/schemas/email_config'
- $ref: '#/components/schemas/gemini_config'
- $ref: '#/components/schemas/resilient_config'
- $ref: '#/components/schemas/index_config'
- $ref: '#/components/schemas/jira_config'
- $ref: '#/components/schemas/defender_config'
- $ref: '#/components/schemas/genai_azure_config'
- $ref: '#/components/schemas/genai_openai_config'
- $ref: '#/components/schemas/opsgenie_config'
- $ref: '#/components/schemas/pagerduty_config'
- $ref: '#/components/schemas/sentinelone_config'
- $ref: '#/components/schemas/servicenow_config'
- $ref: '#/components/schemas/servicenow_itom_config'
- $ref: '#/components/schemas/slack_api_config'
- $ref: '#/components/schemas/swimlane_config'
- $ref: '#/components/schemas/thehive_config'
- $ref: '#/components/schemas/tines_config'
- $ref: '#/components/schemas/torq_config'
- $ref: '#/components/schemas/webhook_config'
- $ref: '#/components/schemas/cases_webhook_config'
- $ref: '#/components/schemas/xmatters_config'
secrets:
additionalProperties: {}
default: {}
oneOf:
- $ref: '#/components/schemas/bedrock_secrets'
- $ref: '#/components/schemas/crowdstrike_secrets'
- $ref: '#/components/schemas/d3security_secrets'
- $ref: '#/components/schemas/email_secrets'
- $ref: '#/components/schemas/gemini_secrets'
- $ref: '#/components/schemas/resilient_secrets'
- $ref: '#/components/schemas/jira_secrets'
- $ref: '#/components/schemas/teams_secrets'
- $ref: '#/components/schemas/genai_secrets'
- $ref: '#/components/schemas/opsgenie_secrets'
- $ref: '#/components/schemas/pagerduty_secrets'
- $ref: '#/components/schemas/sentinelone_secrets'
- $ref: '#/components/schemas/servicenow_secrets'
- $ref: '#/components/schemas/slack_api_secrets'
- $ref: '#/components/schemas/swimlane_secrets'
- $ref: '#/components/schemas/thehive_secrets'
- $ref: '#/components/schemas/tines_secrets'
- $ref: '#/components/schemas/torq_secrets'
- $ref: '#/components/schemas/webhook_secrets'
- $ref: '#/components/schemas/cases_webhook_secrets'
- $ref: '#/components/schemas/xmatters_secrets'
required:
- name
examples:
updateIndexConnectorRequest:
$ref: '#/components/examples/update_index_connector_request'
responses:
'200':
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
auth_mode:
description: The authentication mode used for the connector.
enum:
- shared
- per-user
type: string
config:
additionalProperties:
nullable: true
type: object
connector_type_id:
description: The connector type identifier.
type: string
id:
description: The identifier for the connector.
type: string
is_connector_type_deprecated:
description: Indicates whether the connector type is deprecated.
type: boolean
is_deprecated:
description: Indicates whether the connector is deprecated.
type: boolean
is_missing_secrets:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
type: boolean
is_system_action:
description: Indicates whether the connector is used for system actions.
type: boolean
name:
description: The name of the connector.
type: string
required:
- id
- name
- connector_type_id
- is_preconfigured
- is_deprecated
- is_system_action
- is_connector_type_deprecated
description: Indicates a successful call.
'403':
description: Indicates that this call is forbidden.
summary: Update a connector
tags:
- connectors
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/actions/connector/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/actions/connector/{id}/_execute:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
operationId: post-actions-connector-id-execute
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: An identifier for the connector.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
params:
additionalProperties: {}
oneOf:
- $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty'
- $ref: '#/components/schemas/run_documents'
- $ref: '#/components/schemas/run_message_email'
- $ref: '#/components/schemas/run_message_serverlog'
- $ref: '#/components/schemas/run_message_slack'
- $ref: '#/components/schemas/run_trigger_pagerduty'
- $ref: '#/components/schemas/run_addevent'
- $ref: '#/components/schemas/run_closealert'
- $ref: '#/components/schemas/run_closeincident'
- $ref: '#/components/schemas/run_createalert'
- $ref: '#/components/schemas/run_fieldsbyissuetype'
- $ref: '#/components/schemas/run_getagentdetails'
- $ref: '#/components/schemas/run_getagents'
- $ref: '#/components/schemas/run_getchoices'
- $ref: '#/components/schemas/run_getfields'
- $ref: '#/components/schemas/run_getincident'
- $ref: '#/components/schemas/run_issue'
- $ref: '#/components/schemas/run_issues'
- $ref: '#/components/schemas/run_issuetypes'
- $ref: '#/components/schemas/run_postmessage'
- $ref: '#/components/schemas/run_pushtoservice'
- $ref: '#/components/schemas/run_validchannelid'
required:
- params
examples:
runIndexConnectorRequest:
$ref: '#/components/examples/run_index_connector_request'
runJiraConnectorRequest:
$ref: '#/components/examples/run_jira_connector_request'
runServerLogConnectorRequest:
$ref: '#/components/examples/run_servicenow_itom_connector_request'
runSlackConnectorRequest:
$ref: '#/components/examples/run_slack_api_connector_request'
runSwimlaneConnectorRequest:
$ref: '#/components/examples/run_swimlane_connector_request'
responses:
'200':
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
auth_mode:
description: The authentication mode used for the connector.
enum:
- shared
- per-user
type: string
config:
additionalProperties:
nullable: true
type: object
connector_type_id:
description: The connector type identifier.
type: string
id:
description: The identifier for the connector.
type: string
is_connector_type_deprecated:
description: Indicates whether the connector type is deprecated.
type: boolean
is_deprecated:
description: Indicates whether the connector is deprecated.
type: boolean
is_missing_secrets:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
type: boolean
is_system_action:
description: Indicates whether the connector is used for system actions.
type: boolean
name:
description: The name of the connector.
type: string
required:
- id
- name
- connector_type_id
- is_preconfigured
- is_deprecated
- is_system_action
- is_connector_type_deprecated
examples:
runIndexConnectorResponse:
$ref: '#/components/examples/run_index_connector_response'
runJiraConnectorResponse:
$ref: '#/components/examples/run_jira_connector_response'
runServerLogConnectorResponse:
$ref: '#/components/examples/run_server_log_connector_response'
runServiceNowITOMConnectorResponse:
$ref: '#/components/examples/run_servicenow_itom_connector_response'
runSlackConnectorResponse:
$ref: '#/components/examples/run_slack_api_connector_response'
runSwimlaneConnectorResponse:
$ref: '#/components/examples/run_swimlane_connector_response'
description: Indicates a successful call.
'403':
description: Indicates that this call is forbidden.
summary: Run a connector
tags:
- connectors
x-metaTags:
- content: Kibana
name: product_name
/api/actions/connectors:
get:
operationId: get-actions-connectors
parameters: []
responses:
'200':
content:
application/json:
schema:
items:
additionalProperties: false
type: object
properties:
auth_mode:
description: The authentication mode used for the connector.
enum:
- shared
- per-user
type: string
config:
additionalProperties:
nullable: true
type: object
connector_type_id:
description: The connector type identifier.
type: string
id:
description: The identifier for the connector.
type: string
is_connector_type_deprecated:
description: Indicates whether the connector type is deprecated.
type: boolean
is_deprecated:
description: Indicates whether the connector is deprecated.
type: boolean
is_missing_secrets:
description: Indicates whether the connector is missing secrets.
type: boolean
is_preconfigured:
description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response.'
type: boolean
is_system_action:
description: Indicates whether the connector is used for system actions.
type: boolean
name:
description: The name of the connector.
type: string
referenced_by_count:
description: The number of saved objects that reference the connector. If `is_preconfigured` is true, this value is not calculated.
type: number
required:
- id
- name
- connector_type_id
- is_preconfigured
- is_deprecated
- is_system_action
- is_connector_type_deprecated
- referenced_by_count
type: array
examples:
getConnectorsResponse:
$ref: '#/components/examples/get_connectors_response'
description: Indicates a successful call.
'403':
description: Indicates that this call is forbidden.
summary: Get all connectors
tags:
- connectors
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/actions/connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/agent_builder/a2a/{agentId}:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/a2a/{agentId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
> warn
> This endpoint is designed for A2A protocol clients and should not be used directly via REST APIs. Use an A2A SDK or A2A Inspector instead.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: post-agent-builder-a2a-agentid
parameters:
- description: The unique identifier of the agent to send the A2A task to.
in: path
name: agentId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
a2aTaskRequestExample:
description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with A2A using an A2A SDK or A2A Inspector instead.'
value:
id: task-123
jsonrpc: '2.0'
method: complete
params:
messages:
- content: Hello from A2A protocol
role: user
schema: {}
responses:
'200':
content:
application/json:
examples:
a2aTaskResponseExample:
description: Example response from A2A Task Endpoint with results of task execution
value:
id: task-123
jsonrpc: '2.0'
result:
conversation_id: conv-456
response:
message: Hello! How can I help you today?
type: response
description: Indicates a successful response
summary: Send A2A task
tags:
- agent builder
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/a2a/{agentId}.json:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get agent discovery metadata in JSON format. Use this endpoint to provide agent information for A2A protocol integration and discovery.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-a2a-agentid.json
parameters:
- description: The unique identifier of the agent to get A2A metadata for.
in: path
name: agentId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
a2aAgentCardResponseExample:
description: Example response card of Elastic AI Agent
value:
capabilities:
pushNotifications: false
stateTransitionHistory: false
streaming: false
defaultInputModes:
- text/plain
defaultOutputModes:
- text/plain
description: Elastic AI Agent
name: Elastic AI Agent
protocolVersion: 0.3.0
provider:
organization: Elastic
url: https://elastic.co
securitySchemes:
authorization:
description: Authentication token
in: header
name: Authorization
type: apiKey
skills:
- description: A powerful tool for searching and analyzing data within your Elasticsearch cluster.
examples: []
id: platform.core.search
inputModes:
- text/plain
- application/json
name: platform.core.search
outputModes:
- text/plain
- application/json
tags:
- tool
supportsAuthenticatedExtendedCard: false
url: http://localhost:5601/api/agent_builder/a2a/elastic-ai-agent
version: 0.1.0
description: Indicates a successful response
summary: Get A2A agent card
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/agent_builder/a2a/{agentId}.json" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/agent_builder/a2a/{agentId}.json
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/agents:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all available agents. Use this endpoint to retrieve complete agent information including their current configuration and assigned tools. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-agents
parameters: []
responses:
'200':
content:
application/json:
examples:
listAgentsResponseExample:
description: Example response that returns one built-in Elastic agent and one created by the user
value:
results:
- configuration:
tools:
- tool_ids:
- platform.core.search
- platform.core.list_indices
- platform.core.get_index_mapping
- platform.core.get_document_by_id
description: Elastic AI Agent
id: elastic-ai-agent
name: Elastic AI Agent
type: chat
- avatar_color: '#BFDBFF'
avatar_symbol: SI
configuration:
instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
tools:
- tool_ids:
- platform.core.search
- platform.core.list_indices
- platform.core.get_index_mapping
- platform.core.get_document_by_id
description: Hi! I can help you search the data within the indices starting with "content-" prefix.
id: created-agent-id
labels:
- custom-indices
- department-search
name: Search Index Helper
type: chat
description: Indicates a successful response
summary: List agents
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/agent_builder/agents" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/agent_builder/agents
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/agents
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new agent. Use this endpoint to define the agent's behavior, appearance, and capabilities through comprehensive configuration options. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).
[Required authorization] Route required privileges: agentBuilder:manageAgents.
operationId: post-agent-builder-agents
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
createAgentRequestExample:
description: Example request for creating a custom agent with special prompt and tools
value:
avatar_color: '#BFDBFF'
avatar_symbol: SI
configuration:
instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
tools:
- tool_ids:
- platform.core.search
- platform.core.list_indices
- platform.core.get_index_mapping
- platform.core.get_document_by_id
description: Hi! I can help you search the data within the indices starting with "content-" prefix.
id: created-agent-id
labels:
- custom-indices
- department-search
name: Search Index Helper
schema:
additionalProperties: false
type: object
properties:
avatar_color:
description: Optional hex color code for the agent avatar.
type: string
avatar_symbol:
description: Optional symbol/initials for the agent avatar.
type: string
configuration:
additionalProperties: false
description: Configuration settings for the agent.
type: object
properties:
enable_elastic_capabilities:
description: When true, enables built-in Elastic capabilities for the agent.
type: boolean
instructions:
description: Optional system instructions that define the agent behavior.
type: string
plugin_ids:
description: Array of plugin IDs to assign to the agent.
items:
description: Plugin ID to assign to the agent.
type: string
maxItems: 100
type: array
skill_ids:
description: Array of skill IDs to be available to the agent.
items:
description: Skill ID to be available to the agent.
type: string
maxItems: 100
type: array
tools:
items:
additionalProperties: false
description: Tool selection configuration for the agent.
type: object
properties:
tool_ids:
description: Array of tool IDs that the agent can use.
items:
description: Tool ID to be available to the agent.
type: string
type: array
required:
- tool_ids
type: array
workflow_ids:
items:
description: Optional list of workflow IDs. When set, these workflows run before every agent execution, in order.
type: string
maxItems: 100
type: array
required:
- tools
description:
description: Description of what the agent does.
type: string
id:
description: Unique identifier for the agent.
type: string
labels:
description: Optional labels for categorizing and organizing agents.
items:
description: Label for categorizing the agent.
type: string
type: array
name:
description: Display name for the agent.
type: string
visibility:
description: '**Technical Preview; added in 9.4.0.** Optional visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).'
enum:
- public
- shared
- private
type: string
required:
- id
- name
- description
- configuration
responses:
'200':
content:
application/json:
examples:
createAgentResponseExample:
description: Example response returning the definition of an agent created as a result of the request
value:
avatar_color: '#BFDBFF'
avatar_symbol: SI
configuration:
instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
tools:
- tool_ids:
- platform.core.search
- platform.core.list_indices
- platform.core.get_index_mapping
- platform.core.get_document_by_id
description: Hi! I can help you search the data within the indices starting with "content-" prefix.
id: created-agent-id
labels:
- custom-indices
- department-search
name: Search Index Helper
type: chat
description: Indicates a successful response
summary: Create an agent
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/agent_builder/agents" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"id": "new-agent-id",
"name": "Search Index Helper",
"description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.",
"labels": ["custom-indices", "department-search"],
"avatar_color": "#BFDBFF",
"avatar_symbol": "SI",
"configuration": {
"instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".",
"tools": [
{
"tool_ids": [
"platform.core.search",
"platform.core.list_indices",
"platform.core.get_index_mapping",
"platform.core.get_document_by_id"
]
}
]
}
}'
- lang: Console
source: |
POST kbn://api/agent_builder/agents
{
"id": "new-agent-id",
"name": "Search Index Helper",
"description": "Hi! I can help you search the data within the indices starting with \"content-\" prefix.",
"labels": ["custom-indices", "department-search"],
"avatar_color": "#BFDBFF",
"avatar_symbol": "SI",
"configuration": {
"instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".",
"tools": [
{
"tool_ids": [
"platform.core.search",
"platform.core.list_indices",
"platform.core.get_index_mapping",
"platform.core.get_document_by_id"
]
}
]
}
}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/agents/{agent_id}/consumption:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns paginated, per-conversation token consumption data for a given agent. Includes input/output token counts, round counts, LLM call counts, and warnings for conversations with high token usage. Requires the manageAgents privilege.
[Required authorization] Route required privileges: agentBuilder:manageAgents.
operationId: post-agent-builder-agents-agent-id-consumption
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the agent.
in: path
name: agent_id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
consumptionDefaultExample:
description: Get consumption data for an agent with default pagination
value:
size: 25
sort_field: updated_at
sort_order: desc
consumptionFilteredExample:
description: Get consumption data filtered by username with warnings
value:
has_warnings: true
size: 10
sort_field: total_tokens
sort_order: desc
usernames:
- elastic
- admin
schema:
additionalProperties: false
type: object
properties:
has_warnings:
description: Filter to conversations with or without high-token warnings.
type: boolean
search:
description: Free-text search filter on conversation title.
type: string
search_after:
description: Cursor for pagination. Pass the search_after value from the previous response.
items:
nullable: true
maxItems: 10000
type: array
size:
default: 25
description: Number of results per page.
maximum: 100
minimum: 1
type: number
sort_field:
default: updated_at
description: Field to sort results by.
enum:
- updated_at
- total_tokens
- round_count
type: string
sort_order:
default: desc
description: Sort direction.
enum:
- asc
- desc
type: string
usernames:
description: Filter results to conversations by these usernames.
items:
type: string
maxItems: 10000
type: array
responses:
'200':
content:
application/json:
examples:
consumptionResponseExample:
description: Example response with per-conversation token usage data
value:
aggregations:
total_with_warnings: 0
usernames:
- elastic
- admin
results:
- conversation_id: conv-abc123
created_at: '2025-03-01T10:00:00Z'
llm_calls: 8
round_count: 5
title: Help me search my data
token_usage:
input_tokens: 15000
output_tokens: 3000
total_tokens: 18000
updated_at: '2025-03-01T10:15:00Z'
user:
id: uid-1
username: elastic
warnings: []
- conversation_id: conv-def456
created_at: '2025-03-02T14:00:00Z'
llm_calls: 20
round_count: 12
title: Analyze server logs
token_usage:
input_tokens: 250000
output_tokens: 8000
total_tokens: 258000
updated_at: '2025-03-02T14:30:00Z'
user:
id: uid-2
username: admin
warnings:
- input_tokens: 250000
round_id: round-7
type: high_input_tokens
search_after:
- 1709391000000
- '2025-03-02T14:30:00Z'
total: 2
description: Indicates a successful response
summary: Get agent consumption data
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/agent_builder/agents/elastic-ai-agent/consumption" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-H "elastic-api-version: 2023-10-31" \
-d '{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}'
- lang: Console
source: |
POST kbn://api/agent_builder/agents/elastic-ai-agent/consumption
{"size": 25, "sort_field": "updated_at", "sort_order": "desc"}
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/agents/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/agent_builder/agents/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete an agent by ID. This action cannot be undone. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).
[Required authorization] Route required privileges: agentBuilder:manageAgents.
operationId: delete-agent-builder-agents-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the agent to delete.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
deleteAgentResponseExample:
description: Example response showing that deletion of the agent has been successful
value:
success: true
description: Indicates a successful response
summary: Delete an agent
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/agent_builder/agents/{id}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
DELETE kbn://api/agent_builder/agents/{id}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/agents/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a specific agent by ID. Use this endpoint to retrieve the complete agent definition including all configuration details and tool assignments. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-agents-id
parameters:
- description: The unique identifier of the agent to retrieve.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getAgentByIdResponseExample:
description: Example response for an agent created by the user that queries Elasticsearch indices starting with the 'content-' prefix to answer questions.
value:
avatar_color: '#BFDBFF'
avatar_symbol: SI
configuration:
instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
tools:
- tool_ids:
- platform.core.search
- platform.core.list_indices
- platform.core.get_index_mapping
- platform.core.get_document_by_id
description: Hi! I can help you search the data within the indices starting with "content-" prefix.
id: created-agent-id
labels:
- custom-indices
- department-search
name: Search Index Helper
type: chat
description: Indicates a successful response
summary: Get an agent by ID
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/agent_builder/agents/{id}" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/agent_builder/agents/{id}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/agent_builder/agents/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an existing agent configuration. Use this endpoint to modify any aspect of the agent's behavior, appearance, or capabilities. To learn more, refer to the [agents documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/agent-builder-agents).
[Required authorization] Route required privileges: agentBuilder:manageAgents.
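Worked example (added here; not code from this page or from Kibana): a Python helper that turns the definition returned by `GET /api/agent_builder/agents/{id}` into a body for this PUT. It drops the read-only `id` and `type` fields, which the request schema rejects through `additionalProperties: false`, enforces the `maxItems` limits and the `visibility` enum, and refuses any tool ID that is not on a locally maintained allowlist, because `agentBuilder:manageAgents` is the privilege that decides which tools an agent may call and an automated updater should not be able to widen that set unreviewed. The allowlist, the 6-digit hex check for `avatar_color`, and the sample agent (copied from this page's GET example) are the example's own assumptions.

```python
"""Build a body for PUT /api/agent_builder/agents/{id} from a GET response,
dropping read-only fields and enforcing a tool allowlist before the update."""
import copy
import re

# Properties the PUT request schema accepts; anything else is rejected by
# the endpoint because the schema sets additionalProperties: false.
ALLOWED_TOP = {"name", "description", "labels", "avatar_color",
               "avatar_symbol", "configuration", "visibility"}
ALLOWED_CONFIG = {"instructions", "tools", "enable_elastic_capabilities",
                  "plugin_ids", "skill_ids", "workflow_ids"}
LIST_LIMITS = {"plugin_ids": 100, "skill_ids": 100, "workflow_ids": 100}
VISIBILITY = {"public", "shared", "private"}
# Assumption: avatar_color is a 6-digit hex code such as "#BFDBFF".
HEX_COLOR = re.compile(r"^#[0-9A-Fa-f]{6}$")


class AgentUpdateError(ValueError):
    """Raised when the body would be rejected or would violate local policy."""


def build_update_body(agent, tool_allowlist, **changes):
    """Return a PUT body: `agent` (a GET response) with `changes` applied.

    `id` and `type` are dropped, unknown keys are rejected up front, and every
    tool id must be in `tool_allowlist`, so the update cannot grant an agent a
    tool that nobody reviewed.
    """
    body = {k: copy.deepcopy(v) for k, v in agent.items() if k in ALLOWED_TOP}
    body.update(copy.deepcopy(changes))

    unknown = set(body) - ALLOWED_TOP
    if unknown:
        raise AgentUpdateError(f"properties not accepted by PUT: {sorted(unknown)}")

    config = body.get("configuration", {})
    unknown_cfg = set(config) - ALLOWED_CONFIG
    if unknown_cfg:
        raise AgentUpdateError(f"configuration keys not accepted: {sorted(unknown_cfg)}")
    for key, limit in LIST_LIMITS.items():
        if len(config.get(key, [])) > limit:
            raise AgentUpdateError(f"{key} exceeds maxItems={limit}")
    for group in config.get("tools", []):
        if "tool_ids" not in group:
            raise AgentUpdateError("each tools entry requires tool_ids")
        for tool_id in group["tool_ids"]:
            if tool_id not in tool_allowlist:
                raise AgentUpdateError(f"tool {tool_id!r} is not on the allowlist")

    if "visibility" in body and body["visibility"] not in VISIBILITY:
        raise AgentUpdateError(f"invalid visibility {body['visibility']!r}")
    if "avatar_color" in body and not HEX_COLOR.match(body["avatar_color"]):
        raise AgentUpdateError(f"invalid avatar_color {body['avatar_color']!r}")
    return body


# Constructed sample: the agent definition from the GET example on this page.
SAMPLE_AGENT = {
    "id": "created-agent-id",
    "type": "chat",
    "name": "Search Index Helper",
    "description": 'Hi! I can help you search the data within the indices starting with "content-" prefix.',
    "labels": ["custom-indices", "department-search"],
    "avatar_color": "#BFDBFF",
    "avatar_symbol": "SI",
    "configuration": {
        "instructions": 'You are a custom agent that wants to help searching data using all indices starting with prefix "content-".',
        "tools": [{"tool_ids": ["platform.core.search", "platform.core.list_indices",
                                "platform.core.get_index_mapping", "platform.core.get_document_by_id"]}],
    },
}

# Tools this team has reviewed for custom agents (local policy, not an API concept).
APPROVED_TOOLS = {"platform.core.search", "platform.core.list_indices",
                  "platform.core.get_index_mapping", "platform.core.get_document_by_id"}


def example_update():
    """Apply the change from the PUT example above; returns the body to send as JSON."""
    return build_update_body(
        SAMPLE_AGENT, APPROVED_TOOLS,
        description='Updated description - Search for anything in "content-*" indices!',
        labels=SAMPLE_AGENT["labels"] + ["elastic-employees"],
    )
```

Send the returned dict as the JSON body with the `kbn-xsrf` header, as in the curl sample; a rejected tool or an unknown key fails locally instead of producing a 400 from Kibana or, worse, a silently widened tool set.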
operationId: put-agent-builder-agents-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the agent to update.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
createAgentRequestExample:
description: Example request for updating a custom agent
value:
avatar_color: '#BFDBFF'
avatar_symbol: SI
configuration:
instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
tools:
- tool_ids:
- platform.core.search
- platform.core.list_indices
- platform.core.get_index_mapping
- platform.core.get_document_by_id
description: Updated description - Search for anything in "content-*" indices!
labels:
- custom-indices
- department-search
- elastic-employees
name: Search Index Helper
schema:
additionalProperties: false
type: object
properties:
avatar_color:
description: Updated hex color code for the agent avatar.
type: string
avatar_symbol:
description: Updated symbol/initials for the agent avatar.
type: string
configuration:
additionalProperties: false
description: Updated configuration settings for the agent.
type: object
properties:
enable_elastic_capabilities:
description: When true, enables built-in Elastic capabilities for the agent.
type: boolean
instructions:
description: Updated system instructions that define the agent behavior.
type: string
plugin_ids:
description: Array of plugin IDs to assign to the agent.
items:
description: Plugin ID to assign to the agent.
type: string
maxItems: 100
type: array
skill_ids:
description: Array of skill IDs to be available to the agent.
items:
description: Skill ID to be available to the agent.
type: string
maxItems: 100
type: array
tools:
items:
additionalProperties: false
description: Tool selection configuration for the agent.
type: object
properties:
tool_ids:
description: Array of tool IDs that the agent can use.
items:
description: Tool ID to be available to the agent.
type: string
type: array
required:
- tool_ids
type: array
workflow_ids:
items:
description: Updated list of workflow IDs. When set, these workflows run every agent execution, in order.
type: string
maxItems: 100
type: array
description:
description: Updated description of what the agent does.
type: string
labels:
description: Updated labels for categorizing and organizing agents.
items:
description: Updated label for categorizing the agent.
type: string
type: array
name:
description: Updated display name for the agent.
type: string
visibility:
description: '**Technical Preview; added in 9.4.0.** Updated visibility setting: `public` (any privileged user can read/write), `shared` (any privileged user can read, only owner can write), `private` (only owner can read/write).'
enum:
- public
- shared
- private
type: string
responses:
'200':
content:
application/json:
examples:
updateAgentResponseExample:
description: Example response returning the agent definition with the changes applied from the request
value:
avatar_color: '#BFDBFF'
avatar_symbol: SI
configuration:
instructions: You are a custom agent that wants to help searching data using all indices starting with prefix "content-".
tools:
- tool_ids:
- platform.core.search
- platform.core.list_indices
- platform.core.get_index_mapping
- platform.core.get_document_by_id
description: Updated description - Search for anything in "content-*" indices!
id: created-agent-id
labels:
- custom-indices
- department-search
- elastic-employees
name: Search Index Helper
type: chat
description: Indicates a successful response
summary: Update an agent
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X PUT "${KIBANA_URL}/api/agent_builder/agents/{id}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"name": "Search Index Helper",
"description": "Updated description - Search for anything in \"content-*\" indices!",
"labels": ["custom-indices", "department-search", "elastic-employees"],
"avatar_color": "#BFDBFF",
"avatar_symbol": "SI",
"configuration": {
"instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".",
"tools": [{
"tool_ids": [
"platform.core.search",
"platform.core.list_indices",
"platform.core.get_index_mapping",
"platform.core.get_document_by_id"
]
}]
}
}'
- lang: Console
source: |
PUT kbn://api/agent_builder/agents/{id}
{
"name": "Search Index Helper",
"description": "Updated description - Search for anything in \"content-*\" indices!",
"labels": ["custom-indices", "department-search", "elastic-employees"],
"avatar_color": "#BFDBFF",
"avatar_symbol": "SI",
"configuration": {
"instructions": "You are a custom agent that wants to help searching data using all indices starting with prefix \"content-\".",
"tools": [{
"tool_ids": [
"platform.core.search",
"platform.core.list_indices",
"platform.core.get_index_mapping",
"platform.core.get_document_by_id"
]
}]
}
}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/conversations:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/conversations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all conversations for a user. Use the optional agent ID to filter conversations by a specific agent.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-conversations
parameters:
- description: Optional agent ID to filter conversations by a specific agent.
in: query
name: agent_id
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
listConversationsResponseExample:
description: Example response containing the list of conversations with all agents
value:
results:
- agent_id: elastic-ai-agent
created_at: '2025-09-19T17:45:39.554Z'
id: bcc176c5-38f6-40be-be0c-898e34fa1480
title: General Greeting
updated_at: '2025-09-19T17:45:39.554Z'
user:
username: elastic
description: Indicates a successful response
summary: List conversations
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/agent_builder/conversations" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/agent_builder/conversations
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/conversations/{conversation_id}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/agent_builder/conversations/{conversation_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a conversation by ID. This action cannot be undone.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: delete-agent-builder-conversations-conversation-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the conversation to delete.
in: path
name: conversation_id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
deleteConversationResponseExample:
description: Example response showing that deletion of conversation has been successful
value:
success: true
description: Indicates a successful response
summary: Delete conversation by ID
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
DELETE kbn://api/agent_builder/conversations/{conversation_id}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/conversations/{conversation_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a specific conversation by ID. Use this endpoint to retrieve the complete conversation history including all messages and metadata.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-conversations-conversation-id
parameters:
- description: The unique identifier of the conversation to retrieve.
in: path
name: conversation_id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getConversationByIdResponseExample:
description: Example response containing the contents of a conversation with the chat agent
value:
agent_id: elastic-ai-agent
created_at: '2025-09-19T17:45:39.554Z'
id: bcc176c5-38f6-40be-be0c-898e34fa1480
rounds:
- id: 170ec3b2-0f5a-4538-8b60-549572386d2a
input:
message: Hello, how are you?
response:
message: |-
Since this is a general greeting that doesn't require any organizational or product-specific information, I can respond without using tools.
Hello! I'm doing well, thank you for asking. I'm here to help you with any questions you may have. How can I assist you today?
steps: []
title: General Greeting
updated_at: '2025-09-19T17:45:39.554Z'
user:
username: elastic
description: Indicates a successful response
summary: Get conversation by ID
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/agent_builder/conversations/{conversation_id}" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/agent_builder/conversations/{conversation_id}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/conversations/{conversation_id}/attachments:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all attachments for a conversation. Use the optional include_deleted query parameter to include soft-deleted attachments.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-conversations-conversation-id-attachments
parameters:
- description: The unique identifier of the conversation.
in: path
name: conversation_id
required: true
schema:
type: string
- description: Whether to include deleted attachments in the list.
in: query
name: include_deleted
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
listAttachmentsResponseExample:
description: Example response containing active attachments for a conversation
value:
results:
- active: true
current_version: 2
description: My text file
id: attachment-1
type: text
versions:
- content_hash: abc123
created_at: '2025-01-01T10:00:00.000Z'
data: Initial content
estimated_tokens: 3
version: 1
- content_hash: def456
created_at: '2025-01-01T11:00:00.000Z'
data: Updated content
estimated_tokens: 3
version: 2
- active: true
current_version: 1
description: Configuration data
id: attachment-2
type: json
versions:
- content_hash: ghi789
created_at: '2025-01-01T12:00:00.000Z'
data:
key: value
nested:
field: 123
estimated_tokens: 15
version: 1
total_token_estimate: 21
description: Indicates a successful response
summary: List conversation attachments
tags:
- agent builder
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new attachment for a conversation with version tracking.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: post-agent-builder-conversations-conversation-id-attachments
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the conversation.
in: path
name: conversation_id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
createHiddenAttachmentExample:
description: Example request for creating a hidden attachment
value:
data: Internal system data
description: System context
hidden: true
type: text
createJsonAttachmentExample:
description: Example request for creating a JSON attachment with custom ID
value:
data:
configuration:
enabled: true
threshold: 50
metadata:
source: user_input
description: Application settings
id: custom-attachment-id
type: json
createTextAttachmentExample:
description: Example request for creating a text attachment
value:
data: This is the content of my text attachment
description: Meeting notes
type: text
schema:
additionalProperties: false
type: object
properties:
data:
description: The attachment data/content. Required unless origin is provided.
nullable: true
description:
description: Human-readable description of the attachment.
type: string
hidden:
description: Whether the attachment should be hidden from the user.
type: boolean
id:
description: Optional custom ID for the attachment.
type: string
origin:
description: Origin string (for example, saved object ID) for by-reference attachments. When provided without data, the content is resolved once at creation time.
type: string
type:
description: The type of the attachment (e.g., text, esql, visualization).
type: string
required:
- type
- data
responses:
'200':
content:
application/json:
examples:
createAttachmentResponseExample:
description: Example response returning the created attachment
value:
attachment:
active: true
current_version: 1
description: Meeting notes
id: att-abc123
type: text
versions:
- content_hash: sha256-xyz
created_at: '2025-01-06T10:00:00.000Z'
data: This is the content of my text attachment
estimated_tokens: 12
version: 1
description: Indicates a successful response
summary: Create conversation attachment
tags:
- agent builder
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete an attachment. By default performs a soft delete (can be restored). Use permanent=true to permanently remove unreferenced attachments.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: delete-agent-builder-conversations-conversation-id-attachments-attachment-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the conversation.
in: path
name: conversation_id
required: true
schema:
type: string
- description: The unique identifier of the attachment to delete.
in: path
name: attachment_id
required: true
schema:
type: string
- description: If true, permanently removes the attachment (only for unreferenced attachments).
in: query
name: permanent
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
permanentDeleteAttachmentResponseExample:
description: Example response for permanent delete (cannot be restored)
value:
permanent: true
success: true
softDeleteAttachmentResponseExample:
description: Example response for soft delete (can be restored)
value:
permanent: false
success: true
description: Indicates a successful response
summary: Delete conversation attachment
tags:
- agent builder
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |-
**Spaces method and path for this operation:**
patch/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update the content of an attachment. A new version is created only if the content changed.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the conversation.
in: path
name: conversation_id
required: true
schema:
type: string
- description: The unique identifier of the attachment to update.
in: path
name: attachment_id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
updateAttachmentContentExample:
description: Example request for updating attachment content
value:
data: This is the updated content
updateAttachmentWithDescriptionExample:
description: Example request for updating both content and description
value:
data: New content version
description: Updated meeting notes - v2
schema:
additionalProperties: false
type: object
properties:
data:
description: The new attachment data/content.
nullable: true
description:
description: Optional new description for the attachment.
type: string
required:
- data
responses:
'200':
content:
application/json:
examples:
updateAttachmentResponseExample:
description: Example response returning the updated attachment with new version
value:
attachment:
active: true
current_version: 2
description: Meeting notes
id: att-abc123
type: text
versions:
- content_hash: sha256-abc
created_at: '2025-01-06T10:00:00.000Z'
data: Original content
estimated_tokens: 10
version: 1
- content_hash: sha256-def
created_at: '2025-01-06T11:00:00.000Z'
data: This is the updated content
estimated_tokens: 12
version: 2
new_version: 2
description: Indicates a successful response
summary: Update conversation attachment
tags:
- agent builder
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/{attachment_id}/_restore
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update the origin reference for an attachment. Use this after saving a by-value attachment to link it to its persistent store.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: put-agent-builder-conversations-conversation-id-attachments-attachment-id-origin
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the conversation.
in: path
name: conversation_id
required: true
schema:
type: string
- description: The unique identifier of the attachment to update.
in: path
name: attachment_id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
updateOriginExample:
description: Example request for linking an attachment to a saved visualization
value:
origin: abc123
schema:
additionalProperties: false
type: object
properties:
origin:
description: The origin string (e.g., saved object ID for visualizations and dashboards).
type: string
required:
- origin
responses:
'200':
content:
application/json:
examples:
updateOriginResponseExample:
description: Example response returning the attachment with updated origin
value:
attachment:
active: true
current_version: 1
description: Sales chart
id: att-123
origin: abc123
type: visualization
versions:
- content_hash: sha256-xyz
created_at: '2025-01-06T10:00:00.000Z'
data:
chart_type: bar
esql: FROM sales | STATS count=COUNT(*) BY month
query: Show monthly sales
visualization: {}
estimated_tokens: 50
version: 1
success: true
description: Indicates a successful response
summary: Update attachment origin
tags:
- agent builder
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/conversations/{conversation_id}/attachments/stale:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/conversations/{conversation_id}/attachments/stale
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Checks staleness for the latest version of all conversation attachments against their origin snapshot.
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-conversations-conversation-id-attachments-stale
parameters:
- description: The unique identifier of the conversation.
in: path
name: conversation_id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
checkStaleAttachmentsResponseExample:
description: 'Mixed conversation: attachments without a stale source return only id and is_stale. When a staleness check fails for one attachment, is_stale is false and an error explains why. When an origin-backed attachment is out of date, the response includes type, origin, and resolved data (here a simple text body) for resync.'
value:
attachments:
- id: att-text-meeting-notes
is_stale: false
- id: att-lens-active-users
is_stale: false
- error: Origin could not be resolved
id: att-query-attachment
is_stale: false
- data: This is the content of my text attachment
hidden: false
id: att-text-runbook
is_stale: true
origin: document:hr-onboarding-v2
type: text
description: Indicates a successful response
summary: Check attachment staleness
tags:
- agent builder
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/converse:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/converse
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Send a message to an agent and receive a complete response. This synchronous endpoint waits for the agent to fully process your request before returning the final result. Use this for simple chat interactions where you need the complete response. To learn more, refer to the [agent chat documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/chat).
[Required authorization] Route required privileges: agentBuilder:read.
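Worked example (added here; not code from this page or from Kibana): a Python helper that assembles a request body for this endpoint and applies the cross-field rules the schema states only in its descriptions, before anything is sent: `connector_id` and `inference_id` are mutually exclusive, `action: regenerate` requires `conversation_id`, and each attachment needs `type` plus either `data` or `origin`. It also builds the `prompts` object deny-by-default, so a confirmation the caller did not explicitly approve is answered with `allow: false`. Two points are the example's own assumptions, not stated on the page: that `input` is required for a normal round (regenerate reuses the original input), and that the `prompts` keys are the identifiers of the confirmation prompts raised in the previous round.

```python
"""Assemble a body for POST /api/agent_builder/converse (the async endpoint
uses the same schema), enforcing the cross-field rules before sending."""


class ConverseRequestError(ValueError):
    """Raised when the body would be rejected or would grant something unintended."""


def answer_prompts(prompt_ids, approved):
    """Build the `prompts` object: allow only ids in `approved`, deny everything else.

    Assumption: the object keys are the identifiers of the confirmation prompts
    the agent raised in the previous round (the schema only says keys map to {allow}).
    """
    return {pid: {"allow": pid in approved} for pid in prompt_ids}


def build_converse_body(input_text=None, *, agent_id="elastic-ai-agent", conversation_id=None,
                        connector_id=None, inference_id=None, action=None,
                        attachments=(), prompts=None):
    """Return the JSON body for /api/agent_builder/converse, or raise on a bad combination."""
    if connector_id is not None and inference_id is not None:
        raise ConverseRequestError("connector_id and inference_id are mutually exclusive")
    if action is not None and action != "regenerate":
        raise ConverseRequestError(f"unsupported action {action!r}")
    if action == "regenerate" and conversation_id is None:
        raise ConverseRequestError("action=regenerate requires conversation_id")
    if action is None and not input_text:
        # Assumption: a normal round needs user input; regenerate reuses the original.
        raise ConverseRequestError("input is required unless action=regenerate")

    body = {"agent_id": agent_id}
    if input_text is not None:
        body["input"] = input_text
    for key, value in (("conversation_id", conversation_id), ("connector_id", connector_id),
                       ("inference_id", inference_id), ("action", action)):
        if value is not None:
            body[key] = value

    checked = []
    for att in attachments:
        if "type" not in att:
            raise ConverseRequestError("every attachment requires type")
        # data may be null only when origin is set; the server then resolves the content once.
        if att.get("data") is None and not att.get("origin"):
            raise ConverseRequestError(f"attachment {att.get('id', '?')} needs data or origin")
        checked.append(dict(att))
    if checked:
        body["attachments"] = checked
    if prompts:
        body["prompts"] = prompts
    return body
```

The first call in the test reproduces the `converseRequestExample` body from this page; the others show the combinations the endpoint would reject being caught on the client.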
operationId: post-agent-builder-converse
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
converseRequestExample:
description: Example request to send a message to the agent as a part of the conversation
value:
agent_id: elastic-ai-agent
connector_id: my-connector-id
input: What is Elasticsearch?
converseRequestInferenceExample:
description: Example using inference_id (mutually exclusive with connector_id)
value:
agent_id: elastic-ai-agent
inference_id: my-inference-endpoint-id
input: What is Elasticsearch?
schema:
additionalProperties: false
type: object
properties:
_execution_mode:
description: '**Experimental; added in 9.4.0.** Defines how the agent is executed: locally or through task_manager.'
enum:
- local
- task_manager
type: string
action:
description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id.
enum:
- regenerate
type: string
agent_id:
default: elastic-ai-agent
description: The ID of the agent to chat with. Defaults to the default Elastic AI agent.
type: string
attachments:
description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.'
items:
additionalProperties: false
type: object
properties:
data:
additionalProperties:
nullable: true
description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time).
type: object
hidden:
description: When true, the attachment will not be displayed in the UI.
type: boolean
id:
description: Optional id for the attachment.
type: string
origin:
description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook.
type: string
type:
description: Type of the attachment.
type: string
required:
- type
type: array
browser_api_tools:
description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side.
items:
additionalProperties: false
type: object
properties:
description:
description: Description of what the browser API tool does.
type: string
id:
description: Unique identifier for the browser API tool.
type: string
schema:
description: JSON Schema defining the tool parameters (JsonSchema7Type).
nullable: true
required:
- id
- description
- schema
type: array
capabilities:
additionalProperties: false
description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results.
type: object
properties:
visualizations:
description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses.
type: boolean
configuration_overrides:
additionalProperties: false
description: Runtime configuration overrides. These override the stored agent configuration for this execution only.
type: object
properties:
instructions:
description: Custom instructions for the agent.
type: string
tools:
description: Tool selection to enable for this execution.
items:
additionalProperties: false
type: object
properties:
tool_ids:
items:
type: string
type: array
required:
- tool_ids
type: array
connector_id:
description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one.
nullable: true
type: string
conversation_id:
description: Optional existing conversation ID to continue a previous conversation.
type: string
inference_id:
description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`.
nullable: true
type: string
input:
description: The user input message to send to the agent.
type: string
prompts:
additionalProperties:
additionalProperties: false
type: object
properties:
allow:
type: boolean
required:
- allow
description: Can be used to respond to a confirmation prompt.
type: object
responses:
'200':
content:
application/json:
examples:
converseResponseExample:
description: Example response containing the chain of events representing a conversation with the agent
value:
conversation_id: 696ccd6d-4bff-4b26-a62e-522ccf2dcd16
response:
message: Elasticsearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases. As the heart of the Elastic Stack, it centrally stores your data for lightning fast search, fine‑tuned relevancy, and powerful analytics that scale with ease.
steps:
- reasoning: Searching for official documentation or content that explains what Elasticsearch is
type: reasoning
- params:
query: what is elasticsearch definition overview introduction
progression:
- message: Selecting the best target for this query
results:
- data:
message: Could not figure out which index to use
type: error
tool_call_id: tooluse_shOdUwKIRwC9YhqGzeg0cQ
tool_id: platform.core.search
type: tool_call
description: Indicates a successful response
summary: Send chat message
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/agent_builder/converse" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"input": "What is Elasticsearch?",
"agent_id": "elastic-ai-agent"
}'
- lang: Console
source: |
POST kbn://api/agent_builder/converse
{
"input": "What is Elasticsearch?",
"agent_id": "elastic-ai-agent"
}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/converse/async:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/converse/async
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Send a message to an agent and receive real-time streaming events. This asynchronous endpoint provides live updates as the agent processes your request, allowing you to see intermediate steps and progress. Use this for interactive experiences where you want to monitor the agent's thinking process.
## Event types
The endpoint emits Server-Sent Events (SSE) with the following custom event types:
`conversation_id_set`
Sets the conversation ID.
Schema:
```json
{
"conversation_id": "uuid"
}
```
---
`conversation_created`
Fires when a new conversation is persisted and assigned an ID.
Schema:
```json
{
"conversation_id": "uuid",
"title": "conversation title"
}
```
---
`conversation_updated`
Fires when a conversation is updated.
Schema:
```json
{
"conversation_id": "uuid",
"title": "updated conversation title"
}
```
---
`reasoning`
Carries one step of the agent's reasoning.
Schema:
```json
{
"reasoning": "plain text reasoning content",
"transient": false
}
```
---
`tool_call`
Emitted when the agent invokes a tool.
Schema:
```json
{
"tool_call_id": "uuid",
"tool_id": "tool_name",
"params": {}
}
```
---
`tool_progress`
Reports progress of a running tool.
Schema:
```json
{
"tool_call_id": "uuid",
"message": "progress message"
}
```
---
`tool_result`
Returns results from a completed tool call.
Schema:
```json
{
"tool_call_id": "uuid",
"tool_id": "tool_name",
"results": []
}
```
**Note:** `results` is an array of `ToolResult` objects.
---
`message_chunk`
Streams partial text chunks.
Schema:
```json
{
"message_id": "uuid",
"text_chunk": "partial text"
}
```
---
`message_complete`
Indicates message stream is finished.
Schema:
```json
{
"message_id": "uuid",
"message_content": "full text content of the message"
}
```
---
`thinking_complete`
Marks the end of the thinking/reasoning phase.
Schema:
```json
{
"time_to_first_token": 0
}
```
**Note:** `time_to_first_token` is in milliseconds.
---
`round_complete`
Marks end of one conversation round.
Schema:
```json
{
"round": {}
}
```
**Note:** `round` contains the full round json object.
---
## Event flow
A typical conversation round emits events in this sequence:
1. `reasoning` (potentially multiple, some transient)
2. `tool_call` (if tools are used)
3. `tool_progress` (zero or more progress updates)
4. `tool_result` (when tool completes)
5. `thinking_complete`
6. `message_chunk` (multiple, as text streams)
7. `message_complete`
8. `round_complete`
[Required authorization] Route required privileges: agentBuilder:read.
operationId: post-agent-builder-converse-async
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
converseAsyncRequestExample:
description: Example request to send a message to the agent as a part of the conversation
value:
agent_id: elastic-ai-agent
conversation_id: c250305b-1929-4248-b568-b9e3f065fda5
input: Hello
converseAsyncRequestInferenceExample:
description: Example using inference_id (mutually exclusive with connector_id)
value:
agent_id: elastic-ai-agent
inference_id: my-inference-endpoint-id
input: Hello
schema:
additionalProperties: false
type: object
properties:
_execution_mode:
description: '**Experimental; added in 9.4.0.** define how to execute the agent (local execution or via task_manager)'
enum:
- local
- task_manager
type: string
action:
description: The action to perform. "regenerate" re-executes the last round with the original input. Requires conversation_id.
enum:
- regenerate
type: string
agent_id:
default: elastic-ai-agent
description: The ID of the agent to chat with. Defaults to the default Elastic AI agent.
type: string
attachments:
description: '**Technical Preview; added in 9.3.0.** Optional attachments to send with the message.'
items:
additionalProperties: false
type: object
properties:
data:
additionalProperties:
nullable: true
description: Payload of the attachment. Required unless `origin` is provided (content is resolved once at send time).
type: object
hidden:
description: When true, the attachment will not be displayed in the UI.
type: boolean
id:
description: Optional id for the attachment.
type: string
origin:
description: Origin string (for example, saved object ID) for by-reference attachments. When provided without `data`, the content is resolved once using the attachment type’s `resolve` hook.
type: string
type:
description: Type of the attachment.
type: string
required:
- type
type: array
browser_api_tools:
description: Optional browser API tools to be registered as LLM tools with browser.* namespace. These tools execute on the client side.
items:
additionalProperties: false
type: object
properties:
description:
description: Description of what the browser API tool does.
type: string
id:
description: Unique identifier for the browser API tool.
type: string
schema:
description: JSON Schema defining the tool parameters (JsonSchema7Type).
nullable: true
required:
- id
- description
- schema
type: array
capabilities:
additionalProperties: false
description: Controls agent capabilities during conversation. Currently supports visualization rendering for tabular tool results.
type: object
properties:
visualizations:
description: When true, allows the agent to render tabular data from tool results as interactive visualizations using custom XML elements in responses.
type: boolean
configuration_overrides:
additionalProperties: false
description: Runtime configuration overrides. These override the stored agent configuration for this execution only.
type: object
properties:
instructions:
description: Custom instructions for the agent.
type: string
tools:
description: Tool selection to enable for this execution.
items:
additionalProperties: false
type: object
properties:
tool_ids:
items:
type: string
type: array
required:
- tool_ids
type: array
connector_id:
description: Optional connector ID for the agent to use for model routing. Mutually exclusive with `inference_id`; omit or use only one.
nullable: true
type: string
conversation_id:
description: Optional existing conversation ID to continue a previous conversation.
type: string
inference_id:
description: Optional inference endpoint ID for model routing (public alias for the same internal identifier as `connector_id`). Mutually exclusive with `connector_id`.
nullable: true
type: string
input:
description: The user input message to send to the agent.
type: string
prompts:
additionalProperties:
additionalProperties: false
type: object
properties:
allow:
type: boolean
required:
- allow
description: Can be used to respond to a confirmation prompt.
type: object
responses:
'200':
content:
text/event-stream:
examples:
converseAsyncResponseExample:
description: Example stream containing the chain of events representing a conversation with the agent
value:
- data:
data:
conversation_id: c250305b-1929-4248-b568-b9e3f065fda5
event: conversation_id_set
- data:
data:
reasoning: Starting with a general search to understand what content is available.
event: reasoning
- data:
data:
params:
query: latest documents
tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg
tool_id: platform.core.search
event: tool_call
- data:
data:
results:
- data:
message: Could not figure out which index to use
type: error
tool_call_id: tooluse__2aJELgyRYqD8SDOKSiwtg
event: tool_result
- data:
data:
round:
id: a5692d54-bc06-4a6e-aea1-412779c73f66
input:
message: Hello
response:
message: Hello! How can I help you today?
event: round_complete
description: Indicates a successful response
summary: Send chat message (streaming)
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/agent_builder/converse/async" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"input": "Hello again let us have an async chat",
"agent_id": "elastic-ai-agent",
"conversation_id": ""
}'
- lang: Console
source: |
POST kbn://api/agent_builder/converse/async
{
"input": "Hello again let's have an async chat",
"agent_id": "elastic-ai-agent",
"conversation_id": ""
}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/mcp:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/mcp
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
> warn
> This endpoint is designed for MCP clients (Claude Desktop, Cursor, VS Code, etc.) and should not be used directly via REST APIs. Use MCP Inspector or native MCP clients instead.
To learn more, refer to the [MCP documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/mcp-server).
[Required authorization] Route required privileges: agentBuilder:read.
operationId: post-agent-builder-mcp
parameters:
- description: Comma-separated list of namespaces to filter tools. Only tools matching the specified namespaces will be returned.
in: query
name: namespace
required: false
schema:
type: string
requestBody:
content:
application/json:
examples:
mcpInitializeRequestExample:
description: 'WARNING: DO NOT USE THIS ENDPOINT VIA REST API. These examples are auto-generated and should not be run. Integrate with MCP using MCP Inspector or native MCP clients (Claude Desktop, Cursor, VS Code) instead.'
value:
id: 1
jsonrpc: '2.0'
method: initialize
params:
capabilities: {}
clientInfo:
name: test-client
version: 1.0.0
protocolVersion: '2024-11-05'
schema: {}
responses:
'200':
content:
application/json:
examples:
mcpInitializeResponseExample:
description: Example response showing the successful result of communication initialisation over MCP protocol
value:
id: 1
jsonrpc: '2.0'
result:
capabilities:
tools:
listChanged: true
protocolVersion: '2024-11-05'
serverInfo:
name: elastic-mcp-server
version: 0.0.1
description: Indicates a successful response
summary: MCP server
tags:
- agent builder
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/plugins:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/plugins
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all installed plugins and their managed assets. Plugins are installable packages that bundle agent capabilities such as skills, following the [Claude agent plugin specification](https://code.claude.com/docs/en/plugins).
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-plugins
parameters: []
responses:
'200':
content:
application/json:
examples:
listPluginsResponseExample:
description: Example response that returns one installed plugin
value:
results:
- created_at: '2025-01-01T00:00:00.000Z'
description: Financial analysis tools and skills for Claude
id: financial-analysis
manifest:
author:
name: Anthropic
url: https://www.anthropic.com
keywords:
- finance
- analysis
repository: https://github.com/anthropics/financial-services-plugins
name: financial-analysis
skill_ids:
- financial-analysis-analyze-portfolio
source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
unmanaged_assets:
agents: []
hooks: []
lsp_servers: []
mcp_servers: []
output_styles: []
updated_at: '2025-01-01T00:00:00.000Z'
version: 1.0.0
description: Indicates a successful response
summary: List plugins
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/agent_builder/plugins" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/agent_builder/plugins
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/plugins/{pluginId}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete an installed plugin by ID. This action cannot be undone.
[Required authorization] Route required privileges: agentBuilder:write.
operationId: delete-agent-builder-plugins-pluginid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the plugin.
in: path
name: pluginId
required: true
schema:
type: string
- description: If true, removes the plugin skills from agents that use them and then deletes the plugin. If false and any agent uses the plugin skills, the request returns 409 Conflict with the list of agents.
in: query
name: force
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
deletePluginResponseExample:
description: Example response showing that deletion of the plugin has been successful
value:
success: true
description: Indicates a successful response
summary: Delete a plugin
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/agent_builder/plugins/{id}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
DELETE kbn://api/agent_builder/plugins/{id}
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/plugins/install:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Install a plugin from a [GitHub Claude plugin URL](https://code.claude.com/docs/en/plugins) or a direct ZIP URL. Plugins bundle agent capabilities such as skills; because a skill's content becomes agent instructions, install plugins only from sources you trust.
[Required authorization] Route required privileges: agentBuilder:write.
operationId: post-agent-builder-plugins-install
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
installPluginFromGithubExample:
description: Example request for installing a plugin from a GitHub URL
value:
url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
installPluginFromZipExample:
description: Example request for installing a plugin from a direct zip URL
value:
url: https://my-server.example.com/my-plugin.zip
installPluginWithNameOverrideExample:
description: Example request for installing a plugin with a custom name
value:
plugin_name: my-custom-plugin-name
url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
schema:
additionalProperties: false
type: object
properties:
plugin_name:
description: Optional name override for the plugin. Defaults to the manifest name.
type: string
url:
description: URL to install the plugin from (GitHub URL or direct zip URL).
type: string
required:
- url
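Because this operation fetches content from a URL supplied in the request and turns the bundled skills into agent instructions, the source is worth gating before the call is made. The check below is an added example, not part of Kibana: it accepts only the two documented URL shapes (a GitHub `/tree/{ref}/...` URL or an HTTPS ZIP URL), rejects non-HTTPS sources, embedded credentials and dot segments, restricts GitHub owners and ZIP hosts to an allowlist (the allowlist contents are assumptions for the example), and reports whether a GitHub source is pinned to a full commit SHA rather than a mutable branch such as `main`, so that a caller can refuse unpinned sources.

```python
from __future__ import annotations

import re
from urllib.parse import urlparse

# Assumed allowlists for this example; a real deployment would keep these in configuration.
ALLOWED_GITHUB_OWNERS = {"anthropics"}
ALLOWED_ZIP_HOSTS = {"my-server.example.com"}

_COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
INSTALL_PATH = "/api/agent_builder/plugins/install"


def classify_plugin_url(url: str) -> dict:
    """Describe an acceptable plugin source, or raise ValueError with the reason it was rejected."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https plugin source: {url}")
    if parts.username or parts.password:
        # Also catches https://github.com@evil.example/... where the host is not github.com.
        raise ValueError("credentials embedded in plugin URL")
    segments = [s for s in parts.path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        raise ValueError("dot segments in plugin URL path")
    host = parts.hostname or ""
    if host == "github.com":
        # Documented shape: https://github.com/{owner}/{repo}/tree/{ref}/{plugin directory}
        if len(segments) < 2:
            raise ValueError("GitHub URL must name an owner and a repository")
        owner, repo = segments[0], segments[1]
        if owner not in ALLOWED_GITHUB_OWNERS:
            raise ValueError(f"GitHub owner {owner!r} is not on the allowlist")
        ref = None
        if len(segments) > 2:
            if segments[2] != "tree" or len(segments) < 4:
                raise ValueError("only /tree/{ref}/... GitHub URLs are accepted")
            ref = segments[3]
        # A branch name like "main" can change after review; a 40-hex commit SHA cannot.
        return {"kind": "github", "owner": owner, "repo": repo, "ref": ref,
                "pinned": bool(ref and _COMMIT_SHA.match(ref))}
    if host in ALLOWED_ZIP_HOSTS and parts.path.endswith(".zip"):
        return {"kind": "zip", "host": host, "pinned": False}
    raise ValueError(f"plugin source host {host!r} is not on the allowlist")


def build_install_request(url: str, plugin_name: str | None = None,
                          require_pinned: bool = False) -> dict:
    """Build the request for this operation once the source passes the check."""
    info = classify_plugin_url(url)
    if require_pinned and info["kind"] == "github" and not info["pinned"]:
        raise ValueError("GitHub plugin source must be pinned to a full commit SHA")
    body = {"url": url}
    if plugin_name:
        body["plugin_name"] = plugin_name
    return {
        "method": "POST",
        "path": INSTALL_PATH,
        "headers": {"kbn-xsrf": "true", "Content-Type": "application/json"},
        "body": body,
    }


def is_rejected(url: str, **kwargs) -> bool:
    """True when the source would be refused; useful as a dry run before calling the API."""
    try:
        build_install_request(url, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_install_request(
        "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis"))
```

The returned dictionary carries exactly the `url` and optional `plugin_name` fields this schema allows; sending it still requires the `Authorization` header and the `agentBuilder:write` privilege named above.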
responses:
'200':
content:
application/json:
examples:
installPluginResponseExample:
description: Example response returning the definition of the installed plugin
value:
created_at: '2025-01-01T00:00:00.000Z'
description: Financial analysis tools and skills for Claude
id: financial-analysis
manifest:
author:
name: Anthropic
url: https://www.anthropic.com
keywords:
- finance
- analysis
repository: https://github.com/anthropics/financial-services-plugins
name: financial-analysis
skill_ids:
- financial-analysis-analyze-portfolio
source_url: https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis
unmanaged_assets:
agents: []
hooks: []
lsp_servers: []
mcp_servers: []
output_styles: []
updated_at: '2025-01-01T00:00:00.000Z'
version: 1.0.0
description: Indicates a successful response
summary: Install a plugin
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/agent_builder/plugins/install" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis"
}'
- lang: Console
source: |
POST kbn://api/agent_builder/plugins/install
{
"url": "https://github.com/anthropics/financial-services-plugins/tree/main/financial-analysis"
}
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/skills:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/skills
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all available skills (built-in and user-created).
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-skills
parameters:
- description: Set to true to include skills from plugins.
in: query
name: include_plugins
required: false
schema:
default: false
type: boolean
responses: {}
summary: List skills
tags:
- agent builder
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/skills
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new user-defined skill.
[Required authorization] Route required privileges: agentBuilder:manageSkills.
operationId: post-agent-builder-skills
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
content:
description: Skill instructions content (markdown).
type: string
description:
description: Description of what the skill does.
type: string
id:
description: Unique identifier for the skill.
type: string
name:
description: Human-readable name for the skill.
type: string
referenced_content:
items:
additionalProperties: false
type: object
properties:
content:
description: Content of the reference.
type: string
name:
description: Name of the referenced content.
type: string
relativePath:
description: Relative path of the referenced content.
type: string
required:
- name
- relativePath
- content
maxItems: 100
type: array
tool_ids:
default: []
description: Tool IDs from the tool registry that this skill references.
items:
description: Tool ID from the tool registry.
type: string
maxItems: 100
type: array
required:
- id
- name
- description
- content
responses: {}
summary: Create a skill
tags:
- agent builder
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/skills/{skillId}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a user-created skill by ID. If agents still reference the skill, the request returns 409 unless force=true, which removes the skill from agents first. Built-in skills cannot be deleted.
[Required authorization] Route required privileges: agentBuilder:manageSkills.
operationId: delete-agent-builder-skills-skillid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the skill.
in: path
name: skillId
required: true
schema:
maxLength: 512
minLength: 1
type: string
- description: If true, removes the skill from agents that use it and then deletes it. If false and any agent uses the skill, the request returns 409 Conflict with the list of agents.
in: query
name: force
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
deleteSkillResponseExample:
description: Example response showing that the deletion operation was successful
value:
success: true
description: Indicates a successful response
summary: Delete a skill
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X DELETE "https://${KIBANA_URL}/api/agent_builder/skills/{skillId}?force=false" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
DELETE kbn:/api/agent_builder/skills/{skillId}
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an existing user-created skill.
[Required authorization] Route required privileges: agentBuilder:manageSkills.
operationId: put-agent-builder-skills-skillid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the skill.
in: path
name: skillId
required: true
schema:
maxLength: 512
minLength: 1
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
content:
description: Updated skill instructions content.
type: string
description:
description: Updated description.
type: string
name:
description: Updated name for the skill.
type: string
referenced_content:
items:
additionalProperties: false
type: object
properties:
content:
description: Content of the reference.
type: string
name:
description: Name of the referenced content.
type: string
relativePath:
description: Relative path of the referenced content.
type: string
required:
- name
- relativePath
- content
maxItems: 100
type: array
tool_ids:
description: Updated tool IDs from the tool registry.
items:
description: Updated tool ID.
type: string
maxItems: 100
type: array
responses: {}
summary: Update a skill
tags:
- agent builder
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/tools:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/tools
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all available tools. Use this endpoint to retrieve complete tool definitions including their schemas and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-tools
parameters: []
responses:
'200':
content:
application/json:
examples:
listToolsResponseExample:
description: Example response returning a list of existing tools
value:
results:
- configuration: {}
description: |-
A powerful tool for searching and analyzing data within your Elasticsearch cluster.
It supports both full-text relevance searches and structured analytical queries.
Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index.
Examples of queries:
- "find articles about serverless architecture"
- "search for support tickets mentioning 'billing issue' or 'refund request'"
- "what is our policy on parental leave?"
- "list all products where the category is 'electronics'"
- "show me the last 5 documents from that index"
- "show me the sales over the last year break down by month"
Note:
- The 'index' parameter can be used to specify which index to search against.
If not provided, the tool will decide itself which is the best index to use.
- It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already
know about the index and fields you want to search on, e.g. if the user explicitly specified it.
id: platform.core.search
readonly: true
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
type: object
properties:
index:
description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query.
type: string
query:
description: A natural language query expressing the search request
type: string
required:
- query
tags: []
type: builtin
- configuration: {}
description: Retrieve the full content (source) of an Elasticsearch document based on its ID and index name.
id: platform.core.get_document_by_id
readonly: true
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
type: object
properties:
id:
description: ID of the document to retrieve
type: string
index:
description: Name of the index to retrieve the document from
type: string
required:
- id
- index
tags: []
type: builtin
- configuration: {}
description: |-
Execute an ES|QL query and return the results in a tabular format.
**IMPORTANT**: This tool only **runs** queries; it does not write them.
Think of this as the final step after a query has been prepared.
You **must** get the query from one of two sources before calling this tool:
1. The output of the `platform.core.generate_esql` tool (if the tool is available).
2. A verbatim query provided directly by the user.
Under no circumstances should you invent, guess, or modify a query yourself for this tool.
If you need a query, use the `platform.core.generate_esql` tool first.
id: platform.core.execute_esql
readonly: true
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
type: object
properties:
query:
description: The ES|QL query to execute
type: string
required:
- query
tags: []
type: builtin
- configuration:
params:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
type: date
query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
description: Example ES|QL query tool for analyzing financial trades with time filtering
id: example-esql-tool
readonly: false
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
description: Parameters needed to execute the query
type: object
properties:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
format: date-time
type: string
required:
- startTime
- limit
tags:
- analytics
- finance
type: esql
- configuration:
pattern: financial_*
description: Search tool specifically for financial data analysis and reporting
id: example-index-search-tool
readonly: false
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
type: object
properties:
nlQuery:
description: A natural language query expressing the search request
type: string
required:
- nlQuery
tags:
- search
- finance
type: index_search
description: Indicates a successful response
summary: List tools
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "https://${KIBANA_URL}/api/agent_builder/tools" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn:/api/agent_builder/tools
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/agent_builder/tools
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new tool. Use this endpoint to define a custom tool with specific functionality and configuration for use by agents. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).
[Required authorization] Route required privileges: agentBuilder:manageTools.
operationId: post-agent-builder-tools
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
createEsqlToolRequest:
description: Example request to create an ESQL query tool with a pre-defined query
value:
configuration:
params:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
type: date
query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
description: Example ES|QL query tool for analyzing financial trades with time filtering
id: example-esql-tool
tags:
- analytics
- finance
type: esql
createIndexSearchToolRequest:
description: Example request to create an index_search tool with a pre-defined index pattern
value:
configuration:
pattern: financial_*
description: Search tool specifically for financial data analysis and reporting
id: example-index-search-tool
tags:
- search
- finance
type: index_search
schema:
additionalProperties: false
type: object
properties:
configuration:
additionalProperties:
nullable: true
description: Tool-specific configuration parameters. See examples for details.
type: object
description:
default: ''
description: Description of what the tool does.
type: string
id:
description: Unique identifier for the tool.
type: string
tags:
default: []
description: Optional tags for categorizing and organizing tools.
items:
description: Tag for categorizing the tool.
type: string
type: array
type:
description: The type of tool to create (e.g., esql, index_search).
enum:
- esql
- index_search
- workflow
- mcp
type: string
required:
- id
- type
- configuration
responses:
'200':
content:
application/json:
examples:
createEsqlToolExample:
description: Example response returning the definition of the created ES|QL tool
value:
configuration:
params:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
type: date
query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
description: Example ES|QL query tool for analyzing financial trades with time filtering
id: example-esql-tool
readonly: false
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
description: Parameters needed to execute the query
type: object
properties:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
format: date-time
type: string
required:
- startTime
- limit
tags:
- analytics
- finance
type: esql
createIndexSearchToolExample:
description: Example response returning the definition of the created index_search tool
value:
configuration:
pattern: financial_*
description: Search tool specifically for financial data analysis and reporting
id: example-index-search-tool
readonly: false
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
type: object
properties:
nlQuery:
description: A natural language query expressing the search request
type: string
required:
- nlQuery
tags:
- search
- finance
type: index_search
description: Indicates a successful response
summary: Create a tool
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "https://${KIBANA_URL}/api/agent_builder/tools" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"id": "example-esql-tool",
"type": "esql",
"description": "Example ES|QL query tool for analyzing financial trades with time filtering",
"tags": ["analytics", "finance"],
"configuration": {
"query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit",
"params": {
"startTime": {
"type": "date",
"description": "Start time for the analysis in ISO format"
},
"limit": {
"type": "integer",
"description": "Maximum number of results to return"
}
}
}
}'
- lang: Console
source: |
POST kbn:/api/agent_builder/tools
{
"id": "example-esql-tool",
"type": "esql",
"description": "An ES|QL query tool for analyzing financial trades with time filtering",
"tags": ["analytics", "finance", "updated"],
"configuration": {
"query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit",
"params": {
"startTime": {
"type": "date",
"description": "Start time for the analysis in ISO format"
},
"limit": {
"type": "integer",
"description": "Maximum number of results to return"
}
}
}
}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/tools/_execute:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Run a tool with parameters. Use this endpoint to run a tool directly with specified inputs and optional external connector integration. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).
[Required authorization] Route required privileges: agentBuilder:read.
operationId: post-agent-builder-tools-execute
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
executeBuiltinEsqlToolRequest:
description: Example request executing platform.core.execute_esql tool
value:
tool_id: platform.core.execute_esql
tool_params:
query: FROM financial_trades | LIMIT 3
executeBuiltinToolRequest:
description: Example request executing platform.core.get_document_by_id tool
value:
tool_id: platform.core.get_document_by_id
tool_params:
id: TRD-20250805-0820a89f
index: financial_trades
executeCustomEsqlToolRequest:
description: Example request executing custom example-esql-tool tool
value:
tool_id: example-esql-tool
tool_params:
limit: 3
startTime: '2024-01-01T00:00:00Z'
executeIndexSearchToolRequest:
description: Example request executing custom example-index-search-tool tool
value:
tool_id: example-index-search-tool
tool_params:
nlQuery: find trades with high execution prices above 100
schema:
additionalProperties: false
type: object
properties:
connector_id:
description: Optional connector ID for tools that require external integrations.
type: string
tool_id:
description: The ID of the tool to execute.
type: string
tool_params:
additionalProperties:
nullable: true
description: Parameters to pass to the tool execution. See examples for details
type: object
required:
- tool_id
- tool_params
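`tool_params` is opaque in this schema; the concrete contract for a given tool is the JSON Schema returned by the list-tools operation. The example below, added here and not part of Kibana, validates parameters against that published schema before the request is sent, using the `example-esql-tool` schema from this document (copied inline). The validator covers the subset of draft-07 those schemas use: `type`, `format: date-time`, `required` and `additionalProperties: false`. For ES|QL tools the `?startTime` and `?limit` placeholders in the stored query are bound parameters, so values travel as JSON rather than being spliced into the query text; the client-side check catches type confusion such as a boolean where an integer is expected, or a malformed timestamp, before the round trip.

```python
from __future__ import annotations

from datetime import datetime

# Schema of example-esql-tool as returned by GET /api/agent_builder/tools (copied from this document).
EXAMPLE_ESQL_TOOL_SCHEMA = {
    "$schema": "http://json-schema.org/draft-07/schema#",
    "type": "object",
    "additionalProperties": False,
    "properties": {
        "limit": {"type": "integer", "description": "Maximum number of results to return"},
        "startTime": {"type": "string", "format": "date-time",
                      "description": "Start time for the analysis in ISO format"},
    },
    "required": ["startTime", "limit"],
}

# bool is a subclass of int in Python, so it is excluded explicitly from integer/number.
_TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
}


def _is_date_time(value: str) -> bool:
    """Accept RFC 3339 timestamps; fromisoformat on older Pythons needs +00:00 instead of Z."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return True


def validate_tool_params(schema: dict, params: dict) -> list[str]:
    """Return the list of violations; an empty list means params satisfy the schema subset."""
    errors: list[str] = []
    props = schema.get("properties", {})
    for name in schema.get("required", []):
        if name not in params:
            errors.append(f"missing required parameter {name!r}")
    if schema.get("additionalProperties") is False:
        for name in params:
            if name not in props:
                errors.append(f"unexpected parameter {name!r}")
    for name, value in params.items():
        spec = props.get(name)
        if spec is None:
            continue
        expected = spec.get("type")
        if expected in _TYPE_CHECKS and not _TYPE_CHECKS[expected](value):
            errors.append(f"parameter {name!r} must be {expected}, got {type(value).__name__}")
            continue
        if spec.get("format") == "date-time" and not _is_date_time(value):
            errors.append(f"parameter {name!r} is not an RFC 3339 date-time")
    return errors


def build_execute_request(tool_id: str, schema: dict, params: dict,
                          connector_id: str | None = None) -> dict:
    """Build the body for POST /api/agent_builder/tools/_execute, refusing invalid params."""
    problems = validate_tool_params(schema, params)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"tool_id": tool_id, "tool_params": params}
    if connector_id:
        body["connector_id"] = connector_id
    return body


if __name__ == "__main__":
    print(build_execute_request("example-esql-tool", EXAMPLE_ESQL_TOOL_SCHEMA,
                                {"startTime": "2024-01-01T00:00:00Z", "limit": 3}))
```

The server validates as well; the point of checking on the client is that a typed rejection surfaces in the caller's own code, and that the parameter values never pass through string formatting on the way to the tool.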
responses:
'200':
content:
application/json:
examples:
executeBuiltinEsqlToolExample:
description: Example response calling built-in platform.core.execute_esql tool
value:
results:
- data:
esql: FROM financial_trades | LIMIT 3
type: query
- data:
columns:
- name: account_id
type: keyword
- name: execution_price
type: double
- name: symbol
type: keyword
- name: trade_type
type: keyword
query: FROM financial_trades | LIMIT 3
source: esql
values:
- - ACC00179-1f91
- 43.77000045776367
- CVX
- sell
- - ACC00407-0bbb
- 660.4199829101562
- V
- buy
- - ACC00179-1f91
- 440.3599853515625
- KO
- buy
tool_result_id: xTpT
type: esql_results
executeBuiltinToolExample:
description: Example response calling built-in platform.core.get_document_by_id tool
value:
results:
- data:
content:
account_id: ACC00271-fb5c
execution_price: 488.54
execution_timestamp: '2025-08-05T08:04:11.649855'
last_updated: '2025-09-15T13:23:36'
order_status: executed
order_type: market
quantity: 131
status_reason: fully_filled
symbol: EWL
trade_cost: 63998.74
trade_id: TRD-20250805-0820a89f
trade_type: sell
partial: false
reference:
id: TRD-20250805-0820a89f
index: financial_trades
type: resource
executeCustomEsqlToolExample:
description: Example response calling custom example-esql-tool tool
value:
results:
- data:
columns:
- name: trade_count
type: long
- name: avg_price
type: double
- name: symbol
type: keyword
query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
source: esql
values:
- - 2115
- 89.33911587329621
- US_T_BOND_20YR
- - 2112
- 104.20854155945055
- INTL_CORP_ASIA_D
- - 2105
- 89.93244177666526
- INTL_CORP_EU_B
tool_result_id: Voy8
type: esql_results
executeIndexSearchToolExample:
description: Example response calling custom example-index-search-tool tool
value:
results:
- data:
esql: |-
FROM financial_trades
| WHERE execution_price > 100
| LIMIT 100
type: query
- data:
columns:
- name: account_id
type: keyword
- name: execution_price
type: double
- name: execution_timestamp
type: date
- name: symbol
type: keyword
- name: trade_type
type: keyword
query: |-
FROM financial_trades
| WHERE execution_price > 100
| LIMIT 100
source: esql
values:
- - ACC00407-0bbb
- 660.4199829101562
- '2020-09-25T11:06:08.687Z'
- V
- buy
- - ACC00179-1f91
- 440.3599853515625
- '2025-08-07T21:56:45.377Z'
- KO
- buy
- - ACC00407-0bbb
- 132.8800048828125
- '2020-11-19T04:39:13.655Z'
- JAP_JGB_10YR
- sell
tool_result_id: uE8y
type: esql_results
description: Indicates a successful response
summary: Run a tool
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "https://${KIBANA_URL}/api/agent_builder/tools/_execute" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"tool_id": "platform.core.search",
"tool_params": {
"query": "can you find john doe's email from the employee index?"
}
}'
- lang: Console
source: |
POST kbn:/api/agent_builder/tools/_execute
{
"tool_id": "platform.core.search",
"tool_params": {
"query": "can you find john doe's email from the employee index?"
}
}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/agent_builder/tools/{toolId}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/agent_builder/tools/{toolId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a tool by ID. This action cannot be undone. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).
[Required authorization] Route required privileges: agentBuilder:manageTools.
operationId: delete-agent-builder-tools-toolid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the tool to delete.
in: path
name: toolId
required: true
schema:
type: string
- description: If true, removes the tool from agents that use it and then deletes it. If false and any agent uses the tool, the request returns 409 Conflict with the list of agents.
in: query
name: force
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
deleteAgentResponseExample:
description: Example response showing that the deletion operation was successful
value:
success: true
description: Indicates a successful response
summary: Delete a tool
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X DELETE "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
DELETE kbn:/api/agent_builder/tools/{toolId}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/agent_builder/tools/{toolId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a specific tool by ID. Use this endpoint to retrieve the complete tool definition including its schema and configuration requirements. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).
[Required authorization] Route required privileges: agentBuilder:read.
operationId: get-agent-builder-tools-toolid
parameters:
- description: The unique identifier of the tool to retrieve.
in: path
name: toolId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getBuiltinToolExample:
description: Example response returning built-in platform.core.search tool
value:
configuration: {}
description: |-
A powerful tool for searching and analyzing data within your Elasticsearch cluster.
It supports both full-text relevance searches and structured analytical queries.
Use this tool for any query that involves finding documents, counting, aggregating, or summarizing data from a known index.
Examples of queries:
- "find articles about serverless architecture"
- "search for support tickets mentioning 'billing issue' or 'refund request'"
- "what is our policy on parental leave?"
- "list all products where the category is 'electronics'"
- "show me the last 5 documents from that index"
- "show me the sales over the last year break down by month"
Note:
- The 'index' parameter can be used to specify which index to search against.
If not provided, the tool will decide itself which is the best index to use.
- It is perfectly fine not to specify the 'index' parameter. It should only be specified when you already
know about the index and fields you want to search on, e.g. if the user explicitly specified it.
id: platform.core.search
readonly: true
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
type: object
properties:
index:
description: (optional) Index to search against. If not provided, will automatically select the best index to use based on the query.
type: string
query:
description: A natural language query expressing the search request
type: string
required:
- query
tags: []
type: builtin
getEsqlToolExample:
description: Example response returning custom example-esql-tool tool
value:
configuration:
params:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
type: date
query: FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit
description: Example ES|QL query tool for analyzing financial trades with time filtering
id: example-esql-tool
readonly: false
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
description: Parameters needed to execute the query
type: object
properties:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
format: date-time
type: string
required:
- startTime
- limit
tags:
- analytics
- finance
type: esql
getIndexSearchToolExample:
description: Example response returning custom example-index-search-tool tool
value:
configuration:
pattern: financial_*
description: Search tool specifically for financial data analysis and reporting
id: example-index-search-tool
readonly: false
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
type: object
properties:
nlQuery:
description: A natural language query expressing the search request
type: string
required:
- nlQuery
tags:
- search
- finance
type: index_search
description: Indicates a successful response
summary: Get a tool by id
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn:/api/agent_builder/tools/{toolId}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/agent_builder/tools/{toolId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an existing tool. Use this endpoint to modify any aspect of the tool's configuration or metadata. To learn more, refer to the [tools documentation](https://www.elastic.co/docs/explore-analyze/ai-features/agent-builder/tools).
[Required authorization] Route required privileges: agentBuilder:manageTools.
operationId: put-agent-builder-tools-toolid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the tool to update.
in: path
name: toolId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
updateEsqlToolRequest:
description: Example request to update the custom ESQL tool
value:
configuration:
params:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
type: date
symbolPattern:
description: Pattern to filter symbols (e.g., 'US_*' for US instruments)
type: keyword
query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit
description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering
tags:
- analytics
- finance
- reporting
updateIndexSearchToolRequest:
description: Example request to update the custom Search tool
value:
description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring
tags:
- search
- finance
- compliance
- reporting
schema:
additionalProperties: false
type: object
properties:
configuration:
additionalProperties:
nullable: true
description: Updated tool-specific configuration parameters. See examples for details.
type: object
description:
description: Updated description of what the tool does.
type: string
tags:
description: Updated tags for categorizing and organizing tools.
items:
description: Updated tag for categorizing the tool.
type: string
type: array
responses:
'200':
content:
application/json:
examples:
updateEsqlToolExample:
description: Example response showing the updated ESQL tool
value:
configuration:
params:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
type: date
symbolPattern:
description: Pattern to filter symbols (e.g., 'US_*' for US instruments)
type: keyword
query: FROM financial_trades | WHERE execution_timestamp >= ?startTime AND symbol LIKE ?symbolPattern | STATS trade_count=COUNT(*), avg_price=AVG(execution_price), total_volume=SUM(quantity) BY symbol | SORT trade_count DESC | LIMIT ?limit
description: Updated ES|QL query tool for comprehensive financial analysis with enhanced filtering
id: example-esql-tool
readonly: false
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
description: Parameters needed to execute the enhanced query
type: object
properties:
limit:
description: Maximum number of results to return
type: integer
startTime:
description: Start time for the analysis in ISO format
format: date-time
type: string
symbolPattern:
description: Pattern to filter symbols (e.g., 'US_*' for US instruments)
type: string
required:
- startTime
- symbolPattern
- limit
tags:
- analytics
- finance
- reporting
type: esql
updateIndexSearchToolExample:
description: Example response showing the updated Search tool
value:
configuration:
pattern: financial_*
description: Updated search tool for comprehensive financial data analysis, reporting, and compliance monitoring
id: example-index-search-tool
readonly: false
schema:
$schema: http://json-schema.org/draft-07/schema#
additionalProperties: false
type: object
properties:
nlQuery:
description: A natural language query expressing the search request
type: string
required:
- nlQuery
tags:
- search
- finance
- compliance
- reporting
type: index_search
description: Indicates a successful response
summary: Update a tool
tags:
- agent builder
x-codeSamples:
- lang: curl
source: |
curl \
-X PUT "https://${KIBANA_URL}/api/agent_builder/tools/{toolId}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"description": "Updated ES|QL query tool for analyzing financial trades with time filtering",
"tags": ["analytics", "finance", "updated"],
"configuration": {
"query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit",
"params": {
"startTime": {
"type": "date",
"description": "Start time for the analysis in ISO format"
},
"limit": {
"type": "integer",
"description": "Maximum number of results to return"
}
}
}
}'
- lang: Console
source: |
PUT kbn:/api/agent_builder/tools/{toolId}
{
"description": "Updated ES|QL query tool for analyzing financial trades with time filtering",
"tags": ["analytics", "finance", "updated"],
"configuration": {
"query": "FROM financial_trades | WHERE execution_timestamp >= ?startTime | STATS trade_count=COUNT(*), avg_price=AVG(execution_price) BY symbol | SORT trade_count DESC | LIMIT ?limit",
"params": {
"startTime": {
"type": "date",
"description": "Start time for the analysis in ISO format"
},
"limit": {
"type": "integer",
"description": "Maximum number of results to return"
}
}
}
}
x-state: Added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/alerting/_health:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/alerting/_health
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features.
operationId: getAlertingHealth
responses:
'200':
content:
application/json:
examples:
getAlertingHealthResponse:
$ref: '#/components/examples/Alerting_get_health_response'
schema:
type: object
properties:
alerting_framework_health:
description: |
Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`.
type: object
properties:
decryption_health:
description: The timestamp and status of the rule decryption.
type: object
properties:
status:
enum:
- error
- ok
- warn
example: ok
type: string
timestamp:
example: '2023-01-13T01:28:00.280Z'
format: date-time
type: string
execution_health:
description: The timestamp and status of the rule run.
type: object
properties:
status:
enum:
- error
- ok
- warn
example: ok
type: string
timestamp:
example: '2023-01-13T01:28:00.280Z'
format: date-time
type: string
read_health:
description: The timestamp and status of the rule reading events.
type: object
properties:
status:
enum:
- error
- ok
- warn
example: ok
type: string
timestamp:
example: '2023-01-13T01:28:00.280Z'
format: date-time
type: string
has_permanent_encryption_key:
description: If `false`, the encrypted saved object plugin does not have a permanent encryption key.
example: true
type: boolean
is_sufficiently_secure:
description: If `false`, security is enabled but TLS is not.
example: true
type: boolean
description: Indicates a successful call.
'401':
content:
application/json:
examples:
healthUnauthorizedResponse:
$ref: '#/components/examples/Alerting_401_health_response'
schema:
$ref: '#/components/schemas/Alerting_401_response'
description: Authorization information is missing or invalid.
summary: Get the alerting framework health
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
/api/alerting/rule_types:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/alerting/rule_types
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role.
operationId: getRuleTypes
responses:
'200':
content:
application/json:
examples:
getRuleTypesResponse:
$ref: '#/components/examples/Alerting_get_rule_types_response'
schema:
items:
type: object
properties:
action_groups:
description: |
An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human-readable name. Rule actions validation uses this configuration to ensure that groups are valid.
items:
type: object
properties:
id:
type: string
name:
type: string
type: array
action_variables:
description: |
A list of action variables that the rule type makes available via context and state in action parameter templates, each with a short human-readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.
type: object
properties:
context:
items:
type: object
properties:
description:
type: string
name:
type: string
useWithTripleBracesInTemplates:
type: boolean
type: array
params:
items:
type: object
properties:
description:
type: string
name:
type: string
type: array
state:
items:
type: object
properties:
description:
type: string
name:
type: string
type: array
alerts:
description: |
Details for writing alerts as data documents for this rule type.
type: object
properties:
context:
description: |
The namespace for this rule type.
enum:
- ml.anomaly-detection
- observability.apm
- observability.logs
- observability.metrics
- observability.slo
- observability.threshold
- observability.uptime
- security
- stack
type: string
dynamic:
description: Indicates whether new fields are added dynamically.
enum:
- 'false'
- runtime
- strict
- 'true'
type: string
isSpaceAware:
description: |
Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.
type: boolean
mappings:
type: object
properties:
fieldMap:
additionalProperties:
$ref: '#/components/schemas/Alerting_fieldmap_properties'
description: |
Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.
type: object
secondaryAlias:
description: |
A secondary alias. It is typically used to support the signals alias for detection rules.
type: string
shouldWrite:
description: |
Indicates whether the rule should write out alerts as data.
type: boolean
useEcs:
description: |
Indicates whether to include the ECS component template for the alerts.
type: boolean
useLegacyAlerts:
default: false
description: |
Indicates whether to include the legacy component template for the alerts.
type: boolean
authorized_consumers:
description: The list of plugin IDs that have access to the rule type.
type: object
properties:
alerts:
type: object
properties:
all:
type: boolean
read:
type: boolean
apm:
type: object
properties:
all:
type: boolean
read:
type: boolean
discover:
type: object
properties:
all:
type: boolean
read:
type: boolean
infrastructure:
type: object
properties:
all:
type: boolean
read:
type: boolean
logs:
type: object
properties:
all:
type: boolean
read:
type: boolean
ml:
type: object
properties:
all:
type: boolean
read:
type: boolean
monitoring:
type: object
properties:
all:
type: boolean
read:
type: boolean
siem:
type: object
properties:
all:
type: boolean
read:
type: boolean
slo:
type: object
properties:
all:
type: boolean
read:
type: boolean
stackAlerts:
type: object
properties:
all:
type: boolean
read:
type: boolean
uptime:
type: object
properties:
all:
type: boolean
read:
type: boolean
category:
description: The rule category, which is used by features such as category-specific maintenance windows.
enum:
- management
- observability
- securitySolution
type: string
default_action_group_id:
description: The default identifier for the rule type group.
type: string
does_set_recovery_context:
description: Indicates whether the rule passes context variables to its recovery action.
type: boolean
enabled_in_license:
description: Indicates whether the rule type is enabled or disabled based on the subscription.
type: boolean
has_alerts_mappings:
description: Indicates whether the rule type has custom mappings for the alert data.
type: boolean
has_fields_for_a_a_d:
type: boolean
id:
description: The unique identifier for the rule type.
type: string
is_exportable:
description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**.
type: boolean
minimum_license_required:
description: The subscriptions required to use the rule type.
example: basic
type: string
name:
description: The descriptive name of the rule type.
type: string
producer:
description: An identifier for the application that produces this rule type.
example: stackAlerts
type: string
recovery_action_group:
description: An action group to use when an alert goes from an active state to an inactive one.
type: object
properties:
id:
type: string
name:
type: string
rule_task_timeout:
example: 5m
type: string
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
ruleTypesUnauthorizedResponse:
$ref: '#/components/examples/Alerting_401_rule_types_response'
schema:
$ref: '#/components/schemas/Alerting_401_response'
description: Authorization information is missing or invalid.
summary: Get the rule types
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
/api/alerting/rule/{id}:
delete:
operationId: delete-alerting-rule-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
summary: Delete a rule
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/alerting/rule/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
get:
operationId: get-alerting-rule-id
parameters:
- description: The identifier for the rule.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getRuleResponse:
description: A response that contains information about an index threshold rule.
summary: Get an index threshold rule
value:
actions: []
api_key_owner: elastic
consumer: alerts
created_at: '2022-12-05T23:40:33.132Z'
created_by: elastic
enabled: true
id: 3583a470-74f6-11ed-9801-35303b735aef
mute_all: false
muted_alert_ids: []
name: my alert
notify_when: onActionGroupChange
params:
aggField: sheet.version
aggType: avg
groupBy: top
index:
- test-index
termField: name.keyword
termSize: 6
threshold:
- 1000
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 5
timeWindowUnit: m
revision: 0
rule_type_id: .index-threshold
schedule:
interval: 1m
tags:
- cpu
throttle: null
updated_at: '2022-12-05T23:40:33.132Z'
updated_by: elastic
schema:
additionalProperties: false
type: object
properties:
actions:
items:
additionalProperties: false
type: object
properties:
alerts_filter:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
connector_type_id:
description: The type of connector. This property appears in responses but cannot be set in requests.
type: string
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
- connector_type_id
- params
type: array
active_snoozes:
items:
description: List of active snoozes for the rule.
type: string
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
api_key_created_by_user:
description: Indicates whether the API key that is associated with the rule was created by the user.
nullable: true
type: boolean
api_key_owner:
description: The owner of the API key that is associated with the rule and used to run background tasks.
nullable: true
type: string
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
description: User-created content that describes alert causes and remediation.
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
created_at:
description: The date and time that the rule was created.
type: string
created_by:
description: The identifier for the user that created the rule.
nullable: true
type: string
enabled:
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
execution_status:
additionalProperties: false
type: object
properties:
error:
additionalProperties: false
type: object
properties:
message:
description: Error message.
type: string
reason:
description: Reason for error.
enum:
- read
- decrypt
- execute
- unknown
- license
- timeout
- disabled
- validate
type: string
required:
- reason
- message
last_duration:
description: Duration of last execution of the rule.
type: number
last_execution_date:
description: The date and time when the rule was last executed.
type: string
status:
description: Status of rule execution.
enum:
- ok
- active
- error
- warning
- pending
- unknown
type: string
warning:
additionalProperties: false
type: object
properties:
message:
description: Warning message.
type: string
reason:
description: Reason for warning.
enum:
- maxExecutableActions
- maxAlerts
- maxQueuedActions
- ruleExecution
type: string
required:
- reason
- message
required:
- status
- last_execution_date
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
id:
description: The identifier for the rule.
type: string
is_snoozed_until:
description: The date when the rule will no longer be snoozed.
nullable: true
type: string
last_run:
additionalProperties: false
nullable: true
type: object
properties:
alerts_count:
additionalProperties: false
type: object
properties:
active:
description: Number of active alerts during last run.
nullable: true
type: number
ignored:
description: Number of ignored alerts during last run.
nullable: true
type: number
new:
description: Number of new alerts during last run.
nullable: true
type: number
recovered:
description: Number of recovered alerts during last run.
nullable: true
type: number
outcome:
description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
outcome_msg:
items:
description: Outcome message generated during last rule run.
type: string
nullable: true
type: array
outcome_order:
description: Order of the outcome.
type: number
warning:
description: Warning of last rule execution.
enum:
- read
- decrypt
- execute
- unknown
- license
- timeout
- disabled
- validate
- maxExecutableActions
- maxAlerts
- maxQueuedActions
- ruleExecution
nullable: true
type: string
required:
- outcome
- alerts_count
mapped_params:
additionalProperties:
nullable: true
type: object
monitoring:
additionalProperties: false
description: Monitoring details of the rule.
type: object
properties:
run:
additionalProperties: false
description: Rule run details.
type: object
properties:
calculated_metrics:
additionalProperties: false
description: Calculation of different percentiles and success ratio.
type: object
properties:
p50:
type: number
p95:
type: number
p99:
type: number
success_ratio:
type: number
required:
- success_ratio
history:
description: History of the rule run.
items:
additionalProperties: false
type: object
properties:
duration:
description: Duration of the rule run.
type: number
outcome:
description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
success:
description: Indicates whether the rule run was successful.
type: boolean
timestamp:
description: Time of rule run.
type: number
required:
- success
- timestamp
type: array
last_run:
additionalProperties: false
type: object
properties:
metrics:
additionalProperties: false
type: object
properties:
duration:
description: Duration of most recent rule run.
type: number
gap_duration_s:
description: Duration in seconds of rule run gap.
nullable: true
type: number
gap_range:
additionalProperties: false
nullable: true
type: object
properties:
gte:
description: End of the gap range.
type: string
lte:
description: Start of the gap range.
type: string
required:
- lte
- gte
total_alerts_created:
description: Total number of alerts created during last rule run.
nullable: true
type: number
total_alerts_detected:
description: Total number of alerts detected during last rule run.
nullable: true
type: number
total_indexing_duration_ms:
description: Total time spent indexing documents during last rule run in milliseconds.
nullable: true
type: number
total_search_duration_ms:
description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
nullable: true
type: number
timestamp:
description: Time of the most recent rule run.
type: string
required:
- timestamp
- metrics
required:
- history
- calculated_metrics
- last_run
required:
- run
mute_all:
description: Indicates whether all alerts are muted.
type: boolean
muted_alert_ids:
items:
description: List of identifiers of muted alerts.
type: string
type: array
name:
description: The name of the rule.
type: string
next_run:
description: Date and time of the next run of the rule.
nullable: true
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the rule.
type: object
revision:
description: The rule revision number.
type: number
rule_type_id:
description: The rule type identifier.
type: string
running:
description: Indicates whether the rule is running.
nullable: true
type: boolean
schedule:
additionalProperties: false
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
scheduled_task_id:
description: Identifier of the scheduled task.
type: string
snooze_schedule:
items:
additionalProperties: false
type: object
properties:
duration:
description: Duration of the rule snooze schedule.
type: number
id:
description: Identifier of the rule snooze schedule.
type: string
rRule:
additionalProperties: false
type: object
properties:
byhour:
items:
description: Indicates hours of the day to recur.
type: number
nullable: true
type: array
byminute:
items:
description: Indicates minutes of the hour to recur.
type: number
nullable: true
type: array
bymonth:
items:
description: Indicates months of the year that this rule should recur.
type: number
nullable: true
type: array
bymonthday:
items:
description: Indicates the days of the month to recur.
type: number
nullable: true
type: array
bysecond:
items:
description: Indicates seconds of the day to recur.
type: number
nullable: true
type: array
bysetpos:
items:
description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
type: number
nullable: true
type: array
byweekday:
items:
anyOf:
- type: string
- type: number
description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
nullable: true
type: array
byweekno:
items:
description: Indicates the week numbers to recur.
type: number
nullable: true
type: array
byyearday:
items:
description: Indicates the days of the year that this rule should recur.
type: number
nullable: true
type: array
count:
description: Number of times the rule should recur until it stops.
type: number
dtstart:
description: Rule start date in Coordinated Universal Time (UTC).
type: string
freq:
description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
enum:
- 0
- 1
- 2
- 3
- 4
- 5
- 6
type: integer
interval:
description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
type: number
tzid:
description: Indicates timezone abbreviation.
type: string
until:
description: Recur the rule until this date.
type: string
wkst:
description: Indicates the start of week, defaults to Monday.
enum:
- MO
- TU
- WE
- TH
- FR
- SA
- SU
type: string
required:
- dtstart
- tzid
skipRecurrences:
items:
description: Skips recurrence of rule on this date.
type: string
type: array
required:
- duration
- rRule
type: array
tags:
items:
description: The tags for the rule.
type: string
type: array
throttle:
deprecated: true
description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
updated_at:
description: The date and time that the rule was updated most recently.
type: string
updated_by:
description: The identifier for the user that updated this rule most recently.
nullable: true
type: string
view_in_app_relative_url:
description: Relative URL to view rule in the app.
nullable: true
type: string
required:
- id
- enabled
- name
- tags
- rule_type_id
- consumer
- schedule
- actions
- params
- created_by
- updated_by
- created_at
- updated_at
- api_key_owner
- mute_all
- muted_alert_ids
- execution_status
- revision
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
summary: Get rule details
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/alerting/rule/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
post:
operationId: post-alerting-rule-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule. If it is omitted, an ID is randomly generated.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
createEsQueryEsqlRuleRequest:
description: |
Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
summary: Elasticsearch query rule (ES|QL)
value:
actions:
- frequency:
notify_when: onActiveAlert
summary: false
group: query matched
id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
params:
level: info
message: |-
Elasticsearch query rule '{{rule.name}}' is active:
- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
consumer: stackAlerts
name: my Elasticsearch query ESQL rule
params:
esqlQuery:
esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10
searchType: esqlQuery
size: 0
threshold:
- 0
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 1
timeWindowUnit: d
rule_type_id: .es-query
schedule:
interval: 1d
createEsQueryKqlRuleRequest:
description: Create an Elasticsearch query rule that uses Kibana query language (KQL).
summary: Elasticsearch query rule (KQL)
value:
consumer: alerts
name: my Elasticsearch query KQL rule
params:
aggType: count
excludeHitsFromPreviousRun: true
groupBy: all
searchConfiguration:
index: 90943e30-9a47-11e8-b64d-95841ca0b247
query:
language: kuery
query: '""geo.src : "US" ""'
searchType: searchSource
size: 100
threshold:
- 1000
thresholdComparator: '>'
timeWindowSize: 5
timeWindowUnit: m
rule_type_id: .es-query
schedule:
interval: 1m
createEsQueryRuleRequest:
description: |
Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
summary: Elasticsearch query rule (DSL)
value:
actions:
- frequency:
notify_when: onThrottleInterval
summary: true
throttle: 1d
group: query matched
id: fdbece50-406c-11ee-850e-c71febc4ca7f
params:
level: info
message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
- frequency:
notify_when: onActionGroupChange
summary: false
group: recovered
id: fdbece50-406c-11ee-850e-c71febc4ca7f
params:
level: info
message: Recovered
consumer: alerts
name: my Elasticsearch query rule
params:
esQuery: '"""{"query":{"match_all" : {}}}"""'
index:
- kibana_sample_data_logs
size: 100
threshold:
- 100
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 1
timeWindowUnit: d
rule_type_id: .es-query
schedule:
interval: 1d
createIndexThresholdRuleRequest:
description: |
Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
summary: Index threshold rule
value:
actions:
- frequency:
notify_when: onActionGroupChange
summary: false
group: threshold met
id: 48de3460-f401-11ed-9f8e-399c75a2deeb
params:
level: info
message: |-
Rule '{{rule.name}}' is active for group '{{context.group}}':
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
alert_delay:
active: 3
consumer: alerts
name: my rule
params:
aggField: sheet.version
aggType: avg
groupBy: top
index:
- .test-index
termField: name.keyword
termSize: 6
threshold:
- 1000
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 5
timeWindowUnit: m
rule_type_id: .index-threshold
schedule:
interval: 1m
tags:
- cpu
createTrackingContainmentRuleRequest:
description: |
Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
summary: Tracking containment rule
value:
consumer: alerts
name: my tracking rule
params:
boundaryGeoField: location
boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc
boundaryIndexTitle: boundary*
boundaryNameField: name
boundaryType: entireIndex
dateField: '@timestamp'
entity: agent.keyword
geoField: geo.coordinates
index: kibana_sample_data_logs
indexId: 90943e30-9a47-11e8-b64d-95841ca0b247
rule_type_id: .geo-containment
schedule:
interval: 1h
schema:
anyOf:
- discriminator:
mapping:
.es-query: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting'
.geo-containment: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting'
.index-threshold: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting'
apm.anomaly: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting'
apm.error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting'
apm.transaction_duration: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting'
apm.transaction_error_rate: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting'
datasetQuality.degradedDocs: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting'
logs.alert.document.count: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting'
metrics.alert.inventory.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting'
metrics.alert.threshold: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting'
monitoring_alert_cluster_health: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting'
monitoring_alert_cpu_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting'
monitoring_alert_disk_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting'
monitoring_alert_elasticsearch_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting'
monitoring_alert_jvm_memory_usage: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting'
monitoring_alert_kibana_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting'
monitoring_alert_license_expiration: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting'
monitoring_alert_logstash_version_mismatch: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting'
monitoring_alert_missing_monitoring_data: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting'
monitoring_alert_nodes_changed: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting'
monitoring_alert_thread_pool_search_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting'
monitoring_alert_thread_pool_write_rejections: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting'
monitoring_ccr_read_exceptions: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting'
monitoring_shard_size: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting'
observability.rules.custom_threshold: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting'
slo.rules.burnRate: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting'
transform_health: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting'
xpack.ml.anomaly_detection_alert: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting'
xpack.ml.anomaly_detection_jobs_health: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting'
xpack.synthetics.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting'
xpack.synthetics.alerts.tls: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting'
xpack.uptime.alerts.durationAnomaly: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting'
xpack.uptime.alerts.monitorStatus: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting'
xpack.uptime.alerts.tlsCertificate: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting'
propertyName: rule_type_id
oneOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_es-query-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_transform-health-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting'
- additionalProperties: false
type: object
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the rule.
type: object
rule_type_id:
description: The rule type identifier.
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
responses:
'200':
content:
application/json:
examples:
createEsQueryEsqlRuleResponse:
description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
summary: Elasticsearch query rule (ES|QL)
value:
actions:
- connector_type_id: .server-log
frequency:
notify_when: onActiveAlert
summary: false
throttle: null
group: query matched
id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
params:
level: info
message: |-
Elasticsearch query rule '{{rule.name}}' is active:
- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
uuid: bfe370a3-531b-4855-bbe6-ad739f578844
api_key_created_by_user: false
api_key_owner: elastic
consumer: stackAlerts
created_at: '2023-11-01T19:00:10.453Z'
created_by: elastic
enabled: true
execution_status:
last_execution_date: '2023-11-01T19:00:10.453Z'
status: pending
id: e0d62360-78e8-11ee-9177-f7d404c8c945
mute_all: false
muted_alert_ids: []
name: my Elasticsearch query ESQL rule
notify_when: null
params:
aggType: count
esqlQuery:
esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10
excludeHitsFromPreviousRun: true
groupBy: all
searchType: esqlQuery
size: 0
threshold:
- 0
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 1
timeWindowUnit: d
revision: 0
rule_type_id: .es-query
running: false
schedule:
interval: 1d
scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945
tags: []
throttle: null
updated_at: '2023-11-01T19:00:10.453Z'
updated_by: elastic
createEsQueryKqlRuleResponse:
description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
summary: Elasticsearch query rule (KQL)
value:
actions: []
api_key_created_by_user: false
api_key_owner: elastic
consumer: alerts
created_at: '2023-07-14T20:24:50.729Z'
created_by: elastic
enabled: true
execution_status:
last_execution_date: '2023-07-14T20:24:50.729Z'
status: pending
id: 7bd506d0-2284-11ee-8fad-6101956ced88
mute_all: false
muted_alert_ids: []
name: my Elasticsearch query KQL rule
notify_when: null
params:
aggType: count
excludeHitsFromPreviousRun: true
groupBy: all
searchConfiguration:
index: 90943e30-9a47-11e8-b64d-95841ca0b247
query:
language: kuery
query: 'geo.src : "US"'
searchType: searchSource
size: 100
threshold:
- 1000
thresholdComparator: '>'
timeWindowSize: 5
timeWindowUnit: m
revision: 0
rule_type_id: .es-query
running: false
schedule:
interval: 1m
scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88
tags: []
throttle: null
updated_at: '2023-07-14T20:24:50.729Z'
updated_by: elastic
createEsQueryRuleResponse:
description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
summary: Elasticsearch query rule (DSL)
value:
actions:
- connector_type_id: .server-log
frequency:
notify_when: onThrottleInterval
summary: true
throttle: 1d
group: query matched
id: fdbece50-406c-11ee-850e-c71febc4ca7f
params:
level: info
message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78
- connector_type_id: .server-log
frequency:
notify_when: onActionGroupChange
summary: false
throttle: null
group: recovered
id: fdbece50-406c-11ee-850e-c71febc4ca7f
params:
level: info
message: Recovered
uuid: 2324e45b-c0df-45c7-9d70-4993e30be758
api_key_created_by_user: false
api_key_owner: elastic
consumer: alerts
created_at: '2023-08-22T00:03:38.263Z'
created_by: elastic
enabled: true
execution_status:
last_execution_date: '2023-08-22T00:03:38.263Z'
status: pending
id: 58148c70-407f-11ee-850e-c71febc4ca7f
mute_all: false
muted_alert_ids: []
name: my Elasticsearch query rule
notify_when: null
params:
aggType: count
esQuery: '{"query":{"match_all" : {}}}'
excludeHitsFromPreviousRun: true
groupBy: all
index:
- kibana_sample_data_logs
searchType: esQuery
size: 100
threshold:
- 100
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 1
timeWindowUnit: d
revision: 0
rule_type_id: .es-query
running: false
schedule:
interval: 1d
scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f
tags: []
throttle: null
updated_at: '2023-08-22T00:03:38.263Z'
updated_by: elastic
createIndexThresholdRuleResponse:
description: The response for successfully creating an index threshold rule.
summary: Index threshold rule
value:
actions:
- connector_type_id: .server-log
frequency:
notify_when: onActionGroupChange
summary: false
throttle: null
group: threshold met
id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2
params:
level: info
message: |-
Rule {{rule.name}} is active for group {{context.group}}:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d
alert_delay:
active: 3
api_key_created_by_user: false
api_key_owner: elastic
consumer: alerts
created_at: '2022-06-08T17:20:31.632Z'
created_by: elastic
enabled: true
execution_status:
last_execution_date: '2022-06-08T17:20:31.632Z'
status: pending
id: 41893910-6bca-11eb-9e0d-85d233e3ee35
mute_all: false
muted_alert_ids: []
name: my rule
notify_when: null
params:
aggField: sheet.version
aggType: avg
groupBy: top
index:
- .test-index
termField: name.keyword
termSize: 6
threshold:
- 1000
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 5
timeWindowUnit: m
revision: 0
rule_type_id: .index-threshold
running: false
schedule:
interval: 1m
scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35
tags:
- cpu
throttle: null
updated_at: '2022-06-08T17:20:31.632Z'
updated_by: elastic
createTrackingContainmentRuleResponse:
description: The response for successfully creating a tracking containment rule.
summary: Tracking containment rule
value:
actions: []
api_key_created_by_user: false
api_key_owner: elastic
consumer: alerts
created_at: '2024-02-14T19:52:55.920Z'
created_by: elastic
enabled: true
execution_status:
last_duration: 74
last_execution_date: '2024-02-15T03:25:38.125Z'
status: ok
id: b6883f9d-5f70-4758-a66e-369d7c26012f
last_run:
alerts_count:
active: 0
ignored: 0
new: 0
recovered: 0
outcome: succeeded
outcome_msg: null
outcome_order: 0
warning: null
mute_all: false
muted_alert_ids: []
name: my tracking rule
next_run: '2024-02-15T03:26:38.033Z'
notify_when: null
params:
boundaryGeoField: location
boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc
boundaryIndexTitle: boundary*
boundaryNameField: name
boundaryType: entireIndex
dateField: '@timestamp'
entity: agent.keyword
geoField: geo.coordinates
index: kibana_sample_data_logs
indexId: 90943e30-9a47-11e8-b64d-95841ca0b247
revision: 1
rule_type_id: .geo-containment
running: false
schedule:
interval: 1h
scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f
tags: []
throttle: null
updated_at: '2024-02-15T03:24:32.574Z'
updated_by: elastic
schema:
additionalProperties: false
type: object
properties:
actions:
items:
additionalProperties: false
type: object
properties:
alerts_filter:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
connector_type_id:
description: The type of connector. This property appears in responses but cannot be set in requests.
type: string
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
- connector_type_id
- params
type: array
active_snoozes:
items:
description: List of active snoozes for the rule.
type: string
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
api_key_created_by_user:
description: Indicates whether the API key that is associated with the rule was created by the user.
nullable: true
type: boolean
api_key_owner:
description: The owner of the API key that is associated with the rule and used to run background tasks.
nullable: true
type: string
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
description: User-created content that describes alert causes and remediation.
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
created_at:
description: The date and time that the rule was created.
type: string
created_by:
description: The identifier for the user that created the rule.
nullable: true
type: string
enabled:
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
execution_status:
additionalProperties: false
type: object
properties:
error:
additionalProperties: false
type: object
properties:
message:
description: Error message.
type: string
reason:
description: Reason for error.
enum:
- read
- decrypt
- execute
- unknown
- license
- timeout
- disabled
- validate
type: string
required:
- reason
- message
last_duration:
description: Duration of last execution of the rule.
type: number
last_execution_date:
description: The date and time when the rule was last executed.
type: string
status:
description: Status of rule execution.
enum:
- ok
- active
- error
- warning
- pending
- unknown
type: string
warning:
additionalProperties: false
type: object
properties:
message:
description: Warning message.
type: string
reason:
description: Reason for warning.
enum:
- maxExecutableActions
- maxAlerts
- maxQueuedActions
- ruleExecution
type: string
required:
- reason
- message
required:
- status
- last_execution_date
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
id:
description: The identifier for the rule.
type: string
is_snoozed_until:
description: The date when the rule will no longer be snoozed.
nullable: true
type: string
last_run:
additionalProperties: false
nullable: true
type: object
properties:
alerts_count:
additionalProperties: false
type: object
properties:
active:
description: Number of active alerts during last run.
nullable: true
type: number
ignored:
description: Number of ignored alerts during last run.
nullable: true
type: number
new:
description: Number of new alerts during last run.
nullable: true
type: number
recovered:
description: Number of recovered alerts during last run.
nullable: true
type: number
outcome:
description: 'Outcome of the last run of the rule: succeeded, warning, or failed.'
enum:
- succeeded
- warning
- failed
type: string
outcome_msg:
items:
description: Outcome message generated during last rule run.
type: string
nullable: true
type: array
outcome_order:
description: Order of the outcome.
type: number
warning:
description: Warning of last rule execution.
enum:
- read
- decrypt
- execute
- unknown
- license
- timeout
- disabled
- validate
- maxExecutableActions
- maxAlerts
- maxQueuedActions
- ruleExecution
nullable: true
type: string
required:
- outcome
- alerts_count
mapped_params:
additionalProperties:
nullable: true
type: object
monitoring:
additionalProperties: false
description: Monitoring details of the rule.
type: object
properties:
run:
additionalProperties: false
description: Rule run details.
type: object
properties:
calculated_metrics:
additionalProperties: false
description: Calculation of different percentiles and success ratio.
type: object
properties:
p50:
type: number
p95:
type: number
p99:
type: number
success_ratio:
type: number
required:
- success_ratio
history:
description: History of the rule run.
items:
additionalProperties: false
type: object
properties:
duration:
description: Duration of the rule run.
type: number
outcome:
description: 'Outcome of the last run of the rule: succeeded, warning, or failed.'
enum:
- succeeded
- warning
- failed
type: string
success:
description: Indicates whether the rule run was successful.
type: boolean
timestamp:
description: Time of rule run.
type: number
required:
- success
- timestamp
type: array
last_run:
additionalProperties: false
type: object
properties:
metrics:
additionalProperties: false
type: object
properties:
duration:
description: Duration of most recent rule run.
type: number
gap_duration_s:
description: Duration in seconds of rule run gap.
nullable: true
type: number
gap_range:
additionalProperties: false
nullable: true
type: object
properties:
gte:
description: End of the gap range.
type: string
lte:
description: Start of the gap range.
type: string
required:
- lte
- gte
total_alerts_created:
description: Total number of alerts created during last rule run.
nullable: true
type: number
total_alerts_detected:
description: Total number of alerts detected during last rule run.
nullable: true
type: number
total_indexing_duration_ms:
description: Total time spent indexing documents during last rule run in milliseconds.
nullable: true
type: number
total_search_duration_ms:
description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
nullable: true
type: number
timestamp:
description: Time of the most recent rule run.
type: string
required:
- timestamp
- metrics
required:
- history
- calculated_metrics
- last_run
required:
- run
mute_all:
description: Indicates whether all alerts are muted.
type: boolean
muted_alert_ids:
items:
description: List of identifiers of muted alerts.
type: string
type: array
name:
description: The name of the rule.
type: string
next_run:
description: Date and time of the next run of the rule.
nullable: true
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the rule.
type: object
revision:
description: The rule revision number.
type: number
rule_type_id:
description: The rule type identifier.
type: string
running:
description: Indicates whether the rule is running.
nullable: true
type: boolean
schedule:
additionalProperties: false
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
scheduled_task_id:
description: Identifier of the scheduled task.
type: string
snooze_schedule:
items:
additionalProperties: false
type: object
properties:
duration:
description: Duration of the rule snooze schedule.
type: number
id:
description: Identifier of the rule snooze schedule.
type: string
rRule:
additionalProperties: false
type: object
properties:
byhour:
items:
description: Indicates hours of the day to recur.
type: number
nullable: true
type: array
byminute:
items:
description: Indicates minutes of the hour to recur.
type: number
nullable: true
type: array
bymonth:
items:
description: Indicates months of the year that this rule should recur.
type: number
nullable: true
type: array
bymonthday:
items:
description: Indicates the days of the month to recur.
type: number
nullable: true
type: array
bysecond:
items:
description: Indicates seconds of the day to recur.
type: number
nullable: true
type: array
bysetpos:
items:
description: A positive or negative integer that selects the nth matching day of the month. For example, -2 combined with a `byweekday` of FR is the second-to-last Friday of the month. It is recommended not to set this manually and to use `byweekday` instead.
type: number
nullable: true
type: array
byweekday:
items:
anyOf:
- type: string
- type: number
description: Indicates the days of the week to recur, or nth-day-of-month strings. For example, "+2TU" is the second Tuesday of the month and "-1FR" is the last Friday of the month; these are internally converted to a `byweekday`/`bysetpos` combination.
nullable: true
type: array
byweekno:
items:
description: Indicates the week numbers of the year to recur.
type: number
nullable: true
type: array
byyearday:
items:
description: Indicates the days of the year that this rule should recur.
type: number
nullable: true
type: array
count:
description: Number of times the rule should recur until it stops.
type: number
dtstart:
description: Rule start date in Coordinated Universal Time (UTC).
type: string
freq:
description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
enum:
- 0
- 1
- 2
- 3
- 4
- 5
- 6
type: integer
interval:
description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
type: number
tzid:
description: Indicates the time zone abbreviation.
type: string
until:
description: Recur the rule until this date.
type: string
wkst:
description: Indicates the start of the week; defaults to Monday.
enum:
- MO
- TU
- WE
- TH
- FR
- SA
- SU
type: string
required:
- dtstart
- tzid
skipRecurrences:
items:
description: Skips recurrence of rule on this date.
type: string
type: array
required:
- duration
- rRule
type: array
tags:
items:
description: The tags for the rule.
type: string
type: array
throttle:
deprecated: true
description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
updated_at:
description: The date and time that the rule was updated most recently.
type: string
updated_by:
description: The identifier for the user that updated this rule most recently.
nullable: true
type: string
view_in_app_relative_url:
description: Relative URL to view rule in the app.
nullable: true
type: string
required:
- id
- enabled
- name
- tags
- rule_type_id
- consumer
- schedule
- actions
- params
- created_by
- updated_by
- created_at
- updated_at
- api_key_owner
- mute_all
- muted_alert_ids
- execution_status
- revision
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'409':
description: Indicates that the rule id is already in use.
summary: Create a rule
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/alerting/rule/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
put:
operationId: put-alerting-rule-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
updateRuleRequest:
description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.
summary: Index threshold rule
value:
actions:
- frequency:
notify_when: onActionGroupChange
summary: false
group: threshold met
id: 96b668d0-a1b6-11ed-afdf-d39a49596974
params:
level: info
message: |-
Rule {{rule.name}} is active for group {{context.group}}:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
name: new name
params:
aggField: sheet.version
aggType: avg
groupBy: top
index:
- .updated-index
termField: name.keyword
termSize: 6
threshold:
- 1000
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 5
timeWindowUnit: m
schedule:
interval: 1m
tags: []
schema:
additionalProperties: false
type: object
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the rule.
type: object
schedule:
additionalProperties: false
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
items:
description: The tags for the rule.
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- schedule
responses:
'200':
content:
application/json:
examples:
updateRuleResponse:
description: The response for successfully updating an index threshold rule.
summary: Index threshold rule
value:
actions:
- connector_type_id: .server-log
frequency:
notify_when: onActionGroupChange
summary: false
throttle: null
group: threshold met
id: 96b668d0-a1b6-11ed-afdf-d39a49596974
params:
level: info
message: |-
Rule {{rule.name}} is active for group {{context.group}}:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d
api_key_created_by_user: false
api_key_owner: elastic
consumer: alerts
created_at: '2024-03-26T23:13:20.985Z'
created_by: elastic
enabled: true
execution_status:
last_duration: 52
last_execution_date: '2024-03-26T23:22:51.390Z'
status: ok
id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
last_run:
alerts_count:
active: 0
ignored: 0
new: 0
recovered: 0
outcome: succeeded
outcome_msg: null
warning: null
mute_all: false
muted_alert_ids: []
name: new name
next_run: '2024-03-26T23:23:51.316Z'
params:
aggField: sheet.version
aggType: avg
groupBy: top
index:
- .updated-index
termField: name.keyword
termSize: 6
threshold:
- 1000
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 5
timeWindowUnit: m
revision: 1
rule_type_id: .index-threshold
running: false
schedule:
interval: 1m
scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea
tags: []
throttle: null
updated_at: '2024-03-26T23:22:59.949Z'
updated_by: elastic
schema:
additionalProperties: false
type: object
properties:
actions:
items:
additionalProperties: false
type: object
properties:
alerts_filter:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
connector_type_id:
description: The type of connector. This property appears in responses but cannot be set in requests.
type: string
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
- connector_type_id
- params
type: array
active_snoozes:
items:
description: List of active snoozes for the rule.
type: string
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
api_key_created_by_user:
description: Indicates whether the API key that is associated with the rule was created by the user.
nullable: true
type: boolean
api_key_owner:
description: The owner of the API key that is associated with the rule and used to run background tasks.
nullable: true
type: string
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
description: User-created content that describes alert causes and remediation.
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
created_at:
description: The date and time that the rule was created.
type: string
created_by:
description: The identifier for the user that created the rule.
nullable: true
type: string
enabled:
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
execution_status:
additionalProperties: false
type: object
properties:
error:
additionalProperties: false
type: object
properties:
message:
description: Error message.
type: string
reason:
description: Reason for error.
enum:
- read
- decrypt
- execute
- unknown
- license
- timeout
- disabled
- validate
type: string
required:
- reason
- message
last_duration:
description: Duration of last execution of the rule.
type: number
last_execution_date:
description: The date and time when the rule was last executed.
type: string
status:
description: Status of rule execution.
enum:
- ok
- active
- error
- warning
- pending
- unknown
type: string
warning:
additionalProperties: false
type: object
properties:
message:
description: Warning message.
type: string
reason:
description: Reason for warning.
enum:
- maxExecutableActions
- maxAlerts
- maxQueuedActions
- ruleExecution
type: string
required:
- reason
- message
required:
- status
- last_execution_date
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
id:
description: The identifier for the rule.
type: string
is_snoozed_until:
description: The date when the rule will no longer be snoozed.
nullable: true
type: string
last_run:
additionalProperties: false
nullable: true
type: object
properties:
alerts_count:
additionalProperties: false
type: object
properties:
active:
description: Number of active alerts during last run.
nullable: true
type: number
ignored:
description: Number of ignored alerts during last run.
nullable: true
type: number
new:
description: Number of new alerts during last run.
nullable: true
type: number
recovered:
description: Number of recovered alerts during last run.
nullable: true
type: number
outcome:
description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
outcome_msg:
items:
description: Outcome message generated during last rule run.
type: string
nullable: true
type: array
outcome_order:
description: Order of the outcome.
type: number
warning:
description: Warning of last rule execution.
enum:
- read
- decrypt
- execute
- unknown
- license
- timeout
- disabled
- validate
- maxExecutableActions
- maxAlerts
- maxQueuedActions
- ruleExecution
nullable: true
type: string
required:
- outcome
- alerts_count
mapped_params:
additionalProperties:
nullable: true
type: object
monitoring:
additionalProperties: false
description: Monitoring details of the rule.
type: object
properties:
run:
additionalProperties: false
description: Rule run details.
type: object
properties:
calculated_metrics:
additionalProperties: false
description: Calculation of different percentiles and success ratio.
type: object
properties:
p50:
type: number
p95:
type: number
p99:
type: number
success_ratio:
type: number
required:
- success_ratio
history:
description: History of the rule run.
items:
additionalProperties: false
type: object
properties:
duration:
description: Duration of the rule run.
type: number
outcome:
description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
success:
description: Indicates whether the rule run was successful.
type: boolean
timestamp:
description: Time of rule run.
type: number
required:
- success
- timestamp
type: array
last_run:
additionalProperties: false
type: object
properties:
metrics:
additionalProperties: false
type: object
properties:
duration:
description: Duration of most recent rule run.
type: number
gap_duration_s:
description: Duration in seconds of rule run gap.
nullable: true
type: number
gap_range:
additionalProperties: false
nullable: true
type: object
properties:
gte:
description: End of the gap range.
type: string
lte:
description: Start of the gap range.
type: string
required:
- lte
- gte
total_alerts_created:
description: Total number of alerts created during last rule run.
nullable: true
type: number
total_alerts_detected:
description: Total number of alerts detected during last rule run.
nullable: true
type: number
total_indexing_duration_ms:
description: Total time spent indexing documents during last rule run in milliseconds.
nullable: true
type: number
total_search_duration_ms:
description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
nullable: true
type: number
timestamp:
description: Time of the most recent rule run.
type: string
required:
- timestamp
- metrics
required:
- history
- calculated_metrics
- last_run
required:
- run
mute_all:
description: Indicates whether all alerts are muted.
type: boolean
muted_alert_ids:
items:
description: List of identifiers of muted alerts.
type: string
type: array
name:
description: The name of the rule.
type: string
next_run:
description: Date and time of the next run of the rule.
nullable: true
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the rule.
type: object
revision:
description: The rule revision number.
type: number
rule_type_id:
description: The rule type identifier.
type: string
running:
description: Indicates whether the rule is running.
nullable: true
type: boolean
schedule:
additionalProperties: false
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
scheduled_task_id:
description: Identifier of the scheduled task.
type: string
snooze_schedule:
items:
additionalProperties: false
type: object
properties:
duration:
description: Duration of the rule snooze schedule.
type: number
id:
description: Identifier of the rule snooze schedule.
type: string
rRule:
additionalProperties: false
type: object
properties:
byhour:
items:
description: Indicates hours of the day to recur.
type: number
nullable: true
type: array
byminute:
items:
description: Indicates minutes of the hour to recur.
type: number
nullable: true
type: array
bymonth:
items:
description: Indicates months of the year that this rule should recur.
type: number
nullable: true
type: array
bymonthday:
items:
description: Indicates the days of the month to recur.
type: number
nullable: true
type: array
bysecond:
items:
description: Indicates seconds of the day to recur.
type: number
nullable: true
type: array
bysetpos:
items:
description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
type: number
nullable: true
type: array
byweekday:
items:
anyOf:
- type: string
- type: number
description: Indicates the days of the week to recur, or nth-day-of-month strings such as "+2TU" (second Tuesday of the month) or "-1FR" (last Friday of the month), which are internally converted to a `byweekday`/`bysetpos` combination.
nullable: true
type: array
byweekno:
items:
description: Indicates the week numbers of the year to recur.
type: number
nullable: true
type: array
byyearday:
items:
description: Indicates the days of the year that this rule should recur.
type: number
nullable: true
type: array
count:
description: Number of times the rule should recur until it stops.
type: number
dtstart:
description: Rule start date in Coordinated Universal Time (UTC).
type: string
freq:
description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
enum:
- 0
- 1
- 2
- 3
- 4
- 5
- 6
type: integer
interval:
description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
type: number
tzid:
description: Indicates timezone abbreviation.
type: string
until:
description: Recur the rule until this date.
type: string
wkst:
description: Indicates the start of week, defaults to Monday.
enum:
- MO
- TU
- WE
- TH
- FR
- SA
- SU
type: string
required:
- dtstart
- tzid
skipRecurrences:
items:
description: Skips recurrence of rule on this date.
type: string
type: array
required:
- duration
- rRule
type: array
tags:
items:
description: The tags for the rule.
type: string
type: array
throttle:
deprecated: true
description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
updated_at:
description: The date and time that the rule was updated most recently.
type: string
updated_by:
description: The identifier for the user that updated this rule most recently.
nullable: true
type: string
view_in_app_relative_url:
description: Relative URL to view rule in the app.
nullable: true
type: string
required:
- id
- enabled
- name
- tags
- rule_type_id
- consumer
- schedule
- actions
- params
- created_by
- updated_by
- created_at
- updated_at
- api_key_owner
- mute_all
- muted_alert_ids
- execution_status
- revision
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
'409':
description: Indicates that the rule has already been updated by another user.
summary: Update a rule
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/alerting/rule/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rule/{id}/_disable:
post:
operationId: post-alerting-rule-id-disable
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
disableRuleRequest:
description: A request that disables a rule and untracks all alerts that were generated by the rule.
summary: Disable a rule and untrack its alerts
value:
untrack: true
schema:
additionalProperties: false
nullable: true
type: object
properties:
untrack:
description: Defines whether this rule's alerts should be untracked.
type: boolean
x-oas-optional: true
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
summary: Disable a rule
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/alerting/rule/{id}/_disable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rule/{id}/_enable:
post:
operationId: post-alerting-rule-id-enable
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
summary: Enable a rule
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/alerting/rule/{id}/_enable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rule/{id}/_mute_all:
post:
operationId: post-alerting-rule-id-mute-all
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
summary: Mute all alerts
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rule/{id}/_unmute_all:
post:
operationId: post-alerting-rule-id-unmute-all
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
summary: Unmute all alerts
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rule/{id}/_update_api_key:
post:
operationId: post-alerting-rule-id-update-api-key
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
'409':
description: Indicates that the rule has already been updated by another user.
summary: Update the API key for a rule
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rule/{id}/snooze_schedule:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes.
operationId: post-alerting-rule-id-snooze-schedule
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Identifier of the rule.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
snoozeRuleRecurringRequest:
description: A request that snoozes a rule every Monday for 8 hours, for 4 occurrences.
summary: Snooze a rule on a recurring weekly schedule
value:
schedule:
custom:
duration: 8h
recurring:
every: 1w
occurrences: 4
onWeekDay:
- MO
start: '2025-03-17T09:00:00.000Z'
timezone: UTC
snoozeRuleRequest:
description: A request that snoozes a rule for 24 hours starting now.
summary: Snooze a rule for 24 hours
value:
schedule:
custom:
duration: 24h
start: '2025-03-12T12:00:00.000Z'
timezone: UTC
schema:
additionalProperties: false
type: object
properties:
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit, where the unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit, where the unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3m`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
minimum: 1
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
maximum: 12
minimum: 1
type: number
minItems: 1
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
maximum: 31
minimum: 1
type: number
minItems: 1
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
minItems: 1
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- schedule
responses:
'200':
content:
application/json:
examples:
snoozeRuleResponse:
description: A response that contains the created snooze schedule.
summary: Snooze schedule response
value:
schedule:
custom:
duration: 24h
start: '2025-03-12T12:00:00.000Z'
timezone: UTC
id: 9ac67950-6737-11ec-8ded-d7f6e1581b26
schema:
additionalProperties: false
type: object
properties:
body:
additionalProperties: false
type: object
properties:
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit, where the unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit, where the unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3m`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
minimum: 1
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
maximum: 12
minimum: 1
type: number
minItems: 1
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
maximum: 31
minimum: 1
type: number
minItems: 1
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
minItems: 1
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
id:
description: Identifier of the snooze schedule.
type: string
required:
- id
required:
- schedule
required:
- body
description: Indicates a successful call.
'400':
description: Indicates an invalid schema.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
summary: Schedule a snooze for the rule
tags:
- alerting
x-state: Generally available; added in 8.19.0
x-metaTags:
- content: Kibana
name: product_name
/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute:
post:
operationId: post-alerting-rule-rule-id-alert-alert-id-mute
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: rule_id
required: true
schema:
type: string
- description: The identifier for the alert.
in: path
name: alert_id
required: true
schema:
type: string
- description: Whether to validate the existence of the alert.
in: query
name: validate_alerts_existence
required: false
schema:
type: boolean
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule or alert with the given ID does not exist.
summary: Mute an alert
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute:
post:
operationId: post-alerting-rule-rule-id-alert-alert-id-unmute
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: rule_id
required: true
schema:
type: string
- description: The identifier for the alert.
in: path
name: alert_id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule or alert with the given ID does not exist.
summary: Unmute an alert
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}:
delete:
operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the rule.
in: path
name: ruleId
required: true
schema:
type: string
- description: The identifier for the snooze schedule.
in: path
name: scheduleId
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a rule with the given ID does not exist.
summary: Delete a snooze schedule for a rule
tags:
- alerting
x-state: Generally available; added in 8.19.0
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rules/_find:
get:
operationId: get-alerting-rules-find
parameters:
- description: The number of rules to return per page.
in: query
name: per_page
required: false
schema:
default: 10
minimum: 0
type: number
- description: The page number to return.
in: query
name: page
required: false
schema:
default: 1
minimum: 1
type: number
- description: An Elasticsearch simple_query_string query that filters the objects in the response.
in: query
name: search
required: false
schema:
type: string
- description: The default operator to use for the simple_query_string.
in: query
name: default_search_operator
required: false
schema:
default: OR
enum:
- OR
- AND
type: string
- description: The fields to perform the simple_query_string parsed query against.
in: query
name: search_fields
required: false
schema:
items:
type: string
type: array
- description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.
in: query
name: sort_field
required: false
schema:
type: string
- description: Determines the sort order.
in: query
name: sort_order
required: false
schema:
enum:
- asc
- desc
type: string
- description: Filters the rules that have a relation with the reference objects with a specific type and identifier.
in: query
name: has_reference
required: false
schema:
additionalProperties: false
nullable: true
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
- description: The fields to return in the `attributes` key of the response.
in: query
name: fields
required: false
schema:
items:
type: string
type: array
- description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.'
in: query
name: filter
required: false
schema:
type: string
- in: query
name: filter_consumers
required: false
schema:
items:
description: List of consumers to filter.
type: string
type: array
responses:
'200':
content:
application/json:
examples:
findConditionalActionRulesResponse:
description: A response that contains information about an index threshold rule.
summary: Index threshold rule
value:
data:
- actions:
- frequency:
notify_when: onActionGroupChange
summary: false
throttle: null
group: threshold met
id: 9dca3e00-74f5-11ed-9801-35303b735aef
params:
connector_type_id: .server-log
level: info
message: |-
Rule {{rule.name}} is active for group {{context.group}}:
- Value: {{context.value}}
- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
- Timestamp: {{context.date}}
uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61
api_key_created_by_user: false
api_key_owner: elastic
consumer: alerts
created_at: '2022-12-05T23:40:33.132Z'
created_by: elastic
enabled: true
execution_status:
last_duration: 48
last_execution_date: '2022-12-06T01:44:23.983Z'
status: ok
id: 3583a470-74f6-11ed-9801-35303b735aef
last_run:
alerts_count:
active: 0
ignored: 0
new: 0
recovered: 0
outcome: succeeded
outcome_msg: null
warning: null
mute_all: false
muted_alert_ids: []
name: my alert
next_run: '2022-12-06T01:45:23.912Z'
params:
aggField: sheet.version
aggType: avg
groupBy: top
index:
- test-index
termField: name.keyword
termSize: 6
threshold:
- 1000
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 5
timeWindowUnit: m
revision: 1
rule_type_id: .index-threshold
schedule:
interval: 1m
scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef
tags:
- cpu
throttle: null
updated_at: '2022-12-05T23:40:33.132Z'
updated_by: elastic
page: 1
per_page: 10
total: 1
findRulesResponse:
description: A response that contains information about a security rule that has conditional actions.
summary: Security rule
value:
data:
- actions:
- alerts_filter:
query:
filters:
- $state:
store: appState
meta:
alias: null
disabled: false
field: client.geo.region_iso_code
index: c4bdca79-e69e-4d80-82a1-e5192c621bea
key: client.geo.region_iso_code
negate: false
params:
query: CA-QC
type: phrase
query:
match_phrase:
client.geo.region_iso_code: CA-QC
kql: ''
timeframe:
days:
- 7
hours:
end: '17:00'
start: '08:00'
timezone: UTC
connector_type_id: .index
frequency:
notify_when: onActiveAlert
summary: true
throttle: null
group: default
id: 49eae970-f401-11ed-9f8e-399c75a2deeb
params:
documents:
- alert_id:
'[object Object]': null
context_message:
'[object Object]': null
rule_id:
'[object Object]': null
rule_name:
'[object Object]': null
uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61
api_key_created_by_user: false
api_key_owner: elastic
consumer: siem
created_at: '2023-05-16T15:50:28.358Z'
created_by: elastic
enabled: true
execution_status:
last_duration: 166
last_execution_date: '2023-05-16T20:26:49.590Z'
status: ok
id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
last_run:
alerts_count:
active: 0
ignored: 0
new: 0
recovered: 0
outcome: succeeded
outcome_msg:
- Rule execution completed successfully
outcome_order: 0
warning: null
mute_all: false
muted_alert_ids: []
name: security_rule
next_run: '2023-05-16T20:27:49.507Z'
notify_when: null
params:
author: []
description: A security threshold rule.
exceptionsList: []
falsePositives: []
filters: []
from: now-3660s
immutable: false
index:
- kibana_sample_data_logs
language: kuery
license: ''
maxSignals: 100
meta:
from: 1h
kibana_siem_app_url: https://localhost:5601/app/security
outputIndex: ''
query: '*'
references: []
riskScore: 21
riskScoreMapping: []
ruleId: an_internal_rule_id
severity: low
severityMapping: []
threat: []
threshold:
cardinality: []
field:
- bytes
value: 1
to: now
type: threshold
version: 1
revision: 1
rule_type_id: siem.thresholdRule
running: false
schedule:
interval: 1m
scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
tags: []
throttle: null
updated_at: '2023-05-16T20:25:42.559Z'
updated_by: elastic
page: 1
per_page: 10
total: 1
schema:
additionalProperties: false
type: object
properties:
actions:
items:
additionalProperties: false
type: object
properties:
alerts_filter:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
connector_type_id:
description: The type of connector. This property appears in responses but cannot be set in requests.
type: string
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
- connector_type_id
- params
type: array
active_snoozes:
items:
description: List of active snoozes for the rule.
type: string
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
api_key_created_by_user:
description: Indicates whether the API key that is associated with the rule was created by the user.
nullable: true
type: boolean
api_key_owner:
description: The owner of the API key that is associated with the rule and used to run background tasks.
nullable: true
type: string
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
description: User-created content that describes alert causes and remediation.
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
created_at:
description: The date and time that the rule was created.
type: string
created_by:
description: The identifier for the user that created the rule.
nullable: true
type: string
enabled:
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
execution_status:
additionalProperties: false
type: object
properties:
error:
additionalProperties: false
type: object
properties:
message:
description: Error message.
type: string
reason:
description: Reason for error.
enum:
- read
- decrypt
- execute
- unknown
- license
- timeout
- disabled
- validate
type: string
required:
- reason
- message
last_duration:
description: Duration of last execution of the rule.
type: number
last_execution_date:
description: The date and time when rule was executed last.
type: string
status:
description: Status of rule execution.
enum:
- ok
- active
- error
- warning
- pending
- unknown
type: string
warning:
additionalProperties: false
type: object
properties:
message:
description: Warning message.
type: string
reason:
description: Reason for warning.
enum:
- maxExecutableActions
- maxAlerts
- maxQueuedActions
- ruleExecution
type: string
required:
- reason
- message
required:
- status
- last_execution_date
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
id:
description: The identifier for the rule.
type: string
is_snoozed_until:
description: The date when the rule will no longer be snoozed.
nullable: true
type: string
last_run:
additionalProperties: false
nullable: true
type: object
properties:
alerts_count:
additionalProperties: false
type: object
properties:
active:
description: Number of active alerts during last run.
nullable: true
type: number
ignored:
description: Number of ignored alerts during last run.
nullable: true
type: number
new:
description: Number of new alerts during last run.
nullable: true
type: number
recovered:
description: Number of recovered alerts during last run.
nullable: true
type: number
outcome:
description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
outcome_msg:
items:
description: Outcome message generated during last rule run.
type: string
nullable: true
type: array
outcome_order:
description: Order of the outcome.
type: number
warning:
description: Warning of last rule execution.
enum:
- read
- decrypt
- execute
- unknown
- license
- timeout
- disabled
- validate
- maxExecutableActions
- maxAlerts
- maxQueuedActions
- ruleExecution
nullable: true
type: string
required:
- outcome
- alerts_count
mapped_params:
additionalProperties:
nullable: true
type: object
monitoring:
additionalProperties: false
description: Monitoring details of the rule.
type: object
properties:
run:
additionalProperties: false
description: Rule run details.
type: object
properties:
calculated_metrics:
additionalProperties: false
description: Calculation of different percentiles and success ratio.
type: object
properties:
p50:
type: number
p95:
type: number
p99:
type: number
success_ratio:
type: number
required:
- success_ratio
history:
description: History of the rule run.
items:
additionalProperties: false
type: object
properties:
duration:
description: Duration of the rule run.
type: number
outcome:
description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
enum:
- succeeded
- warning
- failed
type: string
success:
description: Indicates whether the rule run was successful.
type: boolean
timestamp:
description: Time of rule run.
type: number
required:
- success
- timestamp
type: array
last_run:
additionalProperties: false
type: object
properties:
metrics:
additionalProperties: false
type: object
properties:
duration:
description: Duration of most recent rule run.
type: number
gap_duration_s:
description: Duration in seconds of rule run gap.
nullable: true
type: number
gap_range:
additionalProperties: false
nullable: true
type: object
properties:
gte:
description: End of the gap range.
type: string
lte:
description: Start of the gap range.
type: string
required:
- lte
- gte
total_alerts_created:
description: Total number of alerts created during last rule run.
nullable: true
type: number
total_alerts_detected:
description: Total number of alerts detected during last rule run.
nullable: true
type: number
total_indexing_duration_ms:
description: Total time spent indexing documents during last rule run in milliseconds.
nullable: true
type: number
total_search_duration_ms:
description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
nullable: true
type: number
timestamp:
description: Time of the most recent rule run.
type: string
required:
- timestamp
- metrics
required:
- history
- calculated_metrics
- last_run
required:
- run
mute_all:
description: Indicates whether all alerts are muted.
type: boolean
muted_alert_ids:
items:
description: List of identifiers of muted alerts.
type: string
type: array
name:
description: The name of the rule.
type: string
next_run:
description: Date and time of the next run of the rule.
nullable: true
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the rule.
type: object
revision:
description: The rule revision number.
type: number
rule_type_id:
description: The rule type identifier.
type: string
running:
description: Indicates whether the rule is running.
nullable: true
type: boolean
schedule:
additionalProperties: false
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
scheduled_task_id:
description: Identifier of the scheduled task.
type: string
snooze_schedule:
items:
additionalProperties: false
type: object
properties:
duration:
description: Duration of the rule snooze schedule.
type: number
id:
description: Identifier of the rule snooze schedule.
type: string
rRule:
additionalProperties: false
type: object
properties:
byhour:
items:
description: Indicates hours of the day to recur.
type: number
nullable: true
type: array
byminute:
items:
description: Indicates minutes of the hour to recur.
type: number
nullable: true
type: array
bymonth:
items:
description: Indicates months of the year that this rule should recur.
type: number
nullable: true
type: array
bymonthday:
items:
description: Indicates the days of the month to recur.
type: number
nullable: true
type: array
bysecond:
items:
description: Indicates seconds of the day to recur.
type: number
nullable: true
type: array
bysetpos:
items:
description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
type: number
nullable: true
type: array
byweekday:
items:
anyOf:
- type: string
- type: number
description: Indicates the days of the week to recur, or else nth-day-of-month strings. For example, "+2TU" is the second Tuesday of the month and "-1FR" is the last Friday of the month; these strings are internally converted to a `byweekday/bysetpos` combination.
nullable: true
type: array
byweekno:
items:
description: Indicates the week numbers of the year to recur.
type: number
nullable: true
type: array
byyearday:
items:
description: Indicates the days of the year that this rule should recur.
type: number
nullable: true
type: array
count:
description: Number of times the rule should recur until it stops.
type: number
dtstart:
description: Rule start date in Coordinated Universal Time (UTC).
type: string
freq:
description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
enum:
- 0
- 1
- 2
- 3
- 4
- 5
- 6
type: integer
interval:
description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
type: number
tzid:
description: Indicates timezone abbreviation.
type: string
until:
description: Recur the rule until this date.
type: string
wkst:
description: Indicates the start of week, defaults to Monday.
enum:
- MO
- TU
- WE
- TH
- FR
- SA
- SU
type: string
required:
- dtstart
- tzid
skipRecurrences:
items:
description: Skips recurrence of rule on this date.
type: string
type: array
required:
- duration
- rRule
type: array
tags:
items:
description: The tags for the rule.
type: string
type: array
throttle:
deprecated: true
description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
updated_at:
description: The date and time that the rule was updated most recently.
type: string
updated_by:
description: The identifier for the user that updated this rule most recently.
nullable: true
type: string
view_in_app_relative_url:
description: Relative URL to view rule in the app.
nullable: true
type: string
required:
- id
- enabled
- name
- tags
- rule_type_id
- consumer
- schedule
- actions
- params
- created_by
- updated_by
- created_at
- updated_at
- api_key_owner
- mute_all
- muted_alert_ids
- execution_status
- revision
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
summary: Get information about rules
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/alerting/rules/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rules/backfill/_find:
post:
operationId: post-alerting-rules-backfill-find
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The end date for filtering backfills.
in: query
name: end
required: false
schema:
type: string
- description: The page number to return.
in: query
name: page
required: false
schema:
default: 1
minimum: 1
type: number
- description: The number of backfills to return per page.
in: query
name: per_page
required: false
schema:
default: 10
minimum: 0
type: number
- description: A comma-separated list of rule identifiers.
in: query
name: rule_ids
required: false
schema:
type: string
- description: The initiator of the backfill, either `user` for manual backfills or `system` for automatic gap fills.
in: query
name: initiator
required: false
schema:
enum:
- user
- system
type: string
- description: The start date for filtering backfills.
in: query
name: start
required: false
schema:
type: string
- description: The field to sort backfills by.
in: query
name: sort_field
required: false
schema:
enum:
- createdAt
- start
type: string
- description: The sort order.
in: query
name: sort_order
required: false
schema:
enum:
- asc
- desc
type: string
responses:
'200':
content:
application/json:
examples:
findBackfillResponse:
summary: Find backfills response
value:
data:
- created_at: '2024-01-30T00:00:00.000Z'
duration: 12h
enabled: true
id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6
initiator: user
rule:
api_key_owner: elastic
consumer: alerts
created_at: '2022-12-05T23:40:33.132Z'
created_by: elastic
enabled: true
id: 3583a470-74f6-11ed-9801-35303b735aef
name: my alert
params:
aggField: sheet.version
aggType: avg
groupBy: top
index:
- test-index
termField: name.keyword
termSize: 6
threshold:
- 1000
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 5
timeWindowUnit: m
revision: 0
rule_type_id: .index-threshold
schedule:
interval: 1m
tags:
- cpu
updated_at: '2022-12-05T23:40:33.132Z'
updated_by: elastic
schedule:
- interval: 12h
run_at: '2024-01-01T12:00:00.000Z'
status: pending
- interval: 12h
run_at: '2024-01-02T00:00:00.000Z'
status: pending
space_id: default
start: '2024-01-01T00:00:00.000Z'
status: pending
page: 1
per_page: 10
total: 1
schema:
additionalProperties: false
type: object
properties:
data:
items:
additionalProperties: false
type: object
properties:
created_at:
type: string
duration:
type: string
enabled:
type: boolean
end:
type: string
id:
type: string
initiator:
enum:
- user
- system
type: string
initiator_id:
type: string
rule:
additionalProperties: false
type: object
properties:
api_key_created_by_user:
nullable: true
type: boolean
api_key_owner:
nullable: true
type: string
consumer:
type: string
created_at:
type: string
created_by:
nullable: true
type: string
enabled:
type: boolean
id:
type: string
name:
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the rule.
type: object
revision:
type: number
rule_type_id:
type: string
schedule:
additionalProperties: false
type: object
properties:
interval:
type: string
required:
- interval
tags:
items:
type: string
type: array
updated_at:
type: string
updated_by:
nullable: true
type: string
required:
- id
- name
- tags
- rule_type_id
- params
- api_key_owner
- consumer
- enabled
- schedule
- created_by
- updated_by
- created_at
- updated_at
- revision
schedule:
items:
additionalProperties: false
type: object
properties:
interval:
type: string
run_at:
type: string
status:
enum:
- complete
- pending
- running
- error
- timeout
type: string
required:
- run_at
- status
- interval
type: array
space_id:
type: string
start:
type: string
status:
enum:
- complete
- pending
- running
- error
- timeout
type: string
required:
- id
- created_at
- duration
- enabled
- rule
- space_id
- initiator
- start
- status
- schedule
type: array
page:
type: number
per_page:
type: number
total:
type: number
required:
- page
- per_page
- total
- data
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
summary: Find backfills for rules
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/alerting/rules/backfill/{id}:
delete:
operationId: delete-alerting-rules-backfill-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the backfill.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a backfill with the given ID does not exist.
summary: Delete a backfill by ID
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
get:
operationId: get-alerting-rules-backfill-id
parameters:
- description: The identifier for the backfill.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getBackfillResponse:
summary: Get a backfill for an index threshold rule
value:
created_at: '2024-01-30T00:00:00.000Z'
duration: 12h
enabled: true
id: 85bdf571-f4fb-4666-a8d2-e05e1220ebc6
initiator: user
rule:
api_key_owner: elastic
consumer: alerts
created_at: '2022-12-05T23:40:33.132Z'
created_by: elastic
enabled: true
id: 3583a470-74f6-11ed-9801-35303b735aef
name: my alert
params:
aggField: sheet.version
aggType: avg
groupBy: top
index:
- test-index
termField: name.keyword
termSize: 6
threshold:
- 1000
thresholdComparator: '>'
timeField: '@timestamp'
timeWindowSize: 5
timeWindowUnit: m
revision: 0
rule_type_id: .index-threshold
schedule:
interval: 1m
tags:
- cpu
updated_at: '2022-12-05T23:40:33.132Z'
updated_by: elastic
schedule:
- interval: 12h
run_at: '2024-01-01T12:00:00.000Z'
status: pending
- interval: 12h
run_at: '2024-01-02T00:00:00.000Z'
status: pending
space_id: default
start: '2024-01-01T00:00:00.000Z'
status: pending
schema:
additionalProperties: false
type: object
properties:
created_at:
type: string
duration:
type: string
enabled:
type: boolean
end:
type: string
id:
type: string
initiator:
enum:
- user
- system
type: string
initiator_id:
type: string
rule:
additionalProperties: false
type: object
properties:
api_key_created_by_user:
nullable: true
type: boolean
api_key_owner:
nullable: true
type: string
consumer:
type: string
created_at:
type: string
created_by:
nullable: true
type: string
enabled:
type: boolean
id:
type: string
name:
type: string
params:
additionalProperties:
nullable: true
description: The parameters for the rule.
type: object
revision:
type: number
rule_type_id:
type: string
schedule:
additionalProperties: false
type: object
properties:
interval:
type: string
required:
- interval
tags:
items:
type: string
type: array
updated_at:
type: string
updated_by:
nullable: true
type: string
required:
- id
- name
- tags
- rule_type_id
- params
- api_key_owner
- consumer
- enabled
- schedule
- created_by
- updated_by
- created_at
- updated_at
- revision
schedule:
items:
additionalProperties: false
type: object
properties:
interval:
type: string
run_at:
type: string
status:
enum:
- complete
- pending
- running
- error
- timeout
type: string
required:
- run_at
- status
- interval
type: array
space_id:
type: string
start:
type: string
status:
enum:
- complete
- pending
- running
- error
- timeout
type: string
required:
- id
- created_at
- duration
- enabled
- rule
- space_id
- initiator
- start
- status
- schedule
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a backfill with the given ID does not exist.
summary: Get a backfill by ID
tags:
- alerting
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/alerting/rules/backfill/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
/api/apm/agent_keys:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/apm/agent_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new agent key for APM.
The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant.
After it is created, you can copy the API key (Base64 encoded) and use it to authorize requests from APM agents to the APM Server.
operationId: createAgentKey
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- $ref: '#/components/parameters/APM_UI_kbn_xsrf'
requestBody:
content:
application/json:
examples:
createAgentKeyRequest1:
$ref: '#/components/examples/APM_UI_agent_keys_object_post_request1'
schema:
$ref: '#/components/schemas/APM_UI_agent_keys_object'
required: true
responses:
'200':
content:
application/json:
examples:
createAgentKeyResponse1:
$ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1'
schema:
$ref: '#/components/schemas/APM_UI_agent_keys_response'
description: Agent key created successfully
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_403_response'
description: Forbidden response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_500_response'
description: Internal Server Error response
summary: Create an APM agent key
tags:
- APM agent keys
x-metaTags:
- content: Kibana
name: product_name
/api/apm/fleet/apm_server_schema:
post:
deprecated: true
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/apm/fleet/apm_server_schema
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
DEPRECATED: This endpoint is intended for internal use by Fleet integrations to push the APM Server configuration schema. Do not use for new integrations. It stores the provided schema object as a Kibana saved object. If Fleet migration is not available on the current deployment, the API returns a 404.
operationId: saveApmServerSchema
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- $ref: '#/components/parameters/APM_UI_kbn_xsrf'
requestBody:
content:
application/json:
schema:
type: object
properties:
schema:
additionalProperties: true
description: Schema object
example:
foo: bar
type: object
required: true
responses:
'200':
content:
application/json:
examples:
saveApmServerSchemaResponseExample1:
$ref: '#/components/examples/APM_UI_fleet_apm_server_schema_200_response1'
schema:
additionalProperties: false
description: The response body is intentionally empty for this endpoint.
type: object
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_403_response'
description: Forbidden response
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_404_response'
description: Not found response
summary: Save APM server schema
tags:
- APM server schema
x-metaTags:
- content: Kibana
name: product_name
/api/apm/services/{serviceName}/annotation:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Search for annotations related to a specific service.
operationId: getAnnotation
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- description: The name of the service
in: path
name: serviceName
required: true
schema:
type: string
- description: The environment to filter annotations by
in: query
name: environment
required: false
schema:
type: string
- description: The start date for the search
example: '2024-01-01T00:00:00.000Z'
in: query
name: start
required: false
schema:
format: date-time
type: string
- description: The end date for the search
example: '2024-01-31T23:59:59.999Z'
in: query
name: end
required: false
schema:
format: date-time
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_annotation_search_response'
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_500_response'
description: Internal Server Error response
summary: Search for annotations
tags:
- APM annotations
x-metaTags:
- content: Kibana
name: product_name
/api/apm/settings/agent-configuration:
delete:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve all agent configurations. You must have `read` privileges for the APM and User Experience feature in Kibana. If agent configuration is not available on the current deployment, the API returns a 404.
operationId: getAgentConfigurations
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
responses:
'200':
content:
application/json:
examples:
getAgentConfigurationsResponseExample1:
$ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1'
schema:
$ref: '#/components/schemas/APM_UI_agent_configurations_response'
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_404_response'
description: Not found response
summary: Get a list of agent configurations
tags:
- APM agent configuration
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create or update an agent configuration. You must have `all` privileges for the APM and User Experience feature in Kibana. When updating an existing configuration, the `?overwrite=true` query parameter is required. If the configuration already exists and `overwrite` is not set to `true`, the API returns a 400 error. When successful and Fleet is enabled, APM package policies are synchronized accordingly.
operationId: createUpdateAgentConfiguration
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- $ref: '#/components/parameters/APM_UI_kbn_xsrf'
- description: If the configuration already exists, `?overwrite=true` is required.
in: query
name: overwrite
schema:
type: boolean
requestBody:
content:
application/json:
examples:
createUpdateAgentConfigurationRequestExample1:
$ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1'
schema:
$ref: '#/components/schemas/APM_UI_agent_configuration_intake_object'
required: true
responses:
'200':
content:
application/json:
examples:
createUpdateAgentConfigurationResponseExample1:
$ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_200_response1'
schema:
additionalProperties: false
description: The response body is intentionally empty for this endpoint.
type: object
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_403_response'
description: Forbidden response
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_404_response'
description: Not found response
summary: Create or update agent configuration
tags:
- APM agent configuration
x-metaTags:
- content: Kibana
name: product_name
/api/apm/settings/agent-configuration/agent_name:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve the available environments for a given service, to be used in agent configuration. You must have `read` privileges for the APM and User Experience feature in Kibana. If `serviceName` is omitted, environments across all services are returned.
operationId: getEnvironmentsForService
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- description: The name of the service. If omitted, environments across all services are returned.
example: opbeans-node
in: query
name: serviceName
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getEnvironmentsForServiceResponseExample1:
$ref: '#/components/examples/APM_UI_agent_configuration_environments_200_response1'
schema:
$ref: '#/components/schemas/APM_UI_service_environments_response'
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_404_response'
description: Not found response
summary: Get environments for service
tags:
- APM agent configuration
x-metaTags:
- content: Kibana
name: product_name
/api/apm/settings/agent-configuration/search:
post:
deprecated: true
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
DEPRECATED: This endpoint is intended for internal use by APM agents to fetch their configuration and mark it as applied. Do not use for new integrations. It searches for a single agent configuration matching the given service, and optionally updates the `applied_by_agent` field when the provided `etag` matches the current configuration.
operationId: searchSingleConfiguration
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- $ref: '#/components/parameters/APM_UI_kbn_xsrf'
requestBody:
content:
application/json:
examples:
searchSingleConfigurationRequest1:
$ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1'
schema:
$ref: '#/components/schemas/APM_UI_search_agent_configuration_object'
required: true
responses:
'200':
content:
application/json:
examples:
searchSingleConfigurationResponse1:
$ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1'
schema:
$ref: '#/components/schemas/APM_UI_search_agent_configuration_response'
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_404_response'
description: Not found response
summary: Lookup single agent configuration
tags:
- APM agent configuration
x-metaTags:
- content: Kibana
name: product_name
/api/apm/settings/agent-configuration/view:
get:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a single agent configuration matching the given service name and environment. You must have `read` privileges for the APM and User Experience feature in Kibana. If no matching configuration is found, the API returns a 404.
operationId: getSingleAgentConfiguration
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- description: Service name
example: node
in: query
name: name
schema:
type: string
- description: Service environment
example: prod
in: query
name: environment
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getSingleAgentConfigurationResponseExample1:
$ref: '#/components/examples/APM_UI_agent_configuration_intake_object_view_200_response1'
schema:
$ref: '#/components/schemas/APM_UI_single_agent_configuration_response'
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_404_response'
description: Not found response
summary: Get single agent configuration
tags:
- APM agent configuration
x-metaTags:
- content: Kibana
name: product_name
/api/apm/sourcemaps:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/apm/sourcemaps
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature.
operationId: getSourceMaps
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- description: Page number
in: query
name: page
schema:
type: number
- description: Number of records per page
in: query
name: perPage
schema:
type: number
responses:
'200':
content:
application/json:
examples:
getSourceMapsResponse1:
$ref: '#/components/examples/APM_UI_source_maps_get_200_response1'
schema:
$ref: '#/components/schemas/APM_UI_source_maps_response'
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_500_response'
description: Internal Server Error response
'501':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_501_response'
description: Not Implemented response
summary: Get source maps
tags:
- APM sourcemaps
x-codeSamples:
- lang: Curl
source: |
curl -X GET "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}'
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/apm/sourcemaps
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature.
The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable.
operationId: uploadSourceMap
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- $ref: '#/components/parameters/APM_UI_kbn_xsrf'
requestBody:
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/APM_UI_upload_source_map_object'
required: true
responses:
'200':
content:
application/json:
examples:
uploadSourceMapResponse1:
$ref: '#/components/examples/APM_UI_source_maps_upload_200_response1'
schema:
$ref: '#/components/schemas/APM_UI_upload_source_maps_response'
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_403_response'
description: Forbidden response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_500_response'
description: Internal Server Error response
'501':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_501_response'
description: Not Implemented response
summary: Upload a source map
tags:
- APM sourcemaps
x-codeSamples:
- lang: Curl
source: |
curl -X POST "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: multipart/form-data' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}' \
-F 'service_name="foo"' \
-F 'service_version="1.0.0"' \
-F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \
-F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"'
x-metaTags:
- content: Kibana
name: product_name
/api/apm/sourcemaps/{id}:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/apm/sourcemaps/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature.
operationId: deleteSourceMap
parameters:
- $ref: '#/components/parameters/APM_UI_elastic_api_version'
- $ref: '#/components/parameters/APM_UI_kbn_xsrf'
- description: Source map identifier
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
deleteSourceMapResponseExample1:
$ref: '#/components/examples/APM_UI_source_maps_delete_200_response1'
schema:
additionalProperties: false
description: The response body is intentionally empty for this endpoint.
type: object
description: Successful response
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_400_response'
description: Bad Request response
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_401_response'
description: Unauthorized response
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_403_response'
description: Forbidden response
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_500_response'
description: Internal Server Error response
'501':
content:
application/json:
schema:
$ref: '#/components/schemas/APM_UI_501_response'
description: Not Implemented response
summary: Delete source map
tags:
- APM sourcemaps
x-codeSamples:
- lang: Curl
source: |
curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}'
x-metaTags:
- content: Kibana
name: product_name
/api/asset_criticality:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/asset_criticality
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete the asset criticality record for a specific entity.
operationId: DeleteAssetCriticalityRecord
parameters:
- description: The ID value of the asset.
example: my_host
in: query
name: id_value
required: true
schema:
type: string
- description: The field representing the ID.
example: host.name
in: query
name: id_field
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
- description: If set to 'wait_for', the request waits for the index refresh.
in: query
name: refresh
required: false
schema:
enum:
- wait_for
type: string
responses:
'200':
content:
application/json:
schema:
type: object
properties:
deleted:
description: True if the record was deleted or false if the record did not exist.
type: boolean
record:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
description: The deleted record if it existed.
required:
- deleted
description: Successful response
'400':
description: Invalid request
summary: Delete an asset criticality record
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/asset_criticality
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the asset criticality record for a specific entity.
operationId: GetAssetCriticalityRecord
parameters:
- description: The ID value of the asset.
example: my_host
in: query
name: id_value
required: true
schema:
type: string
- description: The field representing the ID.
example: host.name
in: query
name: id_field
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
description: Successful response
'400':
description: Invalid request
'404':
description: Criticality record not found
summary: Get an asset criticality record
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/asset_criticality
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create or update an asset criticality record for a specific entity.
If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.
operationId: CreateAssetCriticalityRecord
requestBody:
content:
application/json:
schema:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
- type: object
properties:
refresh:
description: If set to 'wait_for', the request waits for the index refresh.
enum:
- wait_for
type: string
example:
criticality_level: high_impact
id_field: host.name
id_value: my_host
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
description: Successful response
'400':
description: Invalid request
summary: Upsert an asset criticality record
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/asset_criticality/bulk:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/asset_criticality/bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Bulk upsert up to 1000 asset criticality records.
If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created.
operationId: BulkUpsertAssetCriticalityRecords
requestBody:
content:
application/json:
schema:
example:
records:
- criticality_level: low_impact
id_field: host.name
id_value: host-1
- criticality_level: medium_impact
id_field: host.name
id_value: host-2
type: object
properties:
records:
items:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'
- type: object
properties:
criticality_level:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload'
required:
- criticality_level
maxItems: 1000
minItems: 1
type: array
required:
- records
responses:
'200':
content:
application/json:
schema:
example:
errors:
- index: 0
message: Invalid ID field
stats:
failed: 1
successful: 1
total: 2
type: object
properties:
errors:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem'
type: array
stats:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats'
required:
- errors
- stats
description: Bulk upload successful
'413':
description: File too large
summary: Bulk upsert asset criticality records
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/asset_criticality/list:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/asset_criticality/list
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List asset criticality records, with paging, sorting, and filtering as needed.
operationId: FindAssetCriticalityRecords
parameters:
- description: The field to sort by.
in: query
name: sort_field
required: false
schema:
enum:
- id_value
- id_field
- criticality_level
- '@timestamp'
type: string
- description: The order to sort by.
in: query
name: sort_direction
required: false
schema:
enum:
- asc
- desc
type: string
- description: The page number to return.
in: query
name: page
required: false
schema:
minimum: 1
type: integer
- description: The number of records to return per page.
in: query
name: per_page
required: false
schema:
maximum: 1000
minimum: 1
type: integer
- description: The kuery to filter by.
in: query
name: kuery
required: false
schema:
type: string
responses:
'200':
content:
application/json:
schema:
example:
page: 1
per_page: 10
records:
- '@timestamp': '2024-08-02T14:40:35.705Z'
asset:
criticality: medium_impact
criticality_level: medium_impact
host:
asset:
criticality: medium_impact
name: my_other_host
id_field: host.name
id_value: my_other_host
- '@timestamp': '2024-08-02T11:15:34.290Z'
asset:
criticality: high_impact
criticality_level: high_impact
host:
asset:
criticality: high_impact
name: my_host
id_field: host.name
id_value: my_host
total: 2
type: object
properties:
page:
minimum: 1
type: integer
per_page:
maximum: 1000
minimum: 1
type: integer
records:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
type: array
total:
minimum: 0
type: integer
required:
- records
- page
- per_page
- total
description: Successfully retrieved asset criticality records
summary: List asset criticality records
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/_bulk:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/attack_discovery/_bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Performs bulk updates on multiple Attack discoveries, including workflow status changes and visibility settings. This endpoint allows efficient batch processing of alert modifications without requiring individual API calls for each alert.
operationId: PostAttackDiscoveryBulk
requestBody:
content:
application/json:
examples:
PostAttackDiscoveryBulkRequestBodyExample:
summary: Acknowledge two Attack discoveries in bulk.
value:
update:
enable_field_rendering: false
ids:
- c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
- 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7
kibana_alert_workflow_status: acknowledged
with_replacements: true
schema:
type: object
properties:
update:
description: Configuration object containing all parameters for the bulk update operation
type: object
properties:
enable_field_rendering:
default: false
description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`.
example: false
type: boolean
ids:
description: Array of Attack Discovery IDs to update
example:
- c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
- 5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7
items:
type: string
type: array
kibana_alert_workflow_status:
description: When provided, update the kibana.alert.workflow_status of the attack discovery alerts
enum:
- open
- acknowledged
- closed
example: acknowledged
type: string
visibility:
description: When provided, update the visibility of the alert, as determined by the kibana.alert.attack_discovery.users field
enum:
- not_shared
- shared
example: shared
type: string
with_replacements:
default: true
description: When true, returns the updated Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. This substitutes anonymized values with human-readable equivalents. Defaults to `true`.
example: true
type: boolean
required:
- ids
required:
- update
description: Bulk update parameters for Attack discoveries
required: true
responses:
'200':
content:
application/json:
examples:
PostAttackDiscoveryBulkResponse200Example:
summary: A successful bulk update response containing the modified Attack discoveries.
value:
data:
- alert_ids:
- alert-abc-1
alert_workflow_status: acknowledged
connector_id: gen-ai-connector
connector_name: OpenAI GPT-4
details_markdown: '- **Host** `workstation-01` showed credential access patterns consistent with mimikatz.'
generation_uuid: 550e8400-e29b-41d4-a716-446655440000
id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
summary_markdown: A user account was compromised using mimikatz to dump credentials.
timestamp: '2024-01-15T10:00:00.000Z'
title: Credential theft via mimikatz
schema:
type: object
properties:
data:
description: Array of updated Attack Discovery alert objects. Each item includes the applied modifications from the bulk update request.
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert'
type: array
required:
- data
description: Indicates a successful call.
'400':
content:
application/json:
examples:
PostAttackDiscoveryBulkResponse400Example:
summary: Bad Request error returned when the bulk update payload is invalid.
value:
error: Bad Request
message: Invalid request parameters.
status_code: 400
schema:
type: object
properties:
error:
description: Error type
example: Bad Request
type: string
message:
description: Human-readable error message describing what went wrong with the bulk update request
example: Invalid request parameters.
type: string
status_code:
description: HTTP status code
example: 400
type: number
required:
- status_code
- error
- message
description: Bad Request response.
summary: Bulk update Attack discoveries
tags:
- Security Attack discovery API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/attack_discovery/_bulk' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data-raw '{
"update": {
"ids": [
"c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f",
"5aa8f2900c0b03854b3b1a52a19558c5ea9893865c78235d4ad3dcc46196f4c7"
],
"kibana_alert_workflow_status": "acknowledged"
}
}'
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/_find:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/attack_discovery/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Find Attack discoveries that match the search criteria. Supports free text search, filtering, pagination, and sorting.
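Triage workflow, as an added example that is not part of Kibana or of this specification: find the open Attack discoveries from the last 24 hours, walk every page of `_find` results by following `page`, `per_page` and `total`, then acknowledge them with `_bulk` updates. The HTTP layer is a callable `transport(method, path, body=None)` returning decoded JSON, so the logic runs offline against the constructed responses at the bottom. `urllib_transport`, its base URL and API key, the `kbn-xsrf` header and the sample discovery IDs `d1`..`d3` are assumptions, not values from this document.

```python
"""Added example (not Kibana's own client code): find open Attack discoveries,
walk every page of _find results, and acknowledge them with _bulk updates.
The HTTP layer is a callable transport(method, path, body=None) -> decoded JSON,
so the logic runs offline against the constructed responses at the bottom."""
import json
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

FIND_PATH = "/api/attack_discovery/_find"
BULK_PATH = "/api/attack_discovery/_bulk"


def find_query(statuses, start="now-24h", end="now", page=1, per_page=10,
               include_unique_alert_ids=False):
    """Build the _find query string. `status` is repeated once per value
    (status=open&status=acknowledged), matching the documented curl sample."""
    params = [
        ("start", start), ("end", end), ("page", page), ("per_page", per_page),
        ("sort_field", "@timestamp"), ("sort_order", "desc"),
        ("include_unique_alert_ids", "true" if include_unique_alert_ids else "false"),
    ] + [("status", s) for s in statuses]
    return FIND_PATH + "?" + urlencode(params)


def iter_discoveries(transport, statuses, per_page=10, max_pages=1000):
    """Yield every matched discovery by following page/per_page/total.
    max_pages bounds the walk so a server that keeps reporting a larger
    `total` than it serves cannot keep the loop running forever."""
    page = 1
    while page <= max_pages:
        body = transport("GET", find_query(statuses, page=page, per_page=per_page))
        yield from body["data"]
        if not body["data"] or page * body["per_page"] >= body["total"]:
            return
        page += 1


def acknowledge(transport, ids, chunk=100):
    """POST _bulk updates of at most `chunk` ids each and return the updated
    discovery objects. The request field is kibana_alert_workflow_status, as in
    the documented sample; the response objects carry alert_workflow_status."""
    updated = []
    for i in range(0, len(ids), chunk):
        body = {"update": {"ids": ids[i:i + chunk],
                           "kibana_alert_workflow_status": "acknowledged"}}
        updated.extend(transport("POST", BULK_PATH, body)["data"])
    return updated


def triage(transport, per_page=10):
    """Acknowledge every currently open discovery; returns the updated ids."""
    ids = [d["id"] for d in iter_discoveries(transport, ["open"], per_page=per_page)]
    return [d["id"] for d in acknowledge(transport, ids)]


def urllib_transport(base_url, api_key):
    """Real transport (assumed, not from this document): JSON over HTTP(S) with
    an Elastic API key. Kibana rejects state-changing (non-GET) requests that
    lack a kbn-xsrf header, so it is always sent."""
    def send(method, path, body=None):
        req = Request(base_url + path, method=method,
                      data=None if body is None else json.dumps(body).encode(),
                      headers={"Authorization": f"ApiKey {api_key}",
                               "Content-Type": "application/json",
                               "kbn-xsrf": "true"})
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


# Constructed offline data: three open discoveries, served per the requested page.
_OPEN = [{"id": "d1", "alert_workflow_status": "open"},
         {"id": "d2", "alert_workflow_status": "open"},
         {"id": "d3", "alert_workflow_status": "open"}]


def fake_transport(method, path, body=None):
    """Offline stand-in for Kibana that answers _find and _bulk from _OPEN."""
    if method == "GET" and path.startswith(FIND_PATH + "?"):
        q = parse_qs(urlsplit(path).query)
        page, per_page = int(q["page"][0]), int(q["per_page"][0])
        lo = (page - 1) * per_page
        return {"connector_names": ["GPT-5 Chat"], "data": _OPEN[lo:lo + per_page],
                "page": page, "per_page": per_page, "total": len(_OPEN),
                "unique_alert_ids_count": 0}
    if method == "POST" and path == BULK_PATH:
        status = body["update"]["kibana_alert_workflow_status"]
        return {"data": [{"id": i, "alert_workflow_status": status}
                         for i in body["update"]["ids"]]}
    raise ValueError(f"unexpected request: {method} {path}")


if __name__ == "__main__":
    print(triage(fake_transport, per_page=2))  # ['d1', 'd2', 'd3']
```

The page cap in `iter_discoveries` is the check worth keeping: the loop terminates on an empty page or when `page * per_page` reaches `total`, and `max_pages` is the backstop if neither happens. Chunking the bulk update keeps each request's `ids` array bounded rather than sending every id from a large find in one call.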
operationId: AttackDiscoveryFind
parameters:
- description: Filter results to Attack discoveries that include any of the provided alert IDs
in: query
name: alert_ids
required: false
schema:
items:
type: string
type: array
- description: Filter results to Attack discoveries created by any of the provided human readable connector names. Note that values must match the human readable `connector_name` property of an Attack discovery, e.g. "GPT-5 Chat", which are distinct from `connector_id` values used to generate Attack discoveries.
in: query
name: connector_names
required: false
schema:
items:
type: string
type: array
- description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`.
example: false
in: query
name: enable_field_rendering
required: false
schema:
default: false
type: boolean
- description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h").
example: now
in: query
name: end
required: false
schema:
type: string
- description: Filter results to the Attack discoveries with the specified IDs
in: query
name: ids
required: false
schema:
items:
type: string
type: array
- description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across the matched Attack discoveries
example: false
in: query
name: include_unique_alert_ids
required: false
schema:
type: boolean
- description: Page number to return (used for pagination). Defaults to 1.
example: 1
in: query
name: page
required: false
schema:
default: 1
minimum: 1
type: integer
- description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10.
example: 10
in: query
name: per_page
required: false
schema:
default: 10
minimum: 1
type: integer
- description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags, etc.)
example: ''
in: query
name: search
required: false
schema:
type: string
- description: Whether to filter by shared visibility. If omitted, both shared and private Attack discoveries are returned. Use `true` to return only shared discoveries, or `false` to return only the current user's private (non-shared) discoveries.
in: query
name: shared
required: false
schema:
type: boolean
- description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries are returned. Use `true` to return only scheduled discoveries or `false` to return only ad-hoc discoveries.
in: query
name: scheduled
required: false
schema:
type: boolean
- description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values.
example: '@timestamp'
in: query
name: sort_field
required: false
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryFindSortField'
default: '@timestamp'
- description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`.
example: desc
in: query
name: sort_order
required: false
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_SortOrder'
default: desc
- description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d").
example: now-24h
in: query
name: start
required: false
schema:
type: string
- description: Filter by alert workflow status. Provide one or more of the allowed workflow states.
example:
- open
- acknowledged
in: query
name: status
required: false
schema:
items:
enum:
- acknowledged
- closed
- open
type: string
type: array
- description: When true, return the matched Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields, substituting anonymized values with their human-readable equivalents. Defaults to `true`.
example: true
in: query
name: with_replacements
required: false
schema:
default: true
type: boolean
responses:
'200':
content:
application/json:
examples:
AttackDiscoveryFindResponse200Example:
summary: Paginated list of Attack discoveries matching the search criteria.
value:
connector_names:
- GPT-5 Chat
data:
- connector_name: GPT-5 Chat
id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
title: Suspicious process execution on host-01
page: 1
per_page: 10
total: 1
unique_alert_ids_count: 0
schema:
type: object
properties:
connector_names:
description: List of human readable connector names that are present in the matched Attack discoveries. Useful for building client filters or summaries.
items:
type: string
type: array
data:
description: Array of matched Attack discovery objects. Each item follows the `AttackDiscoveryApiAlert` schema.
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert'
type: array
page:
description: Current page number of the paginated result set.
type: integer
per_page:
description: Number of items requested per page.
type: integer
total:
description: Total number of Attack discoveries matching the query (across all pages).
type: integer
unique_alert_ids:
description: List of unique alert IDs aggregated from the matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request.
items:
type: string
type: array
unique_alert_ids_count:
description: Number of unique alert IDs across all matched Attack discoveries. Only present if `include_unique_alert_ids=true` in the request.
type: integer
required:
- connector_names
- data
- page
- per_page
- total
- unique_alert_ids_count
description: Indicates a successful call.
'400':
content:
application/json:
examples:
AttackDiscoveryFindResponse400Example:
summary: Bad Request error returned when find query parameters are invalid.
value:
error: Bad Request
message: Invalid request payload.
status_code: 400
schema:
type: object
properties:
error:
description: Error type
example: Bad Request
type: string
message:
description: Human-readable error message
example: Invalid request payload.
type: string
status_code:
description: HTTP status code
example: 400
type: number
description: Bad Request response.
summary: Find Attack discoveries that match the search criteria
tags:
- Security Attack discovery API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/attack_discovery/_find?end=now&include_unique_alert_ids=false&page=1&per_page=10&search=&sort_field=%40timestamp&sort_order=desc&start=now-24h&status=open&status=acknowledged' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/generations:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/attack_discovery/generations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the latest Attack Discovery generations metadata (excluding dismissed generations) for the current user. Each entry carries the generation's execution status and statistics.
operationId: GetAttackDiscoveryGenerations
parameters:
- description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now", "now-24h").
example: now
in: query
name: end
required: false
schema:
type: string
- description: The maximum number of generations to retrieve
example: 50
in: query
name: size
required: false
schema:
default: 50
minimum: 1
type: number
- description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative date math (e.g. "now-7d").
example: now-24h
in: query
name: start
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
GetAttackDiscoveryGenerationsResponse200Example:
summary: Latest Attack Discovery generation metadata for the current user.
value:
generations:
- alerts_context_count: 75
connector_id: chatGpt5_0ChatAzure
discoveries: 3
end: '2025-09-29T06:42:44.810Z'
execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7
loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.
start: '2025-09-29T06:42:08.962Z'
status: succeeded
schema:
type: object
properties:
generations:
description: List of Attack Discovery generations
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration'
type: array
required:
- generations
description: Indicates a successful call.
'400':
content:
application/json:
examples:
GetAttackDiscoveryGenerationsResponse400Example:
summary: Bad Request error returned when the size parameter is invalid.
value:
error: Bad Request
message: Invalid size parameter. Must be a positive number.
status_code: 400
schema:
type: object
properties:
error:
description: Error type
example: Bad Request
type: string
message:
description: Human-readable error message
example: Invalid size parameter. Must be a positive number.
type: string
status_code:
description: HTTP status code
example: 400
type: number
description: Bad Request response.
summary: Get the latest Attack Discovery generations metadata for the current user
tags:
- Security Attack discovery API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/attack_discovery/generations?size=50&start=now-24h&end=now' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/generations/{execution_uuid}:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/attack_discovery/generations/{execution_uuid}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns a specific Attack Discovery generation: all Attack discoveries it generated, plus the generation metadata (execution status and statistics) when that metadata is available.
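Polling a generation to completion, as an added example that is not part of Kibana or of this specification: the `execution_uuid` returned when a generation starts is fetched through this endpoint until `generation.status` is one of the terminal values documented for a generation (`succeeded`, `failed`, `canceled`, `dismissed`), with a hard deadline instead of an open-ended loop. The transport, clock and sample responses are constructed so it runs offline; the fixture values, `my-connector` and `disc-1` are assumptions.

```python
"""Added example (not Kibana's own code): poll a single Attack Discovery
generation until it reaches a terminal status, with a hard deadline.
transport(method, path, body=None) -> decoded JSON is injected, so the loop
runs offline against the constructed responses at the bottom."""
import time

# Status values this document lists for a generation; only "started" is non-terminal.
TERMINAL_STATUSES = frozenset({"succeeded", "failed", "canceled", "dismissed"})


def generation_path(execution_uuid, with_replacements=True):
    """GET path for one generation; with_replacements=false keeps anonymized text."""
    flag = "true" if with_replacements else "false"
    return f"/api/attack_discovery/generations/{execution_uuid}?with_replacements={flag}"


def wait_for_generation(transport, execution_uuid, timeout_s=600.0, interval_s=5.0,
                        clock=time.monotonic, sleep=time.sleep):
    """Return (status, discoveries, reason) once the generation is terminal.

    The response's `generation` block is documented as optional; without it
    there is no status to trust, so such a response counts as still running
    and the deadline, not a guess, ends the wait. Raises TimeoutError."""
    deadline = clock() + timeout_s
    while True:
        body = transport("GET", generation_path(execution_uuid))
        meta = body.get("generation") or {}
        status = meta.get("status")
        if status in TERMINAL_STATUSES:
            return status, body.get("data", []), meta.get("reason")
        if clock() >= deadline:
            raise TimeoutError(
                f"generation {execution_uuid} still {status or 'unknown'} after {timeout_s}s")
        sleep(interval_s)


# Constructed offline fixtures (assumed values, not from a live system).
EXECUTION_UUID = "2e13f386-46cf-4d65-9e2b-68609e132ba5"
_META = {"execution_uuid": EXECUTION_UUID, "connector_id": "my-connector",
         "start": "2025-09-29T06:42:08.962Z", "loading_message": "AI is analyzing alerts"}
RUNNING = {"data": [], "generation": dict(_META, status="started", discoveries=0)}
DONE = {"data": [{"id": "disc-1", "title": "Suspicious process execution on host-01"}],
        "generation": dict(_META, status="succeeded", discoveries=1,
                           end="2025-09-29T06:42:44.810Z")}
FAILED = {"data": [], "generation": dict(_META, status="failed", discoveries=0,
                                         reason="Connection timeout to AI service")}


def scripted_transport(responses):
    """Replay `responses` in order, repeating the last one; records each call."""
    calls = []

    def send(method, path, body=None):
        calls.append((method, path))
        return responses[min(len(calls) - 1, len(responses) - 1)]
    send.calls = calls
    return send


class FakeClock:
    """Deterministic clock/sleep pair so the deadline logic is testable offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    t = scripted_transport([RUNNING, RUNNING, DONE])
    print(wait_for_generation(t, EXECUTION_UUID, clock=clock, sleep=clock.sleep))
```

Against a live Kibana, pass a real transport (one that sends `Authorization: ApiKey ...`) and the default `time.monotonic`/`time.sleep`. A failed generation surfaces its `reason` field in the returned tuple, so callers can log it instead of treating "terminal" as "successful".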
operationId: GetAttackDiscoveryGeneration
parameters:
- description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start of an Attack Discovery generation.
example: 2e13f386-46cf-4d65-9e2b-68609e132ba5
in: path
name: execution_uuid
required: true
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
- description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled, the same example would be rendered as `james`. This is primarily used for Attack Discovery views within Kibana. Defaults to `false`.
example: false
in: query
name: enable_field_rendering
required: false
schema:
default: false
type: boolean
- description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown, entitySummaryMarkdown, summaryMarkdown, and title fields. Defaults to `true`.
example: true
in: query
name: with_replacements
required: false
schema:
default: true
type: boolean
responses:
'200':
content:
application/json:
examples:
GetAttackDiscoveryGenerationResponse200Example:
summary: Single Attack Discovery generation with its discoveries and metadata.
value:
data:
- id: c0c8a8bbb4a6561856a974ee9e461f0c82e673a1f0d83f86c5a8d80fc8de4c4f
title: Suspicious process execution on host-01
generation:
alerts_context_count: 50
discoveries: 1
end: '2025-09-29T06:42:44.810Z'
execution_uuid: 2e13f386-46cf-4d65-9e2b-68609e132ba5
start: '2025-09-29T06:42:08.962Z'
status: succeeded
schema:
type: object
properties:
data:
description: Array of Attack discoveries generated during this execution.
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiAlert'
type: array
generation:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGeneration'
description: Metadata about the generation process, including execution status and statistics. This block is optional and may be absent for some generations, so clients must not assume it is present.
required:
- data
description: Indicates a successful call.
'400':
content:
application/json:
examples:
GetAttackDiscoveryGenerationResponse400Example:
summary: Bad Request error returned when the get-generation request is invalid.
value:
error: Bad Request
message: Invalid request parameters.
status_code: 400
schema:
type: object
properties:
error:
description: Error type
example: Bad Request
type: string
message:
description: Human-readable error message describing what went wrong with the request
example: Invalid request parameters.
type: string
status_code:
description: HTTP status code
example: 400
type: number
required:
- status_code
- error
- message
description: Bad Request response.
summary: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata
tags:
- Security Attack discovery API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/generations/{execution_uuid}/_dismiss:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/attack_discovery/generations/{execution_uuid}/_dismiss
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Dismisses an Attack Discovery generation for the current user, indicating that its status should not be reported in the UI. This sets the generation's status to "dismissed" and affects how the generation appears in subsequent queries.
operationId: PostAttackDiscoveryGenerationsDismiss
parameters:
- description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an Attack Discovery generation is created and can be found in generation responses.
example: 46b218d5-535d-4329-be56-d0f6af6986b7
in: path
name: execution_uuid
required: true
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
responses:
'200':
content:
application/json:
examples:
PostAttackDiscoveryGenerationsDismissResponse200Example:
summary: Successfully dismissed an Attack Discovery generation.
value:
alerts_context_count: 75
connector_id: chatGpt5_0ChatAzure
discoveries: 3
end: '2025-09-29T06:42:44.810Z'
execution_uuid: 46b218d5-535d-4329-be56-d0f6af6986b7
loading_message: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.
start: '2025-09-29T06:42:08.962Z'
status: dismissed
schema:
type: object
properties:
alerts_context_count:
description: The number of alerts that were sent as context to the LLM for this generation.
example: 75
type: number
connector_id:
description: The unique identifier of the connector used to generate the attack discoveries.
example: chatGpt5_0ChatAzure
type: string
connector_stats:
description: Statistical information about the connector's performance for this user, providing insights into usage patterns and success rates.
type: object
properties:
average_successful_duration_nanoseconds:
description: The average duration in nanoseconds for successful generations using this connector by the current user.
example: 47958500000
type: number
successful_generations:
description: The number of successful generations using this connector by the current user.
example: 2
type: number
discoveries:
description: The number of attack discoveries that were generated during this execution.
example: 3
type: number
end:
description: The timestamp when the generation process completed, in ISO 8601 format. This field may be absent for generations that haven't finished.
example: '2025-09-29T06:42:44.810Z'
type: string
execution_uuid:
description: The unique identifier for this attack discovery generation execution. This UUID can be used to reference this specific generation in other API calls.
example: 46b218d5-535d-4329-be56-d0f6af6986b7
type: string
loading_message:
description: A human-readable message describing the current state or progress of the generation process. Provides context about what the AI is analyzing.
example: AI is analyzing up to 100 alerts in the last 24 hours to generate discoveries.
type: string
reason:
description: Additional context or reasoning provided when a generation fails or encounters issues. This field helps diagnose problems with the generation process.
example: Connection timeout to AI service
type: string
start:
description: The timestamp when the generation process began, in ISO 8601 format. This marks the beginning of the AI analysis.
example: '2025-09-29T06:42:08.962Z'
type: string
status:
description: The current status of the attack discovery generation. After dismissing, this will be set to "dismissed".
enum:
- canceled
- dismissed
- failed
- started
- succeeded
example: dismissed
type: string
required:
- connector_id
- discoveries
- execution_uuid
- loading_message
- start
- status
description: Indicates a successful call.
'400':
content:
application/json:
examples:
PostAttackDiscoveryGenerationsDismissResponse400Example:
summary: Bad Request error returned when the dismiss request is invalid.
value:
error: Bad Request
message: Invalid request parameters.
status_code: 400
schema:
type: object
properties:
error:
description: Error type or category
example: Bad Request
type: string
message:
description: Human-readable error message describing what went wrong with the request.
example: Invalid request parameters.
type: string
status_code:
description: HTTP status code indicating the type of client error
example: 400
type: number
required:
- status_code
- error
- message
description: Bad Request response.
summary: Dismiss an Attack Discovery generation
tags:
- Security Attack discovery API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/attack_discovery/generations/46b218d5-535d-4329-be56-d0f6af6986b7/_dismiss' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/schedules:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/attack_discovery/schedules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Creates a new Attack Discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack Discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found.
operationId: CreateAttackDiscoverySchedules
requestBody:
content:
application/json:
examples:
CreateAttackDiscoverySchedulesRequestBodyExample:
summary: Create a daily Attack Discovery schedule that runs every 24 hours.
value:
actions: []
enabled: true
name: Daily Security Analysis
params:
alerts_index_pattern: .alerts-security.alerts-default
api_config:
actionTypeId: bedrock
connectorId: my-bedrock-connector
name: Claude 3.5 Sonnet
end: now
size: 100
start: now-24h
schedule:
interval: 24h
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps'
description: Attack Discovery schedule configuration including name, parameters, schedule interval, and actions
required: true
responses:
'200':
content:
application/json:
examples:
CreateAttackDiscoverySchedulesResponse200Example:
summary: A newly created Attack Discovery schedule.
value:
actions: []
created_at: '2023-10-31T10:00:00.000Z'
created_by: elastic
enabled: true
id: 12345678-1234-1234-1234-123456789012
name: Daily Security Analysis
params:
alerts_index_pattern: .alerts-security.alerts-default
api_config:
actionTypeId: bedrock
connectorId: my-bedrock-connector
name: Claude 3.5 Sonnet
end: now
size: 100
start: now-24h
schedule:
interval: 24h
updated_at: '2023-10-31T10:00:00.000Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule'
description: The Attack Discovery schedule was successfully created.
'400':
content:
application/json:
examples:
CreateAttackDiscoverySchedulesResponse400Example:
summary: Bad Request error returned when the create schedule payload is invalid.
value:
error: Bad Request
message: Invalid request parameters.
status_code: 400
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
description: Bad Request response.
summary: Create Attack Discovery schedule
tags:
- Security Attack discovery API
x-codeSamples:
- label: Create an Attack Discovery schedule
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/attack_discovery/schedules' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{
"name": "Daily Security Analysis",
"enabled": true,
"params": {
"alerts_index_pattern": ".alerts-security.alerts-default",
"api_config": {
"actionTypeId": "bedrock",
"connectorId": "my-bedrock-connector",
"name": "Claude 3.5 Sonnet"
},
"size": 100,
"start": "now-24h",
"end": "now"
},
"schedule": {
"interval": "24h"
},
"actions": [
{
"action_type_id": ".cases",
"id": "system-connector-.cases",
"params": {
"subAction": "run",
"subActionParams": {
"timeWindow": "7d",
"reopenClosedCases": false,
"groupingBy": [],
"templateId": null
}
},
"uuid": "12345678-1234-1234-1234-123456789012"
}
]
}'
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/schedules/_find:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/attack_discovery/schedules/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Find Attack Discovery schedules that match the search criteria. Supports pagination and sorting by various fields.
operationId: FindAttackDiscoverySchedules
parameters:
- description: Page number to return (used for pagination). Defaults to 1.
example: 1
in: query
name: page
required: false
schema:
default: 1
type: number
- description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10.
example: 10
in: query
name: per_page
required: false
schema:
default: 10
type: number
- description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'.
example: name
in: query
name: sort_field
required: false
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
- description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'.
example: asc
in: query
name: sort_direction
required: false
schema:
default: asc
enum:
- asc
- desc
type: string
responses:
'200':
content:
application/json:
examples:
FindAttackDiscoverySchedulesResponse200Example:
summary: Paginated list of Attack Discovery schedules matching the search criteria.
value:
data:
- actions: []
created_at: '2023-10-31T10:00:00.000Z'
created_by: elastic
enabled: true
id: 12345678-1234-1234-1234-123456789012
name: Daily Security Analysis
params:
alerts_index_pattern: .alerts-security.alerts-default
api_config:
actionTypeId: bedrock
connectorId: my-bedrock-connector
name: Claude 3.5 Sonnet
end: now
size: 100
start: now-24h
schedule:
interval: 24h
updated_at: '2023-10-31T10:00:00.000Z'
updated_by: elastic
page: 1
per_page: 10
total: 1
schema:
type: object
properties:
data:
description: Array of matched Attack Discovery schedule objects.
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule'
type: array
page:
description: Current page number of the paginated result set.
type: number
per_page:
description: Number of items requested per page.
type: number
total:
description: Total number of Attack Discovery schedules matching the query (across all pages).
type: number
required:
- page
- per_page
- total
- data
description: Indicates a successful call.
'400':
content:
application/json:
examples:
FindAttackDiscoverySchedulesResponse400Example:
summary: Bad Request error returned when find-schedules query parameters are invalid.
value:
error: Bad Request
message: Invalid request payload.
status_code: 400
schema:
type: object
properties:
error:
description: Error type
example: Bad Request
type: string
message:
description: Human-readable error message
example: Invalid request payload.
type: string
status_code:
description: HTTP status code
example: 400
type: number
description: Bad Request response.
summary: Find Attack Discovery schedules that match the search criteria
tags:
- Security Attack discovery API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/attack_discovery/schedules/_find' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/schedules/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/attack_discovery/schedules/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Permanently deletes an Attack Discovery schedule and all associated configuration.
operationId: DeleteAttackDiscoverySchedules
parameters:
- description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating a schedule and can be found in schedule listings.
example: 12345678-1234-1234-1234-123456789012
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
responses:
'200':
content:
application/json:
examples:
DeleteAttackDiscoverySchedulesResponse200Example:
summary: Confirmation returned after deleting an Attack Discovery schedule.
value:
id: 12345678-1234-1234-1234-123456789012
schema:
type: object
properties:
id:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
description: The unique identifier of the deleted Attack Discovery schedule
required:
- id
description: Successfully deleted Attack Discovery schedule, returning the ID of the deleted schedule for confirmation
'400':
content:
application/json:
examples:
DeleteAttackDiscoverySchedulesResponse400Example:
summary: Bad Request error returned when the delete schedule request is invalid.
value:
error: Bad Request
message: Invalid request parameters.
status_code: 400
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
description: Bad Request response.
summary: Delete Attack Discovery schedule
tags:
- Security Attack discovery API
x-codeSamples:
- label: Delete an Attack Discovery schedule
lang: curl
source: |
curl \
--request DELETE 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/attack_discovery/schedules/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieves a specific Attack Discovery schedule by its unique identifier. Returns the complete schedule configuration (parameters, interval settings, and associated actions) together with `last_execution` metadata when the schedule has run.
operationId: GetAttackDiscoverySchedules
parameters:
- description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings.
example: 12345678-1234-1234-1234-123456789012
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
responses:
'200':
content:
application/json:
examples:
GetAttackDiscoverySchedulesResponse200Example:
summary: An Attack Discovery schedule retrieved by ID, including last execution metadata.
value:
actions: []
created_at: '2023-10-31T10:00:00.000Z'
created_by: elastic
enabled: true
id: 12345678-1234-1234-1234-123456789012
last_execution:
date: '2023-10-31T10:00:00.000Z'
last_duration: 45.2
status: ok
name: Daily Security Analysis
params:
alerts_index_pattern: .alerts-security.alerts-default
api_config:
actionTypeId: bedrock
connectorId: my-bedrock-connector
name: Claude 3.5 Sonnet
end: now
size: 100
start: now-24h
schedule:
interval: 24h
updated_at: '2023-10-31T10:00:00.000Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiSchedule'
description: Successfully retrieved Attack Discovery schedule with complete configuration and metadata
'400':
content:
application/json:
examples:
GetAttackDiscoverySchedulesResponse400Example:
summary: Bad Request error returned when the get-schedule request is invalid.
value:
error: Bad Request
message: Invalid request parameters.
status_code: 400
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
description: Bad Request response.
summary: Get Attack Discovery schedule by ID
tags:
- Security Attack discovery API
x-codeSamples:
- label: Get an Attack Discovery schedule by ID
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/schedules/{id}/_disable:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/attack_discovery/schedules/{id}/_disable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Disables an Attack Discovery schedule, preventing it from running according to its configured interval. The schedule configuration is preserved and can be re-enabled later. Any currently running executions will complete, but no new executions will be started.
operationId: DisableAttackDiscoverySchedules
parameters:
- description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when creating a schedule and can be found in schedule listings.
example: 12345678-1234-1234-1234-123456789012
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
responses:
'200':
content:
application/json:
examples:
DisableAttackDiscoverySchedulesResponse200Example:
summary: Confirmation returned after disabling an Attack Discovery schedule.
value:
id: 12345678-1234-1234-1234-123456789012
schema:
type: object
properties:
id:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
description: The unique identifier of the disabled Attack Discovery schedule
required:
- id
description: Successfully disabled Attack Discovery schedule, returning the schedule ID for confirmation
'400':
content:
application/json:
examples:
DisableAttackDiscoverySchedulesResponse400Example:
summary: Bad Request error returned when the disable schedule request is invalid.
value:
error: Bad Request
message: Invalid request parameters.
status_code: 400
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
description: Bad Request response.
summary: Disable Attack Discovery schedule
tags:
- Security Attack discovery API
x-codeSamples:
- label: Disable an Attack Discovery schedule
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_disable' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
/api/attack_discovery/schedules/{id}/_enable:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Enables a previously disabled Attack Discovery schedule, allowing it to run according to its configured interval. Once enabled, the schedule will begin executing at the next scheduled time based on its interval configuration.
operationId: EnableAttackDiscoverySchedules
parameters:
- description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating a schedule and can be found in schedule listings.
example: 12345678-1234-1234-1234-123456789012
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
responses:
'200':
content:
application/json:
examples:
EnableAttackDiscoverySchedulesResponse200Example:
summary: Confirmation returned after enabling an Attack Discovery schedule.
value:
id: 12345678-1234-1234-1234-123456789012
schema:
type: object
properties:
id:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
description: The unique identifier of the enabled Attack Discovery schedule
required:
- id
description: Successfully enabled Attack Discovery schedule, returning the schedule ID for confirmation
'400':
content:
application/json:
examples:
EnableAttackDiscoverySchedulesResponse400Example:
summary: Bad Request error returned when the enable schedule request is invalid.
value:
error: Bad Request
message: Invalid request parameters.
status_code: 400
schema:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryGenericError'
description: Bad Request response.
summary: Enable Attack Discovery schedule
tags:
- Security Attack discovery API
x-codeSamples:
- label: Enable an Attack Discovery schedule
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012/_enable' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json"
x-metaTags:
- content: Kibana
name: product_name
/api/cases:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/cases
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
operationId: deleteCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
- $ref: '#/components/parameters/Cases_ids'
responses:
'204':
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Delete cases
tags:
- cases
x-codeSamples:
- label: curl
lang: curl
source: |
curl \
--request DELETE 'https://localhost:5601/api/cases?ids=%5B%22030e6e34-6470-4001-864f-b229511ad188%22%2C%22e662ff34-0493-4538-b9d1-6706ced02ff2%22%5D' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true"
- label: Console
lang: console
source: |
DELETE kbn:/api/cases?ids=["030e6e34-6470-4001-864f-b229511ad188","e662ff34-0493-4538-b9d1-6706ced02ff2"]
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |
**Spaces method and path for this operation:**
patch/s/{space_id}/api/cases
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating.
operationId: updateCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
requestBody:
content:
application/json:
examples:
updateCaseRequest:
$ref: '#/components/examples/Cases_update_case_request'
schema:
$ref: '#/components/schemas/Cases_update_case_request'
responses:
'200':
content:
application/json:
examples:
updateCaseResponse:
$ref: '#/components/examples/Cases_update_case_response'
schema:
items:
$ref: '#/components/schemas/Cases_case_response_properties'
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Update cases
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/cases
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating.
operationId: createCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
requestBody:
content:
application/json:
examples:
createCaseRequest:
$ref: '#/components/examples/Cases_create_case_request'
schema:
$ref: '#/components/schemas/Cases_create_case_request'
required: true
responses:
'200':
content:
application/json:
examples:
createCaseResponse:
$ref: '#/components/examples/Cases_create_case_response'
schema:
$ref: '#/components/schemas/Cases_case_response_properties'
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Create a case
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/_find:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/cases/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
operationId: findCasesDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_assignees_filter'
- $ref: '#/components/parameters/Cases_category'
- $ref: '#/components/parameters/Cases_defaultSearchOperator'
- $ref: '#/components/parameters/Cases_from'
- $ref: '#/components/parameters/Cases_owner_filter'
- $ref: '#/components/parameters/Cases_page_index'
- $ref: '#/components/parameters/Cases_page_size'
- $ref: '#/components/parameters/Cases_reporters'
- $ref: '#/components/parameters/Cases_search'
- $ref: '#/components/parameters/Cases_searchFields'
- $ref: '#/components/parameters/Cases_severity'
- $ref: '#/components/parameters/Cases_sortField'
- $ref: '#/components/parameters/Cases_sort_order'
- $ref: '#/components/parameters/Cases_status'
- $ref: '#/components/parameters/Cases_tags'
- $ref: '#/components/parameters/Cases_to'
responses:
'200':
content:
application/json:
examples:
findCaseResponse:
$ref: '#/components/examples/Cases_find_case_response'
schema:
type: object
properties:
cases:
items:
$ref: '#/components/schemas/Cases_case_response_properties'
maxItems: 10000
type: array
count_closed_cases:
type: integer
count_in_progress_cases:
type: integer
count_open_cases:
type: integer
page:
type: integer
per_page:
type: integer
total:
type: integer
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Search cases
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/{caseId}:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/cases/{caseId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns case details. The response does not include a comments property; use the find case comments API to retrieve comments. The totalComment field reflects the actual number of user comments on the case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking.
operationId: getCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
responses:
'200':
content:
application/json:
examples:
getDefaultCaseResponse:
$ref: '#/components/examples/Cases_get_case_response'
getDefaultObservabilityCaseResponse:
$ref: '#/components/examples/Cases_get_case_observability_response'
schema:
$ref: '#/components/schemas/Cases_case_response_get_case'
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Get case information
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/{caseId}/alerts:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/cases/{caseId}/alerts
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
operationId: getCaseAlertsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
responses:
'200':
content:
application/json:
examples:
getCaseAlertsResponse:
$ref: '#/components/examples/Cases_get_case_alerts_response'
schema:
items:
$ref: '#/components/schemas/Cases_alert_response_properties'
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Get all alerts for a case
tags:
- cases
x-state: Technical preview
x-metaTags:
- content: Kibana
name: product_name
/api/cases/{caseId}/comments:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/cases/{caseId}/comments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
operationId: deleteCaseCommentsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
- $ref: '#/components/parameters/Cases_case_id'
responses:
'204':
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Delete all case comments and alerts
tags:
- cases
x-codeSamples:
- label: curl
lang: curl
source: |
curl \
--request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
- label: Console
lang: console
source: |
DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |
**Spaces method and path for this operation:**
patch/s/{space_id}/api/cases/{caseId}/comments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.
operationId: updateCaseCommentDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
- $ref: '#/components/parameters/Cases_case_id'
requestBody:
content:
application/json:
examples:
updateCaseCommentRequest:
$ref: '#/components/examples/Cases_update_comment_request'
schema:
$ref: '#/components/schemas/Cases_update_case_comment_request'
required: true
responses:
'200':
content:
application/json:
examples:
updateCaseCommentResponse:
$ref: '#/components/examples/Cases_update_comment_response'
schema:
$ref: '#/components/schemas/Cases_case_response_properties'
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Update a case comment or alert
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/cases/{caseId}/comments
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
operationId: addCaseCommentDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
- $ref: '#/components/parameters/Cases_case_id'
requestBody:
content:
application/json:
examples:
createCaseCommentRequest:
$ref: '#/components/examples/Cases_add_comment_request'
schema:
$ref: '#/components/schemas/Cases_add_case_comment_request'
required: true
responses:
'200':
content:
application/json:
examples:
createCaseCommentResponse:
$ref: '#/components/examples/Cases_add_comment_response'
schema:
$ref: '#/components/schemas/Cases_case_response_properties'
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Add a case comment or alert
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/{caseId}/comments/_find:
get:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
operationId: findCaseCommentsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
- $ref: '#/components/parameters/Cases_page_index'
- $ref: '#/components/parameters/Cases_page_size'
- $ref: '#/components/parameters/Cases_sort_order'
responses:
'200':
content:
application/json:
examples:
findCaseCommentsResponse:
$ref: '#/components/examples/Cases_find_case_comments_response'
schema:
$ref: '#/components/schemas/Cases_find_comments_response'
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Find case comments
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/{caseId}/comments/{commentId}:
delete:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
operationId: deleteCaseCommentDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
- $ref: '#/components/parameters/Cases_case_id'
- $ref: '#/components/parameters/Cases_comment_id'
responses:
'204':
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Delete a case comment or alert
tags:
- cases
x-codeSamples:
- label: curl
lang: curl
source: |
curl \
--request DELETE 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
- label: Console
lang: console
source: |
DELETE kbn:/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
operationId: getCaseCommentDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
- $ref: '#/components/parameters/Cases_comment_id'
responses:
'200':
content:
application/json:
examples:
getCaseCommentResponse:
$ref: '#/components/examples/Cases_get_comment_response'
schema:
oneOf:
- $ref: '#/components/schemas/Cases_alert_comment_response_properties'
- $ref: '#/components/schemas/Cases_user_comment_response_properties'
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Get a case comment or alert
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/{caseId}/connector/{connectorId}/_push:
post:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing.
operationId: pushCaseDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
- $ref: '#/components/parameters/Cases_connector_id'
- $ref: '#/components/parameters/Cases_kbn_xsrf'
requestBody:
content:
application/json:
examples:
pushCaseRequest:
summary: Push a case to an external service. No request body is required.
value: null
schema:
nullable: true
type: object
responses:
'200':
content:
application/json:
examples:
pushCaseResponse:
$ref: '#/components/examples/Cases_push_case_response'
schema:
$ref: '#/components/schemas/Cases_case_response_properties'
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Push a case to an external service
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/{caseId}/files:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/cases/{caseId}/files
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
- The `Content-Type: multipart/form-data` HTTP header.
- The location of the file that is being uploaded.
operationId: addCaseFileDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
- $ref: '#/components/parameters/Cases_case_id'
requestBody:
content:
multipart/form-data:
examples:
addCaseFileRequest:
summary: Attach a plain text file named "my_attachment".
value:
filename: my_attachment
schema:
$ref: '#/components/schemas/Cases_add_case_file_request'
required: true
responses:
'200':
content:
application/json:
examples:
addCaseFileResponse:
$ref: '#/components/examples/Cases_add_comment_response'
schema:
$ref: '#/components/schemas/Cases_case_response_properties'
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Attach a file to a case
tags:
- cases
x-codeSamples:
- label: curl
lang: curl
source: |
curl \
--request POST 'https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true" \
--form "file=@/path/to/my_attachment.txt" \
--form "filename=my_attachment"
x-metaTags:
- content: Kibana
name: product_name
/api/cases/{caseId}/user_actions/_find:
get:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieves a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking.
operationId: findCaseActivityDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_case_id'
- $ref: '#/components/parameters/Cases_page_index'
- $ref: '#/components/parameters/Cases_page_size'
- $ref: '#/components/parameters/Cases_sort_order'
- $ref: '#/components/parameters/Cases_user_action_types'
responses:
'200':
content:
application/json:
examples:
findCaseActivityResponse:
$ref: '#/components/examples/Cases_find_case_activity_response'
schema:
type: object
properties:
page:
type: integer
perPage:
type: integer
total:
type: integer
userActions:
items:
$ref: '#/components/schemas/Cases_user_actions_find_response_properties'
maxItems: 10000
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Find case activity
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/alerts/{alertId}:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/cases/alerts/{alertId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
operationId: getCasesByAlertDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_alert_id'
- $ref: '#/components/parameters/Cases_owner_filter'
responses:
'200':
content:
application/json:
examples:
getCasesByAlertResponse:
summary: Cases associated with a given alert.
value:
- createdAt: '2020-02-19T23:06:33.798Z'
description: Investigating suspicious activity
id: 06116b80-e1c3-11ec-be9b-9b1838238ee6
status: open
title: security_case
totals:
alerts: 1
events: 0
userComments: 0
schema:
items:
$ref: '#/components/schemas/Cases_related_case'
maxItems: 10000
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Get cases for an alert
tags:
- cases
x-state: Technical preview
x-metaTags:
- content: Kibana
name: product_name
/api/cases/configure:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/cases/configure
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get setting details such as the closure type, custom fields, templates, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created.
operationId: getCaseConfigurationDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_owner_filter'
responses:
'200':
content:
application/json:
examples:
getConfigurationResponse:
$ref: '#/components/examples/Cases_get_case_configuration_response'
schema:
items:
type: object
properties:
closure_type:
$ref: '#/components/schemas/Cases_closure_types'
connector:
type: object
properties:
fields:
description: The fields specified in the case configuration are not used and are not propagated to individual cases, so it is recommended to set this property to `null`.
nullable: true
type: object
id:
description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
example: none
type: string
name:
description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
example: none
type: string
type:
$ref: '#/components/schemas/Cases_connector_types'
created_at:
example: '2022-06-01T17:07:17.767Z'
format: date-time
type: string
created_by:
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
customFields:
description: Custom fields configuration details.
items:
type: object
properties:
defaultValue:
description: |
A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be a boolean.
oneOf:
- type: string
- type: boolean
key:
description: |
A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
maxLength: 36
minLength: 1
type: string
label:
description: The custom field label that is displayed in the case.
maxLength: 50
minLength: 1
type: string
type:
description: The type of the custom field.
enum:
- text
- toggle
type: string
required:
description: |
Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
type: boolean
type: array
error:
example: null
nullable: true
type: string
id:
example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6
type: string
mappings:
items:
type: object
properties:
action_type:
example: overwrite
type: string
source:
example: title
type: string
target:
example: summary
type: string
type: array
observableTypes:
description: Custom observable type configuration details.
items:
type: object
properties:
key:
description: The observable type key.
example: d312efda-ec2b-42ec-9e2c-84981795c581
type: string
label:
description: The observable type label.
example: My observable type
type: string
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
templates:
$ref: '#/components/schemas/Cases_templates'
updated_at:
example: '2022-06-01T19:58:48.169Z'
format: date-time
nullable: true
type: string
updated_by:
nullable: true
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
version:
example: WzIwNzMsMV0=
type: string
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Get case settings
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/cases/configure
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases.
operationId: setCaseConfigurationDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
requestBody:
content:
application/json:
examples:
setCaseConfigRequest:
$ref: '#/components/examples/Cases_set_case_configuration_request'
schema:
$ref: '#/components/schemas/Cases_set_case_configuration_request'
responses:
'200':
content:
application/json:
examples:
setCaseConfigResponse:
$ref: '#/components/examples/Cases_set_case_configuration_response'
schema:
type: object
properties:
closure_type:
$ref: '#/components/schemas/Cases_closure_types'
connector:
type: object
properties:
fields:
description: The fields specified in the case configuration are not used and are not propagated to individual cases, so it is recommended to set this property to `null`.
nullable: true
type: object
id:
description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
example: none
type: string
name:
description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
example: none
type: string
type:
$ref: '#/components/schemas/Cases_connector_types'
created_at:
example: '2022-06-01T17:07:17.767Z'
format: date-time
type: string
created_by:
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
customFields:
description: Custom fields configuration details.
items:
type: object
properties:
defaultValue:
description: |
A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
oneOf:
- type: string
- type: boolean
key:
description: |
A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
maxLength: 36
minLength: 1
type: string
label:
description: The custom field label that is displayed in the case.
maxLength: 50
minLength: 1
type: string
type:
description: The type of the custom field.
enum:
- text
- toggle
type: string
required:
description: |
Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
type: boolean
type: array
error:
example: null
nullable: true
type: string
id:
example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6
type: string
mappings:
items:
type: object
properties:
action_type:
example: overwrite
type: string
source:
example: title
type: string
target:
example: summary
type: string
type: array
observableTypes:
description: Custom observable type configuration details.
items:
type: object
properties:
key:
description: The observable type key.
example: d312efda-ec2b-42ec-9e2c-84981795c581
type: string
label:
description: The observable type label.
example: My observable type
type: string
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
templates:
$ref: '#/components/schemas/Cases_templates'
updated_at:
example: '2022-06-01T19:58:48.169Z'
format: date-time
nullable: true
type: string
updated_by:
nullable: true
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
version:
example: WzIwNzMsMV0=
type: string
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Add case settings
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
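Added example (not part of the Kibana spec or code base): a pre-flight validator in Python that applies the `customFields` and `connector` constraints from the schema above before a configuration body is sent to `POST /api/cases/configure`, so a malformed key, an over-long label or a `defaultValue` of the wrong type is caught locally instead of as a 400 from the server. The key, label, type, uniqueness and default-value rules come from the schema; the sample bodies and the `id`/`name` consistency check for the `none` connector are this example's own.

```python
import re
from typing import Any

# Constraints taken from the request/response schema above:
# key: 1-36 chars, lower case a-z, 0-9, '_' and '-', unique per configuration;
# label: 1-50 chars; type: 'text' or 'toggle'; defaultValue must match the type.
KEY_RE = re.compile(r"[a-z0-9_-]{1,36}")
LABEL_MAX = 50
VALUE_TYPE_FOR = {"text": str, "toggle": bool}


def validate_custom_field(field: dict[str, Any]) -> list[str]:
    """Return the problems with one customFields entry; an empty list means it is valid."""
    problems: list[str] = []
    key = field.get("key")
    if not isinstance(key, str) or not KEY_RE.fullmatch(key):
        problems.append(f"key {key!r} must be 1-36 characters of a-z, 0-9, '_' or '-'")
    label = field.get("label")
    if not isinstance(label, str) or not 1 <= len(label) <= LABEL_MAX:
        problems.append(f"label must be 1-{LABEL_MAX} characters")
    ftype = field.get("type")
    if ftype not in VALUE_TYPE_FOR:
        problems.append(f"type {ftype!r} must be one of {sorted(VALUE_TYPE_FOR)}")
    if not isinstance(field.get("required"), bool):
        problems.append("required must be a boolean")
    if "defaultValue" in field and ftype in VALUE_TYPE_FOR:
        value = field["defaultValue"]
        # bool is not a subclass of str and str is not a subclass of bool,
        # so isinstance distinguishes the two permitted default types cleanly.
        if not isinstance(value, VALUE_TYPE_FOR[ftype]):
            problems.append(
                f"defaultValue {value!r} must be a {VALUE_TYPE_FOR[ftype].__name__} for type {ftype!r}"
            )
    return problems


def validate_configuration(config: dict[str, Any]) -> list[str]:
    """Check a case configuration body before sending it to POST /api/cases/configure."""
    problems: list[str] = []
    seen_keys: set = set()
    for i, field in enumerate(config.get("customFields", [])):
        problems += [f"customFields[{i}]: {p}" for p in validate_custom_field(field)]
        key = field.get("key")
        if key in seen_keys:
            problems.append(f"customFields[{i}]: duplicate key {key!r}")
        seen_keys.add(key)
    connector = config.get("connector", {})
    # The schema says connector.fields is ignored at configuration level; send null.
    if connector.get("fields") is not None:
        problems.append("connector.fields is not used by the configuration; set it to null")
    # Local consistency check (this example's own rule, not a documented server rule):
    # 'none' disables the default connector and the schema uses it for both id and name.
    if (connector.get("id") == "none") != (connector.get("name") == "none"):
        problems.append("connector.id and connector.name must both be 'none' to disable the default connector")
    return problems


# Constructed sample bodies, one accepted and one with five problems.
VALID_CONFIG = {
    "closure_type": "close-by-user",
    "connector": {"id": "none", "name": "none", "type": ".none", "fields": None},
    "customFields": [
        {"key": "ticket_ref", "label": "Ticket reference", "type": "text", "required": False, "defaultValue": "n/a"},
        {"key": "escalated", "label": "Escalated", "type": "toggle", "required": True, "defaultValue": False},
    ],
    "owner": "securitySolution",
}
INVALID_CONFIG = {
    "closure_type": "close-by-user",
    "connector": {"id": "none", "name": "none", "type": ".none", "fields": {}},
    "customFields": [
        {"key": "Ticket Ref", "label": "x" * 51, "type": "toggle", "required": False, "defaultValue": "yes"},
        {"key": "dup", "label": "A", "type": "text", "required": True},
        {"key": "dup", "label": "B", "type": "text", "required": True},
    ],
    "owner": "securitySolution",
}
```

Run `validate_configuration` on the body and send the request only when it returns an empty list; the server still performs its own checks, this simply turns a round trip and a 400 into an immediate, itemised report.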
/api/cases/configure/{configurationId}:
patch:
description: |
**Spaces method and path for this operation:**
patch/s/{space_id}/api/cases/configure/{configurationId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created.
operationId: updateCaseConfigurationDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_kbn_xsrf'
- $ref: '#/components/parameters/Cases_configuration_id'
requestBody:
content:
application/json:
examples:
updateCaseConfigurationRequest:
$ref: '#/components/examples/Cases_update_case_configuration_request'
schema:
$ref: '#/components/schemas/Cases_update_case_configuration_request'
responses:
'200':
content:
application/json:
examples:
updateCaseConfigurationResponse:
$ref: '#/components/examples/Cases_update_case_configuration_response'
schema:
type: object
properties:
closure_type:
$ref: '#/components/schemas/Cases_closure_types'
connector:
type: object
properties:
fields:
description: The fields specified in the case configuration are not used and are not propagated to individual cases, so it is recommended to set this property to `null`.
nullable: true
type: object
id:
description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
example: none
type: string
name:
description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
example: none
type: string
type:
$ref: '#/components/schemas/Cases_connector_types'
created_at:
example: '2022-06-01T17:07:17.767Z'
format: date-time
type: string
created_by:
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
customFields:
description: Custom fields configuration details.
items:
type: object
properties:
defaultValue:
description: |
A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
oneOf:
- type: string
- type: boolean
key:
description: |
A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
maxLength: 36
minLength: 1
type: string
label:
description: The custom field label that is displayed in the case.
maxLength: 50
minLength: 1
type: string
type:
description: The type of the custom field.
enum:
- text
- toggle
type: string
required:
description: |
Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
type: boolean
type: array
error:
example: null
nullable: true
type: string
id:
example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6
type: string
mappings:
items:
type: object
properties:
action_type:
example: overwrite
type: string
source:
example: title
type: string
target:
example: summary
type: string
type: array
observableTypes:
description: Custom observable type configuration details.
items:
type: object
properties:
key:
description: The observable type key.
example: d312efda-ec2b-42ec-9e2c-84981795c581
type: string
label:
description: The observable type label.
example: My observable type
type: string
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
templates:
$ref: '#/components/schemas/Cases_templates'
updated_at:
example: '2022-06-01T19:58:48.169Z'
format: date-time
nullable: true
type: string
updated_by:
nullable: true
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
version:
example: WzIwNzMsMV0=
type: string
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Update case settings
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/configure/connectors/_find:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/cases/configure/connectors/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges.
operationId: findCaseConnectorsDefaultSpace
responses:
'200':
content:
application/json:
examples:
findConnectorResponse:
$ref: '#/components/examples/Cases_find_connector_response'
schema:
items:
type: object
properties:
actionTypeId:
$ref: '#/components/schemas/Cases_connector_types'
config:
additionalProperties: true
type: object
properties:
apiUrl:
type: string
projectKey:
type: string
id:
type: string
isDeprecated:
type: boolean
isMissingSecrets:
type: boolean
isPreconfigured:
type: boolean
name:
type: string
referencedByCount:
type: integer
maxItems: 1000
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Get case connectors
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/reporters:
get:
description: |
Returns information about the users who opened cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of case creation, including their username, full name, and email address. If any of those details change thereafter, or if a user is deleted, the information returned by this API is unchanged.
operationId: getCaseReportersDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_owner_filter'
responses:
'200':
content:
application/json:
examples:
getReportersResponse:
$ref: '#/components/examples/Cases_get_reporters_response'
schema:
items:
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
maxItems: 10000
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Get case creators
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/cases/tags:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/cases/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Aggregates and returns a list of case tags. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you are querying.
operationId: getCaseTagsDefaultSpace
parameters:
- $ref: '#/components/parameters/Cases_owner_filter'
responses:
'200':
content:
application/json:
examples:
getTagsResponse:
$ref: '#/components/examples/Cases_get_tags_response'
schema:
items:
type: string
maxItems: 10000
type: array
description: Indicates a successful call.
'401':
content:
application/json:
examples:
response401:
$ref: '#/components/examples/Cases_response_401'
schema:
$ref: '#/components/schemas/Cases_response_4xx'
description: Authorization information is missing or invalid.
summary: Get case tags
tags:
- cases
x-metaTags:
- content: Kibana
name: product_name
/api/data_views:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/data_views
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a list of all data views. Use this endpoint to identify available data views in the current Kibana space.
operationId: getAllDataViewsDefault
responses:
'200':
content:
application/json:
examples:
getAllDataViewsResponse:
$ref: '#/components/examples/Data_views_get_data_views_response'
schema:
type: object
properties:
data_view:
items:
type: object
properties:
id:
type: string
name:
type: string
namespaces:
items:
type: string
type: array
title:
type: string
typeMeta:
type: object
type: array
description: Indicates a successful call.
'400':
content:
application/json:
examples:
getAllDataViewsBadRequest:
$ref: '#/components/examples/Data_views_error_400_response'
schema:
$ref: '#/components/schemas/Data_views_400_response'
description: Bad request
summary: Get all data views
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/data_views" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/data_views
x-metaTags:
- content: Kibana
name: product_name
/api/data_views/data_view:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/data_views/data_view
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a data view. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views).
operationId: createDataViewDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
requestBody:
content:
application/json:
examples:
createDataViewRequest:
$ref: '#/components/examples/Data_views_create_data_view_request'
schema:
$ref: '#/components/schemas/Data_views_create_data_view_request_object'
required: true
responses:
'200':
content:
application/json:
examples:
createDataViewResponse:
$ref: '#/components/examples/Data_views_create_data_view_response'
schema:
$ref: '#/components/schemas/Data_views_data_view_response_object'
description: Indicates a successful call.
'400':
content:
application/json:
examples:
createDataViewBadRequest:
$ref: '#/components/examples/Data_views_error_400_response'
schema:
$ref: '#/components/schemas/Data_views_400_response'
description: Bad request
summary: Create a data view
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/data_views/data_view" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}'
- lang: Console
source: |
POST kbn://api/data_views/data_view
{"data_view":{"title":"logstash-*","name":"My Logstash data view"}}
x-metaTags:
- content: Kibana
name: product_name
/api/data_views/data_view/{viewId}:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/data_views/data_view/{viewId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a data view by its identifier. WARNING: When you delete a data view, it cannot be recovered.
operationId: deleteDataViewDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
- $ref: '#/components/parameters/Data_views_view_id'
responses:
'204':
description: Indicates a successful call.
'404':
content:
application/json:
examples:
deleteDataViewNotFound:
$ref: '#/components/examples/Data_views_error_404_response'
schema:
$ref: '#/components/schemas/Data_views_404_response'
description: Object is not found.
summary: Delete a data view
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
DELETE kbn://api/data_views/data_view/{viewId}
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/data_views/data_view/{viewId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a single data view by its identifier. Data views identify the Elasticsearch data you want to explore and visualize. They can point to one or more data streams, indices, or index aliases, and use optional runtime fields to compute values at query time. Note that data views are not required for ES|QL-based visualizations. To learn more, refer to the [data views documentation](https://www.elastic.co/docs/explore-analyze/find-and-organize/data-views).
operationId: getDataViewDefault
parameters:
- $ref: '#/components/parameters/Data_views_view_id'
responses:
'200':
content:
application/json:
examples:
getDataViewResponse:
$ref: '#/components/examples/Data_views_get_data_view_response'
schema:
$ref: '#/components/schemas/Data_views_data_view_response_object'
description: Indicates a successful call.
'404':
content:
application/json:
examples:
getDataViewNotFound:
$ref: '#/components/examples/Data_views_error_404_response'
schema:
$ref: '#/components/schemas/Data_views_404_response'
description: Object is not found.
summary: Get a data view
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/data_views/data_view/{viewId}
x-metaTags:
- content: Kibana
name: product_name
/api/data_views/data_view/{viewId}/runtime_field:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a runtime field for a data view. Runtime fields are computed at query time using a [Painless script](https://www.elastic.co/docs/explore-analyze/scripting/modules-scripting-painless) and do not require reindexing. If no `script` is provided, the runtime field returns the corresponding value from the document `_source`.
operationId: createRuntimeFieldDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
- $ref: '#/components/parameters/Data_views_view_id'
requestBody:
content:
application/json:
examples:
createRuntimeFieldRequest:
$ref: '#/components/examples/Data_views_create_runtime_field_request'
schema:
type: object
properties:
name:
description: |
The name for a runtime field.
type: string
runtimeField:
description: |
The runtime field definition object.
type: object
required:
- name
- runtimeField
required: true
responses:
'200':
content:
application/json:
examples:
createRuntimeFieldResponse:
$ref: '#/components/examples/Data_views_create_runtime_field_response'
schema:
type: object
description: Indicates a successful call.
summary: Create a runtime field
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}'
- lang: Console
source: |
POST kbn://api/data_views/data_view/{viewId}/runtime_field
{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}}
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create or update a runtime field for a data view. If the runtime field already exists, it is replaced with the new definition.
operationId: createUpdateRuntimeFieldDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
- description: |
The ID of the data view whose runtime field you want to create or update.
in: path
name: viewId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
updateRuntimeFieldRequest:
$ref: '#/components/examples/Data_views_create_runtime_field_request'
schema:
type: object
properties:
name:
description: |
The name for a runtime field.
type: string
runtimeField:
description: |
The runtime field definition object.
type: object
required:
- name
- runtimeField
required: true
responses:
'200':
content:
application/json:
examples:
createUpdateRuntimeFieldResponse:
$ref: '#/components/examples/Data_views_create_runtime_field_response'
schema:
type: object
properties:
data_view:
type: object
fields:
items:
type: object
type: array
description: Indicates a successful call.
'400':
content:
application/json:
examples:
createUpdateRuntimeFieldBadRequest:
$ref: '#/components/examples/Data_views_error_400_response'
schema:
$ref: '#/components/schemas/Data_views_400_response'
description: Bad request
summary: Create or update a runtime field
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X PUT "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}'
- lang: Console
source: |
PUT kbn://api/data_views/data_view/{viewId}/runtime_field
{"name":"hour_of_day","runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}}
x-metaTags:
- content: Kibana
name: product_name
/api/data_views/data_view/{viewId}/runtime_field/{fieldName}:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a single runtime field by name from a data view.
operationId: getRuntimeFieldDefault
parameters:
- $ref: '#/components/parameters/Data_views_field_name'
- $ref: '#/components/parameters/Data_views_view_id'
responses:
'200':
content:
application/json:
examples:
getRuntimeFieldResponse:
$ref: '#/components/examples/Data_views_get_runtime_field_response'
schema:
type: object
properties:
data_view:
type: object
fields:
items:
type: object
type: array
description: Indicates a successful call.
'404':
content:
application/json:
examples:
getRuntimeFieldNotFound:
$ref: '#/components/examples/Data_views_error_404_response'
schema:
$ref: '#/components/schemas/Data_views_404_response'
description: Object is not found.
summary: Get a runtime field
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName}
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an existing runtime field in a data view. Only the fields provided in the request body are updated.
operationId: updateRuntimeFieldDefault
parameters:
- $ref: '#/components/parameters/Data_views_field_name'
- $ref: '#/components/parameters/Data_views_view_id'
requestBody:
content:
application/json:
examples:
updateRuntimeFieldRequest:
$ref: '#/components/examples/Data_views_update_runtime_field_request'
schema:
type: object
properties:
runtimeField:
description: |
The runtime field definition object.
You can update the following fields:
- `type`
- `script`
type: object
required:
- runtimeField
required: true
responses:
'200':
description: Indicates a successful call.
'400':
content:
application/json:
examples:
updateRuntimeFieldBadRequest:
$ref: '#/components/examples/Data_views_error_400_response'
schema:
$ref: '#/components/schemas/Data_views_400_response'
description: Bad request
summary: Update a runtime field
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/data_views/data_view/${DATA_VIEW_ID}/runtime_field/${FIELD_NAME}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"runtimeField":{"type":"long","script":{"source":"emit(doc['"'"'timestamp'"'"'].value.getHour())"}}}'
- lang: Console
source: |
POST kbn://api/data_views/data_view/{viewId}/runtime_field/{fieldName}
{"runtimeField":{"type":"long","script":{"source":"emit(doc['timestamp'].value.getHour())"}}}
x-metaTags:
- content: Kibana
name: product_name
/api/data_views/default:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/data_views/default
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve the identifier of the default data view for the current Kibana space.
operationId: getDefaultDataViewDefault
responses:
'200':
content:
application/json:
examples:
getDefaultDataViewResponse:
$ref: '#/components/examples/Data_views_get_default_data_view_response'
schema:
type: object
properties:
data_view_id:
type: string
description: Indicates a successful call.
'400':
content:
application/json:
examples:
getDefaultDataViewBadRequest:
$ref: '#/components/examples/Data_views_error_400_response'
schema:
$ref: '#/components/schemas/Data_views_400_response'
description: Bad request
summary: Get the default data view
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/data_views/default" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/data_views/default
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/data_views/default
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Set the default data view for the current Kibana space. The default data view is used as a fallback when no specific data view is selected.
operationId: setDefaultDataViewDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
requestBody:
content:
application/json:
examples:
setDefaultDataViewRequest:
$ref: '#/components/examples/Data_views_set_default_data_view_request'
schema:
type: object
properties:
data_view_id:
description: |
The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view.
nullable: true
type: string
force:
default: false
description: Overwrite the current default data view identifier if one is already set.
type: boolean
required:
- data_view_id
required: true
responses:
'200':
content:
application/json:
examples:
setDefaultDataViewResponse:
$ref: '#/components/examples/Data_views_set_default_data_view_response'
schema:
type: object
properties:
acknowledged:
type: boolean
description: Indicates a successful call.
'400':
content:
application/json:
examples:
setDefaultDataViewBadRequest:
$ref: '#/components/examples/Data_views_error_400_response'
schema:
$ref: '#/components/schemas/Data_views_400_response'
description: Bad request
summary: Set the default data view
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/data_views/default" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}'
- lang: Console
source: |
POST kbn://api/data_views/default
{"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f","force":true}
x-metaTags:
- content: Kibana
name: product_name
/api/data_views/swap_references:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/data_views/swap_references
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Swap saved object references from one data view to another. Use this endpoint to update dashboards, visualizations, and other saved objects that reference a data view. WARNING: Misuse can break large numbers of saved objects! Use the [`_preview`](https://www.elastic.co/docs/api/doc/kibana/operation/operation-previewswapdataviewsdefault) endpoint to see which saved objects would be affected before making changes.
operationId: swapDataViewsDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
requestBody:
content:
application/json:
examples:
swapDataViewRequest:
$ref: '#/components/examples/Data_views_swap_data_view_request'
schema:
$ref: '#/components/schemas/Data_views_swap_data_view_request_object'
required: true
responses:
'200':
content:
application/json:
examples:
swapDataViewResponse:
$ref: '#/components/examples/Data_views_swap_data_view_response'
schema:
type: object
properties:
deleteStatus:
type: object
properties:
deletePerformed:
type: boolean
remainingRefs:
type: integer
result:
items:
type: object
properties:
id:
description: A saved object identifier.
type: string
type:
description: The saved object type.
type: string
type: array
description: Indicates a successful call.
summary: Swap saved object references
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/data_views/swap_references" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"fromId":"abcd-efg","toId":"xyz-123","delete":true}'
- lang: Console
source: |
POST kbn://api/data_views/swap_references
{"fromId":"abcd-efg","toId":"xyz-123","delete":true}
x-metaTags:
- content: Kibana
name: product_name
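Added example (not Kibana code): a Python wrapper that enforces the two cautions stated on this page, that `POST /api/data_views/default` does not validate the identifier it is given, and that `swap_references` should be previewed before it is run. It refuses to set a default that `GET /api/data_views` does not list, and it commits a swap only after `_preview` reports saved objects whose types fit an allow-list and whose count stays under a limit. The HTTP transport is injected; the `make_fake_kibana` stand-in, its sample data views and saved objects, and its rule that the source view is deleted only when no references remain are constructed for the example and are not claims about the server.

```python
from typing import Callable, Dict, Optional, Set, Tuple

# A transport takes (method, path, json_body_or_None) and returns (status, parsed_json).
# A real one would send HTTPS requests with the 'Authorization: ApiKey ...' and
# 'kbn-xsrf: true' headers shown in the curl samples; it is injected so the guard
# logic below can run offline against the constructed fake.
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


class KibanaDataViews:
    def __init__(self, transport: Transport):
        self._call = transport

    def _ok(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        status, payload = self._call(method, path, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} returned {status}: {payload.get('message', payload)}")
        return payload

    def existing_ids(self) -> Set[str]:
        return {dv["id"] for dv in self._ok("GET", "/api/data_views")["data_view"]}

    def set_default(self, data_view_id: str, force: bool = False) -> bool:
        # POST /api/data_views/default does not check that the id exists (see the schema
        # note), so a typo would silently install a dangling default. Check first.
        if data_view_id not in self.existing_ids():
            raise ValueError(f"data view {data_view_id!r} does not exist; not setting it as default")
        body = {"data_view_id": data_view_id, "force": force}
        return self._ok("POST", "/api/data_views/default", body).get("acknowledged") is True

    def swap_references(self, from_id: str, to_id: str, *, allowed_types: Set[str],
                        max_affected: int, delete: bool = False) -> dict:
        """Run _preview, refuse an unexpected or oversized blast radius, then commit."""
        if to_id not in self.existing_ids():
            raise ValueError(f"target data view {to_id!r} does not exist; aborting swap")
        request = {"fromId": from_id, "toId": to_id}
        affected = self._ok("POST", "/api/data_views/swap_references/_preview", request)["result"]
        unexpected = sorted({obj["type"] for obj in affected} - allowed_types)
        if unexpected:
            raise ValueError(f"preview touches saved object types {unexpected} outside the allow-list; aborting")
        if len(affected) > max_affected:
            raise ValueError(f"preview affects {len(affected)} objects, above the limit of {max_affected}; aborting")
        return self._ok("POST", "/api/data_views/swap_references", {**request, "delete": delete})


def make_fake_kibana(views: Dict[str, str], refs: list) -> Tuple[Transport, dict]:
    """Constructed in-memory stand-in for the four endpoints used above.

    Response shapes follow the schemas on this page; the rule that the source view is
    deleted only once no references remain is this fake's assumption.
    """
    state = {"views": dict(views), "refs": [dict(r) for r in refs], "default": None}

    def transport(method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
        if (method, path) == ("GET", "/api/data_views"):
            return 200, {"data_view": [{"id": i, "title": t} for i, t in state["views"].items()]}
        if (method, path) == ("POST", "/api/data_views/default"):
            state["default"] = body["data_view_id"]
            return 200, {"acknowledged": True}
        if (method, path) == ("POST", "/api/data_views/swap_references/_preview"):
            hits = [{"id": r["id"], "type": r["type"]} for r in state["refs"] if r["dv"] == body["fromId"]]
            return 200, {"result": hits}
        if (method, path) == ("POST", "/api/data_views/swap_references"):
            hits = []
            for r in state["refs"]:
                if r["dv"] == body["fromId"]:
                    r["dv"] = body["toId"]
                    hits.append({"id": r["id"], "type": r["type"]})
            remaining = sum(1 for r in state["refs"] if r["dv"] == body["fromId"])
            performed = bool(body.get("delete")) and remaining == 0
            if performed:
                state["views"].pop(body["fromId"], None)
            return 200, {"result": hits,
                         "deleteStatus": {"deletePerformed": performed, "remainingRefs": remaining}}
        return 404, {"statusCode": 404, "error": "Not Found", "message": f"no route for {method} {path}"}

    return transport, state


# Constructed sample: two data views and three saved objects referencing them.
SAMPLE_VIEWS = {"old-logs": "logstash-*", "new-logs": "logs-*"}
SAMPLE_REFS = [
    {"id": "dash-1", "type": "dashboard", "dv": "old-logs"},
    {"id": "vis-1", "type": "visualization", "dv": "old-logs"},
    {"id": "vis-2", "type": "visualization", "dv": "new-logs"},
]


def migrate(from_id: str = "old-logs", to_id: str = "new-logs") -> Tuple[dict, dict]:
    """Move every reference to the new view, drop the old view, make the new one the default."""
    transport, state = make_fake_kibana(SAMPLE_VIEWS, SAMPLE_REFS)
    api = KibanaDataViews(transport)
    result = api.swap_references(from_id, to_id, allowed_types={"dashboard", "visualization"},
                                 max_affected=50, delete=True)
    api.set_default(to_id, force=True)
    return result, state
```

The allow-list and the count limit are the operator's statement of the expected blast radius; if the preview disagrees with it, the script stops before anything is changed, which is the point of running `_preview` at all.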
/api/data_views/swap_references/_preview:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/data_views/swap_references/_preview
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Preview the effect of swapping saved object references from one data view to another. Returns the list of affected saved objects without making any changes.
operationId: previewSwapDataViewsDefault
parameters:
- $ref: '#/components/parameters/Data_views_kbn_xsrf'
requestBody:
content:
application/json:
examples:
previewSwapDataViewRequest:
$ref: '#/components/examples/Data_views_preview_swap_data_view_request'
schema:
$ref: '#/components/schemas/Data_views_swap_data_view_request_object'
required: true
responses:
'200':
content:
application/json:
examples:
previewSwapDataViewResponse:
$ref: '#/components/examples/Data_views_preview_swap_data_view_response'
schema:
type: object
properties:
result:
items:
type: object
properties:
id:
description: A saved object identifier.
type: string
type:
description: The saved object type.
type: string
type: array
description: Indicates a successful call.
summary: Preview swap references
tags:
- data views
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/data_views/swap_references/_preview" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"fromId":"abcd-efg","toId":"xyz-123"}'
- lang: Console
source: |
POST kbn://api/data_views/swap_references/_preview
{"fromId":"abcd-efg","toId":"xyz-123"}
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/index:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/detection_engine/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Permanently deletes the Elastic Security alerts backing index in the current space, including the alerts
stored in it. Use with caution; prefer lifecycle policies or the UI when available.
Call `GET /api/detection_engine/index` first to confirm the index that will be removed.
operationId: DeleteAlertsIndex
responses:
'200':
content:
application/json:
examples:
acknowledged:
value:
acknowledged: true
schema:
type: object
properties:
acknowledged:
type: boolean
required:
- acknowledged
description: Successful response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
message: API [DELETE /api/detection_engine/index] is unauthorized for the current user. The user needs alerts management permissions for the space.
status_code: 403
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Not enough permissions response
'404':
content:
application/json:
examples:
notFound:
value:
message: The Elastic Security alerts index to delete was not found.
status_code: 404
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Index does not exist response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Delete an alerts index
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/detection_engine/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns the backing Elasticsearch index for Elastic Security detection alerts in the current space, and
whether its mapping is outdated. Use this to verify that an alert index is provisioned before creating
or running rules that write alerts to it.
operationId: ReadAlertsIndex
responses:
'200':
content:
application/json:
examples:
success:
value:
index_mapping_outdated: false
name: .alerts-security.alerts-default
schema:
type: object
properties:
index_mapping_outdated:
nullable: true
type: boolean
name:
type: string
required:
- name
- index_mapping_outdated
description: Successful response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
message: API [GET /api/detection_engine/index] is unauthorized for the current user. Check Security and Kibana feature privileges (detection engine / alerts) for the space.
status_code: 403
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Not enough permissions response
'404':
content:
application/json:
examples:
notFound:
value:
message: Elastic Security alert index is not found for the current space.
status_code: 404
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Not found
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Reads the alert index name if it exists
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/detection_engine/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Creates an index for Elastic Security alerts. Calling this API is not
required for the detection engine to function properly. You can create
rules and alerts without calling this API.
operationId: CreateAlertsIndex
responses:
'200':
content:
application/json:
examples:
acknowledged:
value:
acknowledged: true
schema:
type: object
properties:
acknowledged:
type: boolean
required:
- acknowledged
description: Successful response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
message: API [POST /api/detection_engine/index] is unauthorized for the current user. The user must be able to create indices for the Elastic Security solution.
status_code: 403
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Not enough permissions response
'404':
content:
application/json:
examples:
notFound:
value:
message: A prerequisite resource required to create the alerts index was not found.
status_code: 404
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Not found
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Create an alerts index
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/privileges:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/detection_engine/privileges
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieves whether or not the user is authenticated, and the user's Kibana
space and index privileges, which determine if the user can create an
index for the Elastic Security alerts generated by
detection engine rules.
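As an added example that is not part of the Kibana specification or of Elastic's own code, the following Python turns the documented responses of `GET /api/detection_engine/privileges` and `GET /api/detection_engine/index` into a pre-flight decision before a script creates the alerts index or rules, and shows how to read the two different error shapes these endpoints return (`statusCode` in `Security_Detections_API_PlatformErrorResponse`, `status_code` in `Security_Detections_API_SiemErrorResponse`). The response bodies are constructed from the examples on this page; the set of index privileges it insists on, the `preflight` state names and the use of the default space's index name are assumptions of the example.

```python
"""Pre-flight checks built from the responses documented for
GET /api/detection_engine/privileges and GET /api/detection_engine/index.
Added example: the bodies below are constructed from this page's examples
(trimmed to the fields used), and nothing here contacts Kibana."""
from copy import deepcopy

ALERTS_INDEX = ".alerts-security.alerts-default"  # default space, as in the page example

PRIVILEGES_OK = {
    "is_authenticated": True,
    "has_encryption_key": True,
    "username": "elastic",
    "index": {ALERTS_INDEX: {"all": True, "create_index": True, "read": True,
                             "write": True, "view_index_metadata": True}},
}
INDEX_OK = {"name": ALERTS_INDEX, "index_mapping_outdated": False}
INDEX_MISSING = {"message": "Elastic Security alert index is not found for the current space.",
                 "status_code": 404}
PLATFORM_401 = {"error": "Unauthorized", "statusCode": 401,
                "message": "[security_exception ...]: unable to authenticate user [elastic] ..."}

# Assumption of this example, not a requirement stated by the API: the index
# privileges to insist on before attempting POST /api/detection_engine/index.
REQUIRED_INDEX_PRIVILEGES = ("create_index", "read", "write", "view_index_metadata")


def normalize_error(status, body):
    """Return (code, message) for either error schema on this page: the platform
    shape (`statusCode`, `error`, `message`) and the SIEM shape (`status_code`,
    `message`). Falls back to the HTTP status when the body carries no code."""
    code = body.get("statusCode", body.get("status_code", status))
    message = body.get("message") or body.get("error") or "unknown error"
    return int(code), message


def missing_index_privileges(privileges, index_name=ALERTS_INDEX):
    """Names from REQUIRED_INDEX_PRIVILEGES that the privileges response does not
    grant on `index_name` (a privilege counts only when its flag is exactly True)."""
    granted = privileges.get("index", {}).get(index_name, {})
    return [p for p in REQUIRED_INDEX_PRIVILEGES if granted.get(p) is not True]


def preflight(priv_status, priv_body, index_status, index_body):
    """Decide the next step from the two GET responses. Returns one of
    'unauthenticated', 'no_encryption_key', 'insufficient_privileges',
    'create_index', 'mapping_outdated', 'ready' or 'error:<code>'."""
    if priv_status == 401 or (priv_status == 200 and not priv_body.get("is_authenticated")):
        return "unauthenticated"
    if priv_status != 200:
        return "error:%d" % normalize_error(priv_status, priv_body)[0]
    if not priv_body.get("has_encryption_key"):
        return "no_encryption_key"  # assumption: treat a missing encryption key as a blocker
    if missing_index_privileges(priv_body):
        return "insufficient_privileges"
    if index_status == 404:
        return "create_index"  # POST /api/detection_engine/index is the documented next call
    if index_status != 200:
        return "error:%d" % normalize_error(index_status, index_body)[0]
    if index_body.get("index_mapping_outdated"):
        return "mapping_outdated"
    return "ready"


def limited_privileges(*drop):
    """Copy of PRIVILEGES_OK with the named index privileges withdrawn."""
    priv = deepcopy(PRIVILEGES_OK)
    for p in drop:
        priv["index"][ALERTS_INDEX][p] = False
    return priv


if __name__ == "__main__":
    print(preflight(200, PRIVILEGES_OK, 404, INDEX_MISSING))
    print(preflight(401, PLATFORM_401, 200, INDEX_OK))
```

Feed `preflight` the status code and parsed JSON of each GET; it never trusts `is_authenticated` from a non-200 body and never reports the index as ready when the mapping is flagged as outdated.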
operationId: ReadPrivileges
responses:
'200':
content:
application/json:
examples:
success:
value:
application: {}
cluster:
all: true
manage: true
manage_api_key: true
manage_index_templates: true
manage_ml: true
manage_own_api_key: true
manage_pipeline: true
manage_security: true
manage_transform: true
monitor: true
monitor_ml: true
monitor_transform: true
has_all_requested: true
has_encryption_key: true
index:
.alerts-security.alerts-default:
all: true
create: true
create_doc: true
create_index: true
delete: true
delete_index: true
index: true
maintenance: true
manage: true
monitor: true
read: true
view_index_metadata: true
write: true
is_authenticated: true
username: elastic
schema:
type: object
properties:
has_encryption_key:
type: boolean
is_authenticated:
type: boolean
required:
- is_authenticated
- has_encryption_key
description: Successful response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Returns user privileges for the Kibana space
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/rules:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a detection rule using the `rule_id` or `id` field.
The URL query must include one of the following:
* `id` - `DELETE /api/detection_engine/rules?id=`
* `rule_id` - `DELETE /api/detection_engine/rules?rule_id=`
The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
operationId: DeleteRule
parameters:
- description: The rule's `id` value.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Detections_API_UUID'
- description: The rule's `rule_id` value.
in: query
name: rule_id
required: false
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
responses:
'200':
content:
application/json:
examples:
deletedRule:
summary: Response shape after a rule is deleted
value:
actions: []
created_at: '2020-02-03T11:19:04.259Z'
created_by: elastic
description: Process started by MS Office program in user folder
enabled: false
false_positives: []
from: now-4200s
id: c41d170b-8ba6-4de6-b8ec-76440a35ace3
immutable: false
interval: 1h
language: kuery
max_signals: 100
name: MS Office child process
query: event.action:Process*
references: []
risk_score: 50
rule_id: process_started_by_ms_office_user_folder
severity: low
tags:
- tag
throttle: null
to: now
type: query
updated_at: '2020-02-03T11:19:04.462Z'
updated_by: elastic
version: 3
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
description: Indicates a successful call.
summary: Delete a detection rule
tags:
- Security Detections API
x-codeSamples:
- lang: cURL
source: |
curl \
--request DELETE "https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee" \
--header "Authorization: ApiKey ${API_KEY}" \
--header "kbn-xsrf: true" \
--header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a detection rule using the `rule_id` or `id` field.
The URL query must include one of the following:
* `id` - `GET /api/detection_engine/rules?id=`
* `rule_id` - `GET /api/detection_engine/rules?rule_id=`
The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
operationId: ReadRule
parameters:
- description: The rule's `id` value.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Detections_API_UUID'
- description: The rule's `rule_id` value.
in: query
name: rule_id
required: false
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
responses:
'200':
content:
application/json:
examples:
example1:
summary: Example response for a retrieved rule
value:
created_at: '2020-02-03T11:19:04.259Z'
created_by: elastic
description: Process started by MS Office program in user folder
enabled: false
execution_summary:
last_execution:
date: '2022-03-23T16:06:12.787Z'
message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
metrics:
execution_gap_duration_s: 0
total_indexing_duration_ms: 15
total_search_duration_ms: 135
status: partial failure
status_order: 20
false_positives: []
filters:
- query:
match:
event.action:
query: 'Process Create (rule: ProcessCreate)'
type: phrase
from: now-4200s
id: c41d170b-8ba6-4de6-b8ec-76440a35ace3
immutable: false
interval: 1h
language: kuery
max_signals: 100
name: MS Office child process
query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
references: []
related_integrations:
- package: o365
version: ^2.3.2
required_fields:
- ecs: true
name: process.name
type: keyword
- ecs: true
name: process.parent.name
type: keyword
risk_score: 21
rule_id: process_started_by_ms_office_user_folder
setup: ''
severity: low
tags:
- child process
- ms office
threat:
- framework: MITRE ATT&CK
tactic:
id: TA0001
name: Initial Access
reference: https://attack.mitre.org/tactics/TA0001
technique:
- id: T1193
name: Spearphishing Attachment
reference: https://attack.mitre.org/techniques/T1193
to: now-300s
type: query
updated_at: '2020-02-03T11:19:04.462Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
description: |
Indicates a successful call.
> info
> These fields are under development and their usage or schema may change: execution_summary.
summary: Retrieve a detection rule
tags:
- Security Detections API
x-codeSamples:
- lang: cURL
source: |
curl \
--request GET "https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee" \
--header "Authorization: ApiKey ${API_KEY}" \
--header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |
**Spaces method and path for this operation:**
patch/s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update specific fields of an existing detection rule using the `rule_id` or `id` field.
The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
> warn
> When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
operationId: PatchRule
requestBody:
content:
application/json:
examples:
example1:
summary: Patch query rule
value:
id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76
name: New name
example2:
summary: Patch EQL rule
value:
rule_id: process_started_by_ms_office_program_possible_payload
threat:
- framework: MITRE ATT&CK
tactic:
id: TA0001
name: Initial Access
reference: https://attack.mitre.org/tactics/TA0001
technique:
- id: T1193
name: Spearphishing Attachment
reference: https://attack.mitre.org/techniques/T1193
example3:
summary: Patch threshold rule
value:
id: 005d2c4f-51ca-493d-a2bd-20ef076339b1
query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"'
threshold:
cardinality: []
field: []
value: 600
example4:
summary: Patch new terms rule
value:
history_window_start: now-3d
id: 569aac91-40dc-4807-a8ae-a2c8698089c4
new_terms_fields:
- Endpoint.policy.applied.artifacts.global.identifiers.name
example5:
summary: Patch esql rule
value:
id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd
query: |
FROM logs-abc*
| STATS count = COUNT(*), min_timestamp = MIN(@timestamp)
| EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW())
| KEEP event_rate
example6:
summary: Patch indicator match rule
value:
id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd
threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"'
example7:
summary: Patch machine learning rule
value:
anomaly_threshold: 50
id: 60b13926-289b-41b1-a537-197ef1fa5059
machine_learning_job_id:
- auth_high_count_logon_events_ea
schema:
$ref: '#/components/schemas/Security_Detections_API_RulePatchProps'
description: |
> info
> You cannot modify the `id` or `rule_id` values.
required: true
responses:
'200':
content:
application/json:
examples:
example1:
summary: Example response for an updated rule
value:
actions: []
created_at: '2020-04-07T14:51:09.755Z'
created_by: elastic
description: Updated description for the rule.
enabled: false
false_positives: []
filters:
- query: null
from: now-70m
id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1
immutable: false
interval: 1h
language: kuery
max_signals: 100
name: Updated Rule Name
query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
references: []
related_integrations:
- package: o365
required_fields:
- name: process.parent.name
risk_score: 50
rule_id: process_started_by_ms_office_program
setup: ''
severity: low
tags:
- child process
- ms office
threat: []
to: now
type: query
updated_at: '2020-04-07T14:51:09.970Z'
updated_by: elastic
version: 2
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
description: Indicates a successful call.
summary: Patch a detection rule
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new detection rule.
> warn
> When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
You can create the following types of rules:
* **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query.
* **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query.
* **Threshold**: Searches the defined indices and creates an alert when the number of documents in which the specified field has a particular value meets the threshold during a single execution. When multiple values meet the threshold, an alert is generated for each value.
For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. For the underlying bucketing, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html).
* **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html).
* **New terms**: Generates an alert for each new term detected in source documents within a specified time range.
* **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results.
* **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold.
> info
> To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running.
To retrieve machine learning job IDs, which are required to create machine learning rules, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules:
```json
...
"job_id": "linux_anomalous_network_activity_ecs",
"job_type": "anomaly_detector",
"job_version": "7.7.0",
"groups": [
"auditbeat",
"process",
"siem"
],
...
```
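The following Python is an added example, not Elastic's detection engine code (which runs these rule types as Elasticsearch queries and aggregations): it shows what a result set must look like for a threshold rule, an indicator match rule and a new terms rule to produce an alert, using the `threat_mapping` from the indicator match request example on this page. The events and indicator documents are constructed; the function names and the flat ECS-style field names are assumptions of the example.

```python
"""Matching semantics for three of the rule types listed above (threshold,
indicator match, new terms) evaluated over constructed sample events.
Added example; not part of the Kibana spec or of Elastic's code."""
from collections import Counter

# Constructed sample events (flat ECS-style field names; @timestamp in epoch seconds).
EVENTS = [
    {"@timestamp": 100, "source.ip": "198.51.100.9", "destination.ip": "10.0.0.20", "destination.port": 443, "user.id": "alice"},
    {"@timestamp": 110, "source.ip": "198.51.100.9", "destination.ip": "10.0.0.21", "destination.port": 22, "user.id": "alice"},
    {"@timestamp": 120, "source.ip": "198.51.100.9", "destination.ip": "10.0.0.20", "destination.port": 443, "user.id": "bob"},
    {"@timestamp": 130, "source.ip": "192.0.2.44", "destination.ip": "10.0.0.20", "destination.port": 443, "user.id": "bob"},
    {"@timestamp": 900, "source.ip": "192.0.2.44", "destination.ip": "203.0.113.5", "destination.port": 8443, "user.id": "alice"},
    {"@timestamp": 910, "source.ip": "198.51.100.9", "destination.ip": "203.0.113.5", "destination.port": 80, "user.id": "carol"},
]

# Constructed indicator documents standing in for the rule's `threat_index`.
THREAT_DOCS = [
    {"destination.ip": "203.0.113.5", "destination.port": 8443},
    {"host.ip": "192.0.2.44"},
]

# `threat_mapping` as in the indicator match request example on this page:
# entries inside one group are ANDed, the groups are ORed; `field` is the
# event field and `value` is the field in the threat index.
THREAT_MAPPING = [
    {"entries": [{"field": "destination.ip", "type": "mapping", "value": "destination.ip"},
                 {"field": "destination.port", "type": "mapping", "value": "destination.port"}]},
    {"entries": [{"field": "source.ip", "type": "mapping", "value": "host.ip"}]},
]


def threshold_alerts(events, field, value):
    """One alert per distinct value of `field` seen at least `value` times in one
    execution. `field` may be a name, a list of names (bucket on the tuple) or an
    empty list, in which case the whole result set is a single bucket, as in the
    `field: []` patch example on this page. Returns {bucket_key: count}."""
    fields = [field] if isinstance(field, str) else list(field)
    counts = Counter(tuple(e.get(f) for f in fields) for e in events)
    return {key: n for key, n in counts.items() if n >= value}


def indicator_matches(events, threat_docs, threat_mapping):
    """Return (event_index, threat_doc) pairs where some mapping group has every
    entry satisfied by the same threat document."""
    hits = []
    for i, event in enumerate(events):
        for threat in threat_docs:
            for group in threat_mapping:
                entries = [x for x in group["entries"] if x.get("type") == "mapping"]
                if entries and all(
                    x["field"] in event and x["value"] in threat
                    and event[x["field"]] == threat[x["value"]]
                    for x in entries
                ):
                    hits.append((i, threat))
                    break  # one hit per event/indicator pair even if several groups match
    return hits


def new_terms_alerts(events, fields, history_start, window_start):
    """One alert per combination of `fields` that appears at or after
    `window_start` but never in [history_start, window_start), the role played
    by `history_window_start` in the new terms rule examples."""
    def key(e):
        return tuple(e.get(f) for f in fields)

    history = {key(e) for e in events if history_start <= e["@timestamp"] < window_start}
    alerts = []
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        if e["@timestamp"] >= window_start and key(e) not in history and key(e) not in alerts:
            alerts.append(key(e))
    return alerts


if __name__ == "__main__":
    print("threshold:", threshold_alerts(EVENTS, "source.ip", 3))
    print("indicator:", indicator_matches(EVENTS, THREAT_DOCS, THREAT_MAPPING))
    print("new terms:", new_terms_alerts(EVENTS, ["user.id", "source.ip"], 0, 500))
```

Note that the indicator match evaluator requires every entry of a group to match the same indicator document; matching `destination.ip` against one document and `destination.port` against another would not fire, which is the behaviour the example description above relies on.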
Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting). Each action type requires a connector. Connectors store the information required to send notifications via external systems. The following connector types are supported for rule notifications:
* Slack
* Email
* PagerDuty
* Webhook
* Microsoft Teams
* IBM Resilient
* Jira
* ServiceNow ITSM
> info
> For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/).
To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/docs/api/doc/kibana/operation/operation-findsavedobjects) with the `type` query parameter set to `action`.
For detailed information on Kibana actions and alerting, and additional API calls, see:
* [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting)
* [Alerting and Actions framework](https://www.elastic.co/docs/explore-analyze/alerting)
* [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors)
operationId: CreateRule
requestBody:
content:
application/json:
examples:
example1:
description: Query rule that searches for processes started by MS Office
summary: Query rule
value:
description: Process started by MS Office program - possible payload
enabled: false
filters:
- query:
match:
event.action:
query: 'Process Create (rule: ProcessCreate)'
type: phrase
from: now-70m
interval: 1h
language: kuery
name: MS Office child process
query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
related_integrations:
- package: o365
version: ^2.3.2
required_fields:
- name: process.parent.name
type: keyword
risk_score: 50
rule_id: process_started_by_ms_office_program
severity: low
tags:
- child process
- ms office
type: query
example2:
description: Threshold rule that detects multiple failed login attempts to a Windows host from the same external source IP address
summary: Threshold rule
value:
description: Detects when there are 20 or more failed login attempts from the same IP address within a 2 minute time frame.
enabled: true
exceptions_list:
- id: int-ips
namespace_type: single
type: detection
from: now-180s
index:
- winlogbeat-*
interval: 2m
name: Windows server prml-19
query: host.name:prml-19 and event.category:authentication and event.outcome:failure
required_fields:
- name: source.ip
type: ip
risk_score: 30
rule_id: liv-win-ser-logins
severity: low
severity_mapping:
- field: source.geo.city_name
operator: equals
severity: low
value: Manchester
- field: source.geo.city_name
operator: equals
severity: medium
value: London
- field: source.geo.city_name
operator: equals
severity: high
value: Birmingham
- field: source.geo.city_name
operator: equals
severity: critical
value: Wallingford
tags:
- Brute force
threshold:
field: source.ip
value: 20
type: threshold
example3:
description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above.
summary: Machine learning rule
value:
actions:
- action_type_id: .slack
group: default
id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5
params:
message: 'Urgent: {{context.rule.description}}'
anomaly_threshold: 70
description: Generates alerts when the job discovers anomalies over 70
enabled: true
from: now-6m
interval: 5m
machine_learning_job_id: linux_anomalous_network_activity_ecs
name: Anomalous Linux network activity
note: Shut down the internet.
risk_score: 70
rule_id: ml_linux_network_high_threshold
setup: This rule requires data coming in from Elastic Defend.
severity: high
tags:
- machine learning
- Linux
type: machine_learning
example4:
description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections
summary: EQL rule
value:
description: Unusual rundll32.exe network connection
language: eql
name: rundll32.exe network connection
query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")]
required_fields:
- name: event.type
type: keyword
- name: process.args
type: keyword
- name: process.args_count
type: long
- name: process.entity_id
type: keyword
- name: process.name
type: keyword
- name: process.pe.original_file_name
type: keyword
risk_score: 21
rule_id: eql-outbound-rundll32-connections
severity: low
tags:
- EQL
- Windows
- rundll32.exe
type: eql
example5:
description: |
Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index.
summary: Indicator match rule
value:
actions: []
description: Checks for bad IP addresses listed in the ip-threat-list index
index:
- packetbeat-*
name: Bad IP threat match
query: destination.ip:* or host.ip:*
required_fields:
- name: destination.ip
type: ip
- name: destination.port
type: long
- name: host.ip
type: ip
risk_score: 50
severity: medium
threat_index:
- ip-threat-list
threat_mapping:
- entries:
- field: destination.ip
type: mapping
value: destination.ip
- field: destination.port
type: mapping
value: destination.port
- entries:
- field: source.ip
type: mapping
value: host.ip
threat_query: '*:*'
type: threat_match
example6:
description: New terms rule that creates an alert when a new IP address is detected for a user
summary: New terms rule
value:
description: Detects a user associated with a new IP address
history_window_start: now-30d
index:
- auditbeat*
language: kuery
name: New User IP Detected
new_terms_fields:
- user.id
- source.ip
query: '*'
required_fields:
- name: user.id
type: keyword
- name: source.ip
type: ip
risk_score: 21
severity: medium
type: new_terms
example7:
description: esql rule that creates alerts from events that match an Excel parent process
summary: Esql rule
value:
description: Find Excel events
enabled: false
from: now-360s
interval: 5m
language: esql
name: Find Excel events
query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE"
required_fields:
- name: process.parent.name
type: keyword
risk_score: 21
severity: low
tags: []
to: now
type: esql
example8:
description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period
summary: Query rule 2
value:
alert_suppression:
duration:
unit: h
value: 5
group_by:
- process.parent.name
missing_fields_strategy: suppress
description: Process started by MS Office program - possible payload
enabled: false
filters:
- query:
match:
event.action:
query: 'Process Create (rule: ProcessCreate)'
type: phrase
from: now-70m
interval: 1h
language: kuery
name: MS Office child process
query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
risk_score: 50
rule_id: process_started_by_ms_office_program
severity: low
tags:
- child process
- ms office
type: query
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleCreateProps'
required: true
responses:
'200':
content:
application/json:
examples:
example1:
description: Example response for a query rule
summary: Query rule response
value:
actions: []
created_at: '2020-04-07T14:51:09.755Z'
created_by: elastic
description: Process started by MS Office program - possible payload
enabled: false
false_positives: []
filters:
- query:
match:
event.action:
query: 'Process Create (rule: ProcessCreate)'
type: phrase
from: now-70m
id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1
immutable: false
interval: 1h
language: kuery
max_signals: 100
name: MS Office child process
query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
references: []
related_integrations:
- package: o365
version: ^2.3.2
- integration: graphactivitylogs
package: azure
version: ^1.11.4
required_fields:
- ecs: true
name: process.parent.name
type: keyword
risk_score: 50
rule_id: process_started_by_ms_office_program
setup: ''
severity: low
tags:
- child process
- ms office
threat: []
to: now
type: query
updated_at: '2020-04-07T14:51:09.970Z'
updated_by: elastic
version: 1
example2:
description: Example response for a machine learning job rule
summary: Machine learning response
value:
actions:
- action_type_id: .slack
frequency:
notifyWhen: onActiveAlert
summary: true
throttle: null
group: default
id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5
params:
message: 'Urgent: {{context.rule.description}}'
anomaly_threshold: 70
created_at: '2020-04-07T14:45:15.679Z'
created_by: elastic
description: Generates alerts when the job discovers anomalies over 70
enabled: true
false_positives: []
from: now-6m
id: 83876f66-3a57-4a99-bf37-416494c80f3b
immutable: false
interval: 5m
machine_learning_job_id: linux_anomalous_network_activity_ecs
max_signals: 100
name: Anomalous Linux network activity
note: Shut down the internet.
references: []
related_integrations: []
required_fields: []
risk_score: 70
rule_id: ml_linux_network_high_threshold
setup: ''
severity: high
status: going to run
status_date: '2020-04-07T14:45:21.685Z'
tags:
- machine learning
- Linux
threat: []
to: now
type: machine_learning
updated_at: '2020-04-07T14:45:15.892Z'
updated_by: elastic
version: 1
example3:
description: Example response for a threshold rule
summary: Threshold rule response
value:
actions: []
author: []
created_at: '2020-07-22T10:27:23.486Z'
created_by: elastic
description: Detects when there are 20 or more failed login attempts from the same IP address within a 2 minute time frame.
enabled: true
exceptions_list:
- id: int-ips
namespace_type: single
type: detection
false_positives: []
from: now-180s
id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993
immutable: false
index:
- winlogbeat-*
interval: 2m
language: kuery
max_signals: 100
name: Windows server prml-19
query: host.name:prml-19 and event.category:authentication and event.outcome:failure
references: []
related_integrations:
- package: o365
version: ^2.3.2
required_fields:
- ecs: true
name: source.ip
type: ip
risk_score: 30
risk_score_mapping: []
rule_id: liv-win-ser-logins
setup: ''
severity: low
severity_mapping:
- field: source.geo.city_name
operator: equals
severity: low
value: Manchester
- field: source.geo.city_name
operator: equals
severity: medium
value: London
- field: source.geo.city_name
operator: equals
severity: high
value: Birmingham
- field: source.geo.city_name
operator: equals
severity: critical
value: Wallingford
tags:
- Brute force
threat: []
threshold:
field: source.ip
value: 20
to: now
type: threshold
updated_at: '2020-07-22T10:27:23.673Z'
updated_by: elastic
version: 1
example4:
description: Example response for an EQL rule
summary: EQL rule response
value:
author: []
created_at: '2020-10-05T09:06:16.392Z'
created_by: elastic
description: Unusual rundll32.exe network connection
enabled: true
exceptions_list: []
false_positives: []
from: now-6m
id: 93808cae-b05b-4dc9-8479-73574b50f8b1
immutable: false
interval: 5m
language: eql
max_signals: 100
name: rundll32.exe network connection
query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")]
references: []
related_integrations:
- package: o365
version: ^2.3.2
required_fields:
- ecs: true
name: event.type
type: keyword
- ecs: true
name: process.args
type: keyword
- ecs: true
name: process.args_count
type: long
- ecs: true
name: process.entity_id
type: keyword
- ecs: true
name: process.name
type: keyword
- ecs: true
name: process.pe.original_file_name
type: keyword
risk_score: 21
risk_score_mapping: []
rule_id: eql-outbound-rundll32-connections
setup: ''
severity: low
severity_mapping: []
tags:
- EQL
- Windows
- rundll32.exe
threat: []
throttle: no_actions
to: now
type: eql
updated_at: '2020-10-05T09:06:16.403Z'
updated_by: elastic
version: 1
example5:
description: Example response for an indicator match rule
summary: Indicator match rule response
value:
author: []
created_at: '2020-10-06T07:07:58.227Z'
created_by: elastic
description: Checks for bad IP addresses listed in the ip-threat-list index
enabled: true
exceptions_list: []
false_positives: []
from: now-6m
id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1
immutable: false
index:
- packetbeat-*
interval: 5m
language: kuery
max_signals: 100
name: Bad IP threat match
query: destination.ip:* or host.ip:*
references: []
related_integrations:
- package: o365
version: ^2.3.2
required_fields:
- ecs: true
name: destination.ip
type: ip
- ecs: true
name: destination.port
type: long
- ecs: true
name: host.ip
type: ip
risk_score: 50
risk_score_mapping: []
rule_id: 608501e4-c768-4f64-9326-cec55b5d439b
setup: ''
severity: medium
severity_mapping: []
tags: []
threat: []
threat_index:
- ip-threat-list
threat_mapping:
- entries:
- field: destination.ip
type: mapping
value: destination.ip
- field: destination.port
type: mapping
value: destination.port
- entries:
- field: source.ip
type: mapping
value: host.ip
threat_query: '*:*'
to: now
type: threat_match
updated_at: '2020-10-06T07:07:58.237Z'
updated_by: elastic
version: 1
example6:
description: Example response for a new terms rule
summary: New terms rule response
value:
author: []
created_at: '2020-10-06T07:07:58.227Z'
created_by: elastic
description: Detects a user associated with a new IP address
enabled: true
exceptions_list: []
false_positives: []
from: now-6m
history_window_start: now-30d
id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4
immutable: false
index:
- auditbeat*
interval: 5m
language: kuery
max_signals: 100
name: New User IP Detected
new_terms_fields:
- user.id
- source.ip
query: '*'
references: []
related_integrations:
- package: o365
version: ^2.3.2
required_fields:
- ecs: true
name: user.id
type: keyword
- ecs: true
name: source.ip
type: ip
risk_score: 21
risk_score_mapping: []
rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30
setup: ''
severity: medium
severity_mapping: []
tags: []
threat: []
to: now
type: new_terms
updated_at: '2020-10-06T07:07:58.237Z'
updated_by: elastic
version: 1
example7:
description: Example response for an Esql rule
summary: Esql rule response
value:
actions: []
author: []
created_at: '2023-10-18T10:55:14.269Z'
created_by: elastic
description: Find Excel events
enabled: false
exceptions_list: []
false_positives: []
from: now-360s
id: d0f20490-6da4-11ee-b85e-09e9b661f2e2
immutable: false
interval: 5m
language: esql
max_signals: 100
name: Find Excel events
output_index: ''
query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE"
references: []
related_integrations:
- package: o365
version: ^2.3.2
required_fields:
- ecs: true
name: process.parent.name
type: keyword
revision: 0
risk_score: 21
risk_score_mapping: []
rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589
setup: ''
severity: low
severity_mapping: []
tags: []
threat: []
to: now
type: esql
updated_at: '2023-10-18T10:55:14.269Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
description: Indicates a successful call.
summary: Create a detection rule
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put /s/{space_id}/api/detection_engine/rules
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted.
The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
> warn
> When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
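The replace-everything semantics above are the main operational hazard of this endpoint: a PUT that carries only the fields you meant to change silently deletes the rule's exception lists, threshold, actions and anything else you left out. The following Python script is an added example (not code from the Kibana docs or the Kibana source) of a read-modify-write update: it reads the rule back, strips the fields the server owns, applies the change, sends the full body with PUT, and reports any field that changed although it was not part of the request. It assumes the GET operation at the same path accepts a `rule_id` query parameter (the retrieve operation is not shown in this excerpt); `KIBANA_URL`, `API_KEY`, `RESPONSE_ONLY_FIELDS`, `SAMPLE_RULE` and `fake_send` are this example's own placeholders and constructed data.

```python
"""Read-modify-write update for PUT /api/detection_engine/rules.

Added example, not code from the Kibana docs or the Kibana source. It relies
on the behaviour documented above (PUT replaces the whole rule, unspecified
fields are deleted, id and rule_id cannot be changed) and assumes the GET
operation at the same path accepts a rule_id query parameter. KIBANA_URL,
API_KEY, RESPONSE_ONLY_FIELDS, SAMPLE_RULE and fake_send are this example's
own placeholders and constructed data.
"""
import copy
import json
import urllib.request

KIBANA_URL = "https://localhost:5601"  # placeholder
API_KEY = "replace-me"                 # placeholder: base64 "id:key" API key
RULES_PATH = "/api/detection_engine/rules"

# Assumption: these appear in every rule response but are set by the server,
# so they are stripped before the rule is sent back.
RESPONSE_ONLY_FIELDS = {
    "id", "created_at", "created_by", "updated_at", "updated_by",
    "immutable", "revision", "execution_summary", "rule_source",
}
SERVER_BUMPED = {"version"}          # incremented by the server (1 -> 2 above)
IDENTITY_FIELDS = {"id", "rule_id"}  # documented: cannot be modified


def send(method, path, body=None):
    """Minimal Kibana call: API key auth plus the kbn-xsrf header on writes."""
    req = urllib.request.Request(
        KIBANA_URL + path, method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"ApiKey {API_KEY}",
                 "Content-Type": "application/json", "kbn-xsrf": "true"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def build_update_body(current, changes):
    """Start from the full rule as read back, drop server-owned fields, apply
    the changes: the PUT then carries every field we intend to keep."""
    if not current.get("rule_id"):
        raise ValueError("current rule has no rule_id to identify it by")
    if IDENTITY_FIELDS & set(changes):
        raise ValueError("id and rule_id cannot be modified with PUT")
    body = {k: copy.deepcopy(v) for k, v in current.items()
            if k not in RESPONSE_ONLY_FIELDS}
    body.update(copy.deepcopy(changes))
    return body


def unexpected_changes(before, after, changes):
    """Fields that differ between old and new rule although they were not in
    `changes`; a non-empty list means the PUT erased or altered something."""
    keys = (set(before) | set(after)) - RESPONSE_ONLY_FIELDS - SERVER_BUMPED - set(changes)
    return sorted(k for k in keys if before.get(k) != after.get(k))


def update_rule(rule_id, changes, send=send):
    """GET by stable rule_id, PUT the merged body, return (rule, unexpected)."""
    current = send("GET", f"{RULES_PATH}?rule_id={rule_id}")
    body = build_update_body(current, changes)
    updated = send("PUT", RULES_PATH, body)
    return updated, unexpected_changes(current, updated, changes)


# Constructed sample, trimmed from the threshold-rule response shown above,
# and an offline stand-in for send() so the flow can be exercised locally.
SAMPLE_RULE = {
    "id": "15dbde26-b627-4d74-bb1f-a5e0ed9e4993", "rule_id": "liv-win-ser-logins",
    "created_at": "2020-07-22T10:27:23.486Z", "created_by": "elastic",
    "updated_at": "2020-07-22T10:27:23.673Z", "updated_by": "elastic",
    "immutable": False, "enabled": True, "name": "Windows server prml-19",
    "description": "20 or more failed logins from one IP within 2 minutes",
    "type": "threshold", "language": "kuery", "index": ["winlogbeat-*"],
    "query": "host.name:prml-19 and event.category:authentication and event.outcome:failure",
    "threshold": {"field": "source.ip", "value": 20},
    "exceptions_list": [{"id": "int-ips", "namespace_type": "single", "type": "detection"}],
    "from": "now-180s", "to": "now", "interval": "2m", "max_signals": 100,
    "risk_score": 30, "severity": "low", "tags": ["Brute force"], "version": 1,
}


def fake_send(method, path, body=None):
    """GET returns the sample; PUT echoes the body back the way the API does,
    re-adding the server-owned fields and bumping version."""
    if method == "GET":
        return copy.deepcopy(SAMPLE_RULE)
    echoed = copy.deepcopy(body)
    echoed.update({k: SAMPLE_RULE[k] for k in RESPONSE_ONLY_FIELDS if k in SAMPLE_RULE})
    echoed["version"] = SAMPLE_RULE["version"] + 1
    return echoed
```

Call `update_rule("liv-win-ser-logins", {"severity": "high"}, send=fake_send)` to exercise the flow offline and drop the `send=` argument to talk to a real Kibana. The check worth running before any hand-written PUT is `unexpected_changes(current, naive_body, changes)`: given a body that carries only `rule_id` and the changed field, it lists every field (threshold, exception lists, index patterns, schedule) that the update would erase.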
operationId: UpdateRule
requestBody:
content:
application/json:
examples:
example1:
summary: Update query rule
value:
description: A new description
id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76
name: A new name for the rule
risk_score: 22
severity: medium
type: query
example2:
summary: Update EQL rule
value:
description: eql rule test
id: 9b684efb-acf9-4323-9bff-8335b3867d14
index:
- apm-*-transaction*
language: eql
name: New name for EQL rule
query: process where process.name == "regsvr32.exe"
risk_score: 21
severity: low
type: eql
example3:
summary: Update threshold rule
value:
description: Description of threat rule test
id: 005d2c4f-51ca-493d-a2bd-20ef076339b1
language: kuery
name: New name for threat rule
query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"'
risk_score: 21
severity: low
tags:
- new_tag
threshold:
cardinality: []
field: []
value: 400
type: threshold
example4:
summary: Update new terms rule
value:
description: New description
history_window_start: now-7d
id: 569aac91-40dc-4807-a8ae-a2c8698089c4
interval: 5m
name: New terms rule name
new_terms_fields:
- Endpoint.policy.applied.artifacts.global.identifiers.name
query: 'agent.version : "9.1.0"'
risk_score: 21
severity: low
type: new_terms
example5:
summary: Update esql rule
value:
description: New description for esql rule
id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd
language: esql
name: New name for esql rule
query: |
FROM logs*
| STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */
| EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */
| KEEP event_rate
risk_score: 21
severity: low
type: esql
example6:
summary: Update indicator match rule
value:
description: New description
id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd
name: New name for Indicator Match rule
query: 'source.ip:* or destination.ip:*'
risk_score: 99
severity: critical
threat_index:
- filebeat-*
- logs-ti_*
threat_mapping:
- entries:
- field: source.ip
type: mapping
value: threat.indicator.ip
- entries:
- field: destination.ip
type: mapping
value: threat.indicator.ip
threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"'
type: threat_match
example7:
summary: Update machine learning rule
value:
anomaly_threshold: 50
description: New description of ml rule
id: 60b13926-289b-41b1-a537-197ef1fa5059
machine_learning_job_id:
- auth_high_count_logon_events_ea
name: New name of ml rule
risk_score: 21
severity: low
type: machine_learning
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps'
description: |
> info
> All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values.
required: true
responses:
'200':
content:
application/json:
examples:
example1:
summary: Example response for an updated rule
value:
actions: []
created_at: '2020-04-07T14:51:09.755Z'
created_by: elastic
description: Updated description for the rule.
enabled: false
false_positives: []
filters:
- query: null
from: now-70m
id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1
immutable: false
interval: 1h
language: kuery
max_signals: 100
name: Updated Rule Name
query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE
references: []
related_integrations:
- package: o365
required_fields:
- name: process.parent.name
risk_score: 50
rule_id: process_started_by_ms_office_program
setup: ''
severity: low
tags:
- child process
- ms office
threat: []
to: now
type: query
updated_at: '2020-04-07T14:51:09.970Z'
updated_by: elastic
version: 2
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
description: Indicates a successful call.
summary: Update a detection rule
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/rules/_bulk_action:
post:
description: |
**Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules/_bulk_action
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once.
The edit action is idempotent: adding a tag to a rule that already has that tag makes no change, and the same holds for the other edit actions, for example removing an index pattern that a rule does not have. The exceptions are `add_rule_actions` and `set_rule_actions`, which are non-idempotent: adding or setting a rule action on a rule that already has that action creates a new action with a new unique ID.
> warn
> When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
operationId: PerformRulesBulkAction
parameters:
- description: |
Enables dry run mode for the request call.
Enable dry run mode to verify that a bulk action can be applied to the specified rules before you commit it. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and are reported as errors in the response. Each error contains an explanation, the rule name and/or ID, and additional troubleshooting information.
To enable dry run mode, add the query parameter `dry_run=true` to the request URL. The rules in the request are updated in memory only; nothing is written to Elasticsearch.
> info
> Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response.
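For the bulk action semantics described above (idempotent edits, the non-idempotent rule-action edits, partial failures) and the `dry_run` parameter, the following Python script is an added example, not code from the Kibana docs or the Kibana source, of the pattern a practitioner wants around this endpoint: rehearse the edit with `dry_run=true`, apply it only if no rule would fail, and turn the documented response (`attributes.summary`, `attributes.errors`, `attributes.results.skipped`) into something a script can act on. It refuses a dry run for `export` (documented as a 400) and marks a result as not safe to retry when the edit list contains `add_rule_actions` or `set_rule_actions`, since a blind retry would duplicate actions on the rules that already succeeded. `KIBANA_URL`, `API_KEY`, `PREBUILT_RULE_ID`, the two sample responses and `fake_transport` are this example's own placeholders and constructed data, modelled on the response examples shown for this operation.

```python
"""Guarded bulk edit: dry run first, apply only when every rule passes.

Added example, not code from the Kibana docs or the Kibana source. It uses
only the request and response shapes documented for
POST /api/detection_engine/rules/_bulk_action. KIBANA_URL, API_KEY,
PREBUILT_RULE_ID, DRY_RUN_FAILURE, ALL_SKIPPED and fake_transport are this
example's own placeholders and constructed data.
"""
import json
import urllib.error
import urllib.request

KIBANA_URL = "https://localhost:5601"  # placeholder
API_KEY = "replace-me"                 # placeholder
BULK_PATH = "/api/detection_engine/rules/_bulk_action"

# Documented above: these edit types create a new action (new UUID) on every
# call, so a retry after a partial failure duplicates actions on the rules
# that already succeeded.
NON_IDEMPOTENT_EDITS = {"add_rule_actions", "set_rule_actions"}


def http_transport(url, payload):
    """POST JSON to Kibana and return the parsed body even on HTTP 500, which
    is how a partial failure (some rules errored) is reported."""
    req = urllib.request.Request(
        url, method="POST", data=json.dumps(payload).encode(),
        headers={"Authorization": f"ApiKey {API_KEY}",
                 "Content-Type": "application/json", "kbn-xsrf": "true"},
    )
    try:
        with urllib.request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode() or "{}")


def bulk_action(payload, dry_run=False, transport=http_transport):
    """Send a bulk action; dry_run appends ?dry_run=true (rejected for export)."""
    if dry_run and payload.get("action") == "export":
        raise ValueError("dry_run=true is not supported for the export action (400)")
    url = KIBANA_URL + BULK_PATH + ("?dry_run=true" if dry_run else "")
    return transport(url, payload)


def summarize(response):
    """Flatten attributes.summary, attributes.errors and results.skipped."""
    attrs = response.get("attributes", {})
    summary = attrs.get("summary", {})
    return {
        "success": bool(response.get("success", False)),
        "failed": summary.get("failed", 0),
        "succeeded": summary.get("succeeded", 0),
        "skipped": summary.get("skipped", 0),
        "errors": [{"rule_id": r.get("id"), "name": r.get("name"),
                    "err_code": e.get("err_code"), "message": e.get("message")}
                   for e in attrs.get("errors", []) for r in e.get("rules", [])],
        "skipped_rules": [{"rule_id": r.get("id"), "reason": r.get("skip_reason")}
                          for r in attrs.get("results", {}).get("skipped", [])],
    }


def guarded_bulk_edit(rule_ids, edits, transport=http_transport):
    """Dry-run first; apply only if no rule would fail. Returns (applied, summary);
    summary["retry_safe"] is False when a non-idempotent edit type is present."""
    payload = {"action": "edit", "ids": list(rule_ids), "edit": list(edits)}
    retry_safe = not any(e["type"] in NON_IDEMPOTENT_EDITS for e in edits)
    rehearsal = summarize(bulk_action(payload, dry_run=True, transport=transport))
    rehearsal["retry_safe"] = retry_safe
    if rehearsal["failed"]:
        return False, rehearsal
    result = summarize(bulk_action(payload, transport=transport))
    result["retry_safe"] = retry_safe
    return True, result


# Constructed samples modelled on the dry-run and set_tags response examples
# for this operation, served by fake_transport so the flow runs offline.
PREBUILT_RULE_ID = "81aa0480-06af-11ed-94fb-dd1a0597d8d2"
DRY_RUN_FAILURE = {
    "message": "Bulk edit partially failed", "status_code": 500,
    "attributes": {
        "errors": [{"err_code": "IMMUTABLE", "message": "Elastic rule can't be edited",
                    "status_code": 500,
                    "rules": [{"id": PREBUILT_RULE_ID, "name": "Unusual AWS Command for a User"}]}],
        "results": {"created": [], "deleted": [], "skipped": [], "updated": []},
        "summary": {"failed": 1, "skipped": 0, "succeeded": 1, "total": 2}},
}
ALL_SKIPPED = {
    "success": True, "rules_count": 2,
    "attributes": {
        "results": {"created": [], "deleted": [], "updated": [],
                    "skipped": [{"id": "eacdfc95-e007-41c9-986e-4b2cbdfdc71b", "name": "Rule 1",
                                 "skip_reason": "RULE_NOT_MODIFIED"},
                                {"id": "738112cd-6cfa-414a-8457-2a658845d6ba", "name": "Rule 2",
                                 "skip_reason": "RULE_NOT_MODIFIED"}]},
        "summary": {"failed": 0, "skipped": 2, "succeeded": 0, "total": 2}},
}


def fake_transport(url, payload):
    """Fails the rehearsal when a prebuilt rule is targeted; otherwise reports
    every rule as already carrying the requested tags (RULE_NOT_MODIFIED)."""
    if "dry_run=true" in url and PREBUILT_RULE_ID in payload["ids"]:
        return DRY_RUN_FAILURE
    return ALL_SKIPPED
```

`guarded_bulk_edit([...], [{"type": "set_tags", "value": ["tag-1"]}], transport=fake_transport)` returns `(False, summary)` with the `IMMUTABLE` error when a prebuilt rule is in the list and `(True, summary)` with two `RULE_NOT_MODIFIED` skips otherwise; drop the `transport=` argument to run against Kibana. Treat `retry_safe` as the gate for any automatic retry loop: after a partial failure of `add_rule_actions`, inspect `errors` and re-run only for the rule IDs listed there.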
in: query
name: dry_run
required: false
schema:
type: boolean
requestBody:
content:
application/json:
examples:
example01:
description: The following request activates all rules with the test tag.
summary: Enable - Enable all rules with the test tag
value:
action: enable
query: 'alert.attributes.tags: "test"'
example02:
description: The following request enables the rule with the specified ID.
summary: Enable - Enable a specific rule by ID.
value:
action: enable
ids:
- 748694f0-6977-4ea5-8384-cd2e39730779
example03:
description: The following request disables the rule with the specified ID.
summary: Disable - Disable a specific rule by ID
value:
action: disable
ids:
- 748694f0-6977-4ea5-8384-cd2e39730779
example04:
description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions.
summary: Duplicate - Duplicate rules with specific IDs
value:
action: duplicate
duplicate:
include_exceptions: true
include_expired_exceptions: false
ids:
- 748694f0-6977-4ea5-8384-cd2e39730779
- 461a4c22-416e-4009-a9a7-cf79656454bf
example05:
description: The following request deletes the rule with the specified ID.
summary: Delete - Delete a specific rule by ID
value:
action: delete
ids:
- cf4abfd1-7c37-4519-ab0f-5ea5c75fac60
example06:
description: The following request runs the rule with the specified ID within the given date range.
summary: Run - Run a specific rule by ID
value:
action: run
ids:
- 748694f0-6977-4ea5-8384-cd2e39730779
run:
end_date: '2025-03-10T23:59:59.999Z'
start_date: '2025-03-01T00:00:00.000Z'
example07:
description: The following request exports the rules with the specified IDs.
summary: Export - Export specific rules by ID
value:
action: export
ids:
- 748694f0-6977-4ea5-8384-cd2e39730779
example08:
description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true
summary: Edit - dry run - Validate add_index_patterns bulk action
value:
action: edit
edit:
- type: add_index_patterns
value:
- test-*
ids:
- 81aa0480-06af-11ed-94fb-dd1a0597d8d2
- dc015d10-0831-11ed-ac8b-05a222bd8d4a
- de8f5af0-0831-11ed-ac8b-05a222bd8d4a
example09:
description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made.
summary: Edit - Add a tag to rules (idempotent)
value:
action: edit
edit:
- type: add_tags
value:
- tag-1
ids:
- 8bc7dad0-9320-11ec-9265-8b772383a08d
- 8e5c1a40-9320-11ec-9265-8b772383a08d
example10:
description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made.
summary: Edit - Add two tags to rules (idempotent)
value:
action: edit
edit:
- type: add_tags
value:
- tag-1
- tag-2
ids:
- 8bc7dad0-9320-11ec-9265-8b772383a08d
- 8e5c1a40-9320-11ec-9265-8b772383a08d
example11:
description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made.
summary: Edit - Delete a tag from rules (idempotent)
value:
action: edit
edit:
- type: delete_tags
value:
- tag-1
ids:
- 8bc7dad0-9320-11ec-9265-8b772383a08d
- 8e5c1a40-9320-11ec-9265-8b772383a08d
example12:
description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.
summary: Edit - Set (overwrite existing) tags for rules (idempotent)
value:
action: edit
edit:
- type: set_tags
value:
- tag-1
- tag-2
ids:
- 8bc7dad0-9320-11ec-9265-8b772383a08d
- 8e5c1a40-9320-11ec-9265-8b772383a08d
example13:
description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made.
summary: Edit - Add index patterns to rules (idempotent)
value:
action: edit
edit:
- type: add_index_patterns
value:
- test-*
ids:
- 81aa0480-06af-11ed-94fb-dd1a0597d8d2
- dc015d10-0831-11ed-ac8b-05a222bd8d4a
example14:
description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made.
summary: Edit - Remove index patterns from rules (idempotent)
value:
action: edit
edit:
- type: delete_index_patterns
value:
- test-*
ids:
- 81aa0480-06af-11ed-94fb-dd1a0597d8d2
- dc015d10-0831-11ed-ac8b-05a222bd8d4a
example15:
description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.
summary: Edit - Set (overwrite existing) index patterns for rules (idempotent)
value:
action: edit
edit:
- type: set_index_patterns
value:
- test-*
ids:
- 81aa0480-06af-11ed-94fb-dd1a0597d8d2
- dc015d10-0831-11ed-ac8b-05a222bd8d4a
example16:
description: The following request adds an investigation field to the rules with the specified IDs.
summary: Edit - Add investigation field to rules
value:
action: edit
edit:
- type: add_investigation_fields
value:
field_names:
- alert.status
ids:
- 12345678-1234-1234-1234-1234567890ab
- 87654321-4321-4321-4321-0987654321ba
example17:
description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made.
summary: Edit - Delete investigation fields from rules (idempotent)
value:
action: edit
edit:
- type: delete_investigation_fields
value:
field_names:
- field1
- field2
ids:
- 12345678-1234-1234-1234-1234567890ab
- 87654321-4321-4321-4321-0987654321ba
example18:
description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made.
summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent)
value:
action: edit
edit:
- type: set_investigation_fields
value:
field_names:
- field1
- field2
ids:
- 12345678-1234-1234-1234-1234567890ab
- 87654321-4321-4321-4321-0987654321ba
example19:
description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made.
summary: Edit - Set (overwrite existing) timeline template for rules (idempotent)
value:
action: edit
edit:
- type: set_timeline
value:
timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd
timeline_title: Alerts Involving a Single User Timeline
ids:
- eacdfc95-e007-41c9-986e-4b2cbdfdc71b
example20:
description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made.
summary: Edit - Set (overwrite existing) schedule for rules (idempotent)
value:
action: edit
edit:
- type: set_schedule
value:
interval: 1h
lookback: 30m
ids:
- 99887766-5544-3322-1100-aabbccddeeff
example21:
description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules (non-idempotent)
value:
action: edit
edit:
- type: add_rule_actions
value:
actions:
- group: default
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
body: The message body
ids:
- 9e946bfc-3118-4c77-bb25-67d781191928
example22:
description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID.
summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent)
value:
action: edit
edit:
- type: set_rule_actions
value:
actions:
- group: default
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
body: The message body
ids:
- 9e946bfc-3118-4c77-bb25-67d781191928
example23:
description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules for a webhook connector
value:
action: edit
edit:
- type: add_rule_actions
value:
actions:
- group: default3
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
body: The message body
ids:
- 9e946bfc-3118-4c77-bb25-67d781191921
example24:
description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules for an email connector
value:
action: edit
edit:
- type: add_rule_actions
value:
actions:
- group: default3
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
message: The message body
subject: Subject
to: address@domain.com
ids:
- 9e946bfc-3118-4c77-bb25-67d781191921
example25:
description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules for a slack connector
value:
action: edit
edit:
- type: add_rule_actions
value:
actions:
- group: default3
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
message: The content of the message
ids:
- 9e946bfc-3118-4c77-bb25-67d781191921
example26:
description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID.
summary: Edit - Add rule actions to rules for a PagerDuty connector
value:
action: edit
edit:
- type: add_rule_actions
value:
actions:
- group: default3
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
eventAction: trigger
severity: critical
summary: The message body
timestamp: '2023-10-31T00:00:00.000Z'
ids:
- 9e946bfc-3118-4c77-bb25-67d781191921
example27:
description: The following request sets alert suppression for the rules with the specified IDs.
summary: Edit - Set alert suppression for rules (idempotent)
value:
action: edit
edit:
- type: set_alert_suppression
value:
duration:
unit: h
value: 1
group_by:
- source.ip
missing_fields_strategy: suppress
ids:
- 12345678-1234-1234-1234-1234567890ab
- 87654321-4321-4321-4321-0987654321ba
example28:
description: The following request sets alert suppression for the threshold rules with the specified IDs.
summary: Edit - Set alert suppression for threshold rules (idempotent)
value:
action: edit
edit:
- type: set_alert_suppression_for_threshold
value:
duration:
unit: h
value: 1
ids:
- 12345678-1234-1234-1234-1234567890ab
- 87654321-4321-4321-4321-0987654321ba
example29:
description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made.
summary: Edit - Remove alert suppression from rules (idempotent)
value:
action: edit
edit:
- type: delete_alert_suppression
ids:
- 12345678-1234-1234-1234-1234567890ab
- 87654321-4321-4321-4321-0987654321ba
example30:
description: The following request triggers gap filling for the specified rule IDs over the given time range.
summary: Fill gaps - Manually trigger gap filling for specified rules
value:
action: fill_gaps
ids:
- 748694f0-6977-4ea5-8384-cd2e39730779
- 164d0918-f720-4c9f-9f5c-c5122587cf19
run:
end_date: '2025-03-10T23:59:59.999Z'
start_date: '2025-03-01T00:00:00.000Z'
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules'
- $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules'
- $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules'
- $ref: '#/components/schemas/Security_Detections_API_BulkExportRules'
- $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules'
- $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun'
- $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps'
- $ref: '#/components/schemas/Security_Detections_API_BulkEditRules'
responses:
'200':
content:
application/json:
examples:
example01:
description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason.
summary: Successful response
value:
attributes:
results:
created: []
deleted: []
skipped:
- id: 51658332-a15e-4c9e-912a-67214e2e2359
name: Skipped rule
skip_reason: RULE_NOT_MODIFIED
updated:
- anomaly_threshold: 50
author:
- Elastic
created_at: '2022-02-21T14:14:13.801Z'
created_by: elastic
description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data.
enabled: true
exceptions_list: []
execution_summary:
last_execution:
date: '2022-03-23T16:06:12.787Z'
message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
metrics:
execution_gap_duration_s: 0
total_indexing_duration_ms: 15
total_search_duration_ms: 135
status: partial failure
status_order: 20
false_positives:
- DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded.
from: now-45m
id: 8bc7dad0-9320-11ec-9265-8b772383a08d
immutable: false
interval: 15m
license: Elastic License v2
machine_learning_job_id:
- packetbeat_dns_tunneling_ea
max_signals: 100
name: DNS Tunneling [Duplicate]
references:
- https://www.elastic.co/docs/reference/machine-learning/ootb-ml-jobs-siem
related_integrations: []
required_fields: []
risk_score: 21
risk_score_mapping: []
rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756
setup: ''
severity: low
severity_mapping: []
tags:
- Elastic
- Network
- Threat Detection
- ML
threat: []
to: now
type: machine_learning
updated_at: '2022-02-21T17:05:50.883Z'
updated_by: elastic
version: 6
summary:
failed: 0
skipped: 1
succeeded: 1
total: 2
rules_count: 1
success: true
example02:
description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request).
summary: Partial failure
value:
attributes:
errors:
- message: Index patterns can't be added. Machine learning rule doesn't have index patterns property
rules:
- id: 8bc7dad0-9320-11ec-9265-8b772383a08d
name: DNS Tunneling [Duplicate]
status_code: 500
results:
created: []
deleted: []
skipped: []
updated:
- actions: []
author:
- Elastic
created_at: '2022-02-21T14:14:17.883Z'
created_by: elastic
description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.
enabled: true
exceptions_list: []
execution_summary:
last_execution:
date: '2022-03-23T16:06:12.787Z'
message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
metrics:
execution_gap_duration_s: 0
total_indexing_duration_ms: 15
total_search_duration_ms: 135
status: partial failure
status_order: 20
false_positives: []
from: now-6m
id: 8e5c1a40-9320-11ec-9265-8b772383a08d
immutable: false
index:
- apm-*-transaction*
- traces-apm*
- auditbeat-*
- filebeat-*
- logs-*
- packetbeat-*
- winlogbeat-*
- added-by-id-*
interval: 5m
language: kuery
license: Elastic License v2
max_signals: 10000
name: External Alerts [Duplicate]
query: |
event.kind:alert and not event.module:(endgame or endpoint)
references: []
related_integrations: []
required_fields: []
risk_score: 47
risk_score_mapping:
- field: event.risk_score
operator: equals
value: ''
rule_id: 941faf98-0cdc-4569-b16d-4af962914d61
rule_name_override: message
setup: ''
severity: medium
severity_mapping:
- field: event.severity
operator: equals
severity: low
value: '21'
- field: event.severity
operator: equals
severity: medium
value: '47'
- field: event.severity
operator: equals
severity: high
value: '73'
- field: event.severity
operator: equals
severity: critical
value: '99'
tags:
- Elastic
- Network
- Windows
- APM
- macOS
- Linux
threat: []
timestamp_override: event.ingested
to: now
type: query
updated_at: '2022-02-21T16:56:22.818Z'
updated_by: elastic
version: 5
summary:
failed: 1
skipped: 0
succeeded: 1
total: 2
message: Bulk edit partially failed
rules_count: 2
status_code: 500
success: false
example03:
description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that the arrays in attributes.results are all empty. In dry run mode, rule updates are not applied or saved to Elasticsearch, so the endpoint does not return results for rules that would have been updated, created, or deleted.
summary: Dry run
value:
attributes:
errors:
- err_code: IMMUTABLE
message: Elastic rule can't be edited
rules:
- id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2
name: Unusual AWS Command for a User
status_code: 500
- err_code: MACHINE_LEARNING_INDEX_PATTERN
message: Machine learning rule doesn't have index patterns
rules:
- id: dc015d10-0831-11ed-ac8b-05a222bd8d4a
name: Suspicious Powershell Script [Duplicate]
status_code: 500
results:
created: []
deleted: []
skipped: []
updated: []
summary:
failed: 2
skipped: 0
succeeded: 1
total: 3
message: Bulk edit partially failed
status_code: 500
example04:
description: This example shows tags being set successfully on two rules. The requested set of tags differed from the tags already on each rule, so both rules were updated.
summary: Set tags successfully for 2 rules
value:
attributes:
results:
created: []
deleted: []
skipped: []
updated:
- actions: []
author: []
created_at: '2025-03-25T11:46:41.899Z'
created_by: elastic
description: test
enabled: false
exceptions_list: []
false_positives: []
filters: []
from: now-6m
id: 738112cd-6cfa-414a-8457-2a658845d6ba
immutable: false
index:
- apm-*-transaction*
- auditbeat-*
- endgame-*
- filebeat-*
- logs-*
- packetbeat-*
- traces-apm*
- winlogbeat-*
- '-*elastic-cloud-logs-*'
interval: 5m
language: kuery
license: ''
max_signals: 100
meta:
kibana_siem_app_url: http://localhost:5601/kbn/app/security
name: Rule 1
output_index: ''
query: '*'
references: []
related_integrations: []
required_fields: []
revision: 1
risk_score: 21
risk_score_mapping: []
rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e
rule_source:
type: internal
setup: ''
severity: low
severity_mapping: []
tags:
- tag-1
- tag-2
threat: []
to: now
type: query
updated_at: '2025-03-25T11:47:11.350Z'
updated_by: elastic
version: 2
- actions:
- action_type_id: .webhook
frequency:
notifyWhen: onActiveAlert
summary: true
throttle: null
group: default
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
body: Hello
uuid: 580e2e16-5e91-411c-999b-7b75a11ed441
author: []
created_at: '2025-03-25T09:49:08.343Z'
created_by: elastic
description: test
enabled: false
exceptions_list: []
false_positives: []
filters: []
from: now-360s
id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b
immutable: false
index:
- apm-*-transaction*
- auditbeat-*
- endgame-*
- filebeat-*
- logs-*
- packetbeat-*
- traces-apm*
- winlogbeat-*
- '-*elastic-cloud-logs-*'
interval: 3m
investigation_fields:
field_names:
- alert.status
- Endpoint.policy.applied.artifacts.global.channel
language: kuery
license: ''
max_signals: 100
meta:
from: 3m
kibana_siem_app_url: http://localhost:5601/kbn/app/security
name: Rule 2
output_index: ''
query: '*'
references: []
related_integrations: []
required_fields: []
revision: 33
risk_score: 21
risk_score_mapping: []
rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180
rule_source:
type: internal
setup: ''
severity: low
severity_mapping: []
tags:
- tag-1
- tag-2
threat: []
timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd
timeline_title: Alerts Involving a Single User Timeline
to: now
type: query
updated_at: '2025-03-25T11:47:11.357Z'
updated_by: elastic
version: 24
summary:
failed: 0
skipped: 0
succeeded: 2
total: 2
rules_count: 2
success: true
example05:
description: This example presents the idempotent behavior of the edit action with a set_tags request. Both rules already had exactly the tags being set, so neither was modified; both are reported under `skipped` with `skip_reason: RULE_NOT_MODIFIED`.
summary: Idempotent behavior of set_tags
value:
attributes:
results:
created: []
deleted: []
skipped:
- id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b
name: Rule 1
skip_reason: RULE_NOT_MODIFIED
- id: 738112cd-6cfa-414a-8457-2a658845d6ba
name: Rule 2
skip_reason: RULE_NOT_MODIFIED
updated: []
summary:
failed: 0
skipped: 2
succeeded: 0
total: 2
rules_count: 2
success: true
example06:
description: This example presents the idempotent behavior of the edit action with an add_tags request. One rule was updated and one was skipped: the skipped rule already carried every tag that was being added, so it is reported with `skip_reason: RULE_NOT_MODIFIED`.
summary: Idempotent behavior of add_tags
value:
attributes:
results:
created: []
deleted: []
skipped:
- id: 738112cd-6cfa-414a-8457-2a658845d6ba
name: Test Rule 2
skip_reason: RULE_NOT_MODIFIED
updated:
- actions:
- action_type_id: .webhook
frequency:
notifyWhen: onActiveAlert
summary: true
throttle: null
group: default
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
body: Hello
uuid: 580e2e16-5e91-411c-999b-7b75a11ed441
author: []
created_at: '2025-03-25T09:49:08.343Z'
created_by: elastic
description: test
enabled: false
exceptions_list: []
false_positives: []
filters: []
from: now-360s
id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b
immutable: false
index:
- apm-*-transaction*
- auditbeat-*
- endgame-*
- filebeat-*
- logs-*
- packetbeat-*
- traces-apm*
- winlogbeat-*
- '-*elastic-cloud-logs-*'
interval: 3m
investigation_fields:
field_names:
- alert.status
- Endpoint.policy.applied.artifacts.global.channel
language: kuery
license: ''
max_signals: 100
meta:
from: 3m
kibana_siem_app_url: http://localhost:5601/kbn/app/security
name: Test rule
output_index: ''
query: '*'
references: []
related_integrations: []
required_fields: []
revision: 34
risk_score: 21
risk_score_mapping: []
rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180
rule_source:
type: internal
setup: ''
severity: low
severity_mapping: []
tags:
- tag-1
- tag-2
- tag-4
threat: []
timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd
timeline_title: Alerts Involving a Single User Timeline
to: now
type: query
updated_at: '2025-03-25T11:55:12.752Z'
updated_by: elastic
version: 25
summary:
failed: 0
skipped: 1
succeeded: 1
total: 2
rules_count: 2
success: true
example07:
description: This example shows the non-idempotent behavior of set_rule_actions requests. Even when the supplied actions are identical to the actions already on the rule, they are written again and each receives a new `uuid` (the connector `id` stays the same), and the rule's `revision` is incremented.
summary: Non-idempotent behavior for set_rule_actions
value:
attributes:
results:
created: []
deleted: []
skipped: []
updated:
- actions:
- action_type_id: .webhook
frequency:
notifyWhen: onActiveAlert
summary: true
throttle: null
group: default
id: 20fbf986-a270-460e-80f3-7b83c08b430f
params:
body: Hello
uuid: e48428e5-efac-4856-b8ad-b271c14eaa91
author: []
created_at: '2025-03-25T09:49:08.343Z'
created_by: elastic
description: test
enabled: false
exceptions_list: []
false_positives: []
filters: []
from: now-360s
id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b
immutable: false
index:
- apm-*-transaction*
- auditbeat-*
- endgame-*
- filebeat-*
- logs-*
- packetbeat-*
- traces-apm*
- winlogbeat-*
- '-*elastic-cloud-logs-*'
interval: 3m
investigation_fields:
field_names:
- alert.status
- Endpoint.policy.applied.artifacts.global.channel
language: kuery
license: ''
max_signals: 100
meta:
from: 3m
kibana_siem_app_url: http://localhost:5601/kbn/app/security
name: Test rule
output_index: ''
query: '*'
references: []
related_integrations: []
required_fields: []
revision: 39
risk_score: 21
risk_score_mapping: []
rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180
rule_source:
type: internal
setup: ''
severity: low
severity_mapping: []
tags:
- tag-1
- tag-2
- tag-4
threat: []
timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd
timeline_title: Alerts Involving a Single User Timeline
to: now
type: query
updated_at: '2025-03-25T12:17:40.528Z'
updated_by: elastic
version: 30
summary:
failed: 0
skipped: 0
succeeded: 1
total: 1
rules_count: 1
success: true
example08:
description: This example shows the non-idempotent behavior of add_rule_actions requests. Even if the added action is identical to an action already on the rule, it is appended as a new action with its own `uuid`; repeated requests therefore accumulate duplicate actions. Here the rule ends up with two copies of the same webhook action.
summary: Non-idempotent behavior for add_rule_actions
value:
attributes:
results:
created: []
deleted: []
skipped: []
updated:
- actions:
- action_type_id: .webhook
frequency:
notifyWhen: onActiveAlert
summary: true
throttle: null
group: default
id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4
params:
body: Message body
uuid: 0309347e-3954-429c-9168-5da2663389af
- action_type_id: .webhook
frequency:
notifyWhen: onActiveAlert
summary: true
throttle: null
group: default
id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4
params:
body: Message body
uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd
author: []
created_at: '2025-04-02T12:42:03.400Z'
created_by: elastic
description: test
enabled: false
exceptions_list: []
false_positives: []
filters: []
from: now-6m
id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217
immutable: false
index:
- apm-*-transaction*
- auditbeat-*
- endgame-*
- filebeat-*
- logs-*
- packetbeat-*
- traces-apm*
- winlogbeat-*
- '-*elastic-cloud-logs-*'
interval: 5m
language: kuery
license: ''
max_signals: 100
meta:
kibana_siem_app_url: http://localhost:5601/kbn/app/security
name: Jacek test rule
output_index: ''
query: '*'
references: []
related_integrations: []
required_fields: []
revision: 2
risk_score: 21
risk_score_mapping: []
rule_id: 2684c020-1370-4719-ac27-eafe6428fe10
rule_source:
type: internal
setup: ''
severity: low
severity_mapping: []
tags: []
threat: []
to: now
type: query
updated_at: '2025-04-02T12:51:40.215Z'
updated_by: elastic
version: 2
summary:
failed: 0
skipped: 0
succeeded: 1
total: 1
rules_count: 1
success: true
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse'
- $ref: '#/components/schemas/Security_Detections_API_BulkExportActionResponse'
description: OK
summary: Apply a bulk action to detection rules
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
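The bulk action examples above document two different contracts: `set_tags` and `add_tags` compare the requested tags with the rule and report unchanged rules under `skipped` with `RULE_NOT_MODIFIED`, whereas `set_rule_actions` and `add_rule_actions` always write and assign a fresh `uuid`, so a job that re-applies the same webhook action on every run leaves rules with duplicate actions and duplicate notifications. The following Python is an added example for this page, not Kibana code: it computes, client side, which rules still lack an equivalent action (comparing actions with the server-assigned `uuid` ignored) before building the request, does the same for tags, and cross-checks a response `summary` against its `results`. The rule and response data are constructed from the examples above; the `{action, ids, edit: [{type, value}]}` request shape and the top-level position of `success` are assumptions to verify against this operation's request and response schemas.

```python
import json
from typing import Any

# Constructed sample data, trimmed from the add_rule_actions and add_tags
# response examples above to the fields this planner reads. Not real API output.
RULES: list[dict[str, Any]] = [
    {
        "id": "0d3eb0cd-88c4-4651-ac87-6d9f0cb87217",
        "name": "Jacek test rule",
        "tags": [],
        "actions": [
            {
                "action_type_id": ".webhook",
                "group": "default",
                "id": "76af173d-38d8-4a9a-b2cc-a3c695b845b4",
                "params": {"body": "Message body"},
                "frequency": {"notifyWhen": "onActiveAlert", "summary": True, "throttle": None},
                "uuid": "0309347e-3954-429c-9168-5da2663389af",
            }
        ],
    },
    {
        "id": "eacdfc95-e007-41c9-986e-4b2cbdfdc71b",
        "name": "Test rule",
        "tags": ["tag-1", "tag-2", "tag-4"],
        "actions": [],
    },
]

# The action an automation job wants every rule to carry (no uuid: the server assigns it).
DESIRED_ACTION: dict[str, Any] = {
    "action_type_id": ".webhook",
    "group": "default",
    "id": "76af173d-38d8-4a9a-b2cc-a3c695b845b4",
    "params": {"body": "Message body"},
    "frequency": {"notifyWhen": "onActiveAlert", "summary": True, "throttle": None},
}


def action_key(action: dict[str, Any]) -> str:
    """Canonical JSON of an action with the server-assigned uuid removed.
    Two actions with equal keys fire identically, so a second copy only
    duplicates notifications."""
    return json.dumps({k: v for k, v in action.items() if k != "uuid"},
                      sort_keys=True, separators=(",", ":"))


def rules_missing_action(rules: list[dict[str, Any]], action: dict[str, Any]) -> list[str]:
    """IDs of rules that do not yet carry an equivalent action. Only these should
    receive add_rule_actions; the server does not deduplicate for you."""
    want = action_key(action)
    return [r["id"] for r in rules
            if want not in {action_key(a) for a in r.get("actions", [])}]


def rules_missing_tags(rules: list[dict[str, Any]], tags: list[str]) -> list[str]:
    """IDs of rules lacking at least one of the tags. The server would skip the
    others with RULE_NOT_MODIFIED anyway; filtering client side keeps the request
    and the audit trail small."""
    wanted = set(tags)
    return [r["id"] for r in rules if not wanted <= set(r.get("tags", []))]


def bulk_edit_body(ids: list[str], edit_type: str, value: Any) -> dict[str, Any]:
    """Body for a bulk edit. The {action, ids, edit: [{type, value}]} shape is an
    assumption here; check it against the request schema of the bulk action operation."""
    return {"action": "edit", "ids": ids, "edit": [{"type": edit_type, "value": value}]}


def check_summary(response: dict[str, Any]) -> bool:
    """True when a bulk action response is internally consistent and nothing failed:
    every rule is accounted for exactly once across updated/created/deleted/skipped."""
    attrs = response["attributes"]
    s, r = attrs["summary"], attrs["results"]
    touched = len(r["updated"]) + len(r["created"]) + len(r["deleted"])
    return (bool(response.get("success"))
            and s["failed"] == 0
            and s["succeeded"] == touched
            and s["skipped"] == len(r["skipped"])
            and s["total"] == s["succeeded"] + s["skipped"] + s["failed"])


# Constructed after the add_tags response example above: one updated, one skipped.
SAMPLE_RESPONSE: dict[str, Any] = {
    "success": True,
    "rules_count": 2,
    "attributes": {
        "results": {
            "created": [], "deleted": [],
            "skipped": [{"id": RULES[1]["id"], "name": RULES[1]["name"],
                         "skip_reason": "RULE_NOT_MODIFIED"}],
            "updated": [{"id": RULES[0]["id"], "name": RULES[0]["name"]}],
        },
        "summary": {"failed": 0, "skipped": 1, "succeeded": 1, "total": 2},
    },
}

if __name__ == "__main__":
    ids = rules_missing_action(RULES, DESIRED_ACTION)
    print(json.dumps(bulk_edit_body(ids, "add_rule_actions", {"actions": [DESIRED_ACTION]}), indent=2))
    print("response consistent:", check_summary(SAMPLE_RESPONSE))
```

Run against live data, the rule list would come from the `_find` operation below and the planner would be called before every `add_rule_actions` request; the server-side idempotency of `add_tags` makes the tag filter optional, but there is no server-side equivalent for actions.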
/api/detection_engine/rules/_export:
post:
description: |
**Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file:
- Actions
- Exception lists
> info
> Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.
> You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.
> Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.
operationId: ExportRules
parameters:
- description: Determines whether the export summary line is omitted from the `.ndjson` output. When `false` (the default), the last line of the file is a summary of what was exported.
in: query
name: exclude_export_details
required: false
schema:
default: false
type: boolean
- description: |
File name for saving the exported rules.
> info
> When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.
in: query
name: file_name
required: false
schema:
default: export.ndjson
type: string
requestBody:
content:
application/json:
examples:
exportByRuleIds:
summary: Request body to export a subset of rules
value:
objects:
- rule_id: 343580b5-c811-447c-8d2d-2ccf052c6900
- rule_id: 2938c9fa-53eb-4c04-b79c-33cbf041b18d
schema:
nullable: true
type: object
properties:
objects:
description: Array of objects, each carrying a rule's `rule_id` (the stable signature ID). Do not use the rule's saved-object `id` here. When the body is omitted, all rules are exported.
items:
type: object
properties:
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
required:
- rule_id
type: array
required:
- objects
required: false
responses:
'200':
content:
application/ndjson:
examples:
sampleNdjson:
value: |
{"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900","name":"Example rule","type":"query","enabled":true}
{"exception_list":true}
{"export_summary":{"total_rules":1,"exceptions_count":0}}
schema:
description: |
An `.ndjson` file containing the returned rules.
Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.
format: binary
type: string
description: Indicates a successful call.
summary: Export detection rules
tags:
- Security Detections API
x-codeSamples:
- lang: cURL
source: |
curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
"objects": [
{
"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
},
{
"rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
}
]
}
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/rules/_find:
get:
description: |-
**Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/rules/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.
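An added example (not Kibana's own code) of driving this endpoint from a script: it builds the `filter` parameter in the `alert.attributes.<field>:<value>` syntax, including the `created_by` to `createdBy` renaming that the parameter description warns about, assembles the query string, and walks every page of results until the `page`, `perPage` and `total` fields of the response say nothing is left. The Kibana side is replaced by an injected, constructed `fetch_page` function so the code runs offline; the quoting rules in `kql_value` are a general assumption about the filter language, not something this page specifies.

```python
from typing import Callable, Iterator
from urllib.parse import urlencode

# Rule-JSON field names mapped to the alert.attributes.* names the filter expects.
# Note the camelCase for the two user fields, as the parameter description warns.
FILTER_FIELDS = {
    "name": "name",
    "enabled": "enabled",
    "tags": "tags",
    "interval": "interval",
    "created_by": "createdBy",
    "updated_by": "updatedBy",
}


def kql_value(value) -> str:
    """Render a filter value. Booleans become true/false; strings containing
    whitespace, quotes, backslashes or colons are quoted with backslash escaping
    (assumed KQL quoting rules)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    text = str(value)
    if any(c in text for c in ' \t"\\:'):
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return text


def build_filter(**conditions) -> str:
    """AND together alert.attributes.<field>:<value> terms for the `filter`
    parameter, rejecting fields the endpoint does not support."""
    terms = []
    for field, value in conditions.items():
        if field not in FILTER_FIELDS:
            raise ValueError(f"{field!r} cannot be used in a _find filter")
        terms.append(f"alert.attributes.{FILTER_FIELDS[field]}:{kql_value(value)}")
    return " and ".join(terms)


def find_path(page: int = 1, per_page: int = 20, **params) -> str:
    """Path and query string for GET /api/detection_engine/rules/_find."""
    query = {"page": page, "per_page": per_page,
             **{k: v for k, v in params.items() if v is not None}}
    return "/api/detection_engine/rules/_find?" + urlencode(query)


def iter_all_rules(fetch_page: Callable[[int, int], dict], per_page: int = 20) -> Iterator[dict]:
    """Yield every rule across all pages. fetch_page(page, per_page) returns the
    parsed JSON body ({data, page, perPage, total}); injecting it keeps this
    runnable offline. Stops when the pages seen cover `total` or a page is empty."""
    page = 1
    while True:
        body = fetch_page(page, per_page)
        yield from body["data"]
        if not body["data"] or body["page"] * body["perPage"] >= body["total"]:
            return
        page += 1


def fake_server(total: int = 45):
    """Constructed stand-in for Kibana: serves `total` minimal rules and records
    which pages were requested."""
    rules = [{"id": f"rule-{i:03d}", "name": f"Rule {i}", "enabled": i % 2 == 0}
             for i in range(total)]
    calls: list[int] = []

    def fetch_page(page: int, per_page: int) -> dict:
        calls.append(page)
        start = (page - 1) * per_page
        return {"data": rules[start:start + per_page], "page": page,
                "perPage": per_page, "total": total}

    return fetch_page, calls


if __name__ == "__main__":
    flt = build_filter(name="windows", created_by="elastic", enabled=True)
    print(find_path(per_page=5, sort_field="enabled", sort_order="asc", filter=flt))
    fetch, calls = fake_server()
    rules = list(iter_all_rules(fetch, per_page=20))
    print(len(rules), "rules fetched over pages", calls)
```

To use it against a real deployment, replace `fake_server` with a function that performs the GET with your API key and returns the parsed JSON body; the page loop and filter construction stay the same.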
operationId: FindRules
parameters:
- description: |
List of `alert.attributes` field names to return for each rule (for example `name`, `enabled`).
If omitted, the default field set is returned. Repeat the parameter to pass multiple field names, or
use comma-separated values when supported by your client.
in: query
name: fields
required: false
schema:
items:
type: string
type: array
- description: |
Search query
Filters the returned results according to the value of the specified field, using the `alert.attributes.<field>:<value>` syntax, where `<field>` can be:
- name
- enabled
- tags
- createdBy
- interval
- updatedBy
> info
> Even though the JSON rule object uses `created_by` and `updated_by` fields, you must use `createdBy` and `updatedBy` in the filter.
in: query
name: filter
required: false
schema:
type: string
- description: Field to sort by
in: query
name: sort_field
required: false
schema:
$ref: '#/components/schemas/Security_Detections_API_FindRulesSortField'
- description: Sort order
in: query
name: sort_order
required: false
schema:
$ref: '#/components/schemas/Security_Detections_API_SortOrder'
- description: Page number
in: query
name: page
required: false
schema:
default: 1
minimum: 1
type: integer
- description: Rules per page
in: query
name: per_page
required: false
schema:
default: 20
minimum: 0
type: integer
- description: Gaps range start
in: query
name: gaps_range_start
required: false
schema:
type: string
- description: Gaps range end
in: query
name: gaps_range_end
required: false
schema:
type: string
- description: Gap fill statuses
in: query
name: gap_fill_statuses
required: false
schema:
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
- description: Gap auto fill scheduler ID used to determine gap fill status for rules
in: query
name: gap_auto_fill_scheduler_id
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
example1:
value:
data:
- created_at: '2020-02-02T10:05:19.613Z'
created_by: elastic
description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.
enabled: false
execution_summary:
last_execution:
date: '2022-03-23T16:06:12.787Z'
message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found.
metrics:
execution_gap_duration_s: 0
total_indexing_duration_ms: 15
total_search_duration_ms: 135
status: partial failure
status_order: 20
false_positives: []
from: now-6m
id: 89761517-fdb0-4223-b67b-7621acc48f9e
immutable: true
index:
- winlogbeat-*
interval: 5m
language: kuery
max_signals: 33
name: Windows Script Executing PowerShell
query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"'
references: []
related_integrations:
- package: o365
version: ^2.3.2
required_fields:
- ecs: true
name: event.action
type: keyword
- ecs: true
name: process.name
type: keyword
- ecs: true
name: process.parent.name
type: keyword
risk_score: 21
rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc
setup: ''
severity: low
tags:
- Elastic
- Windows
threat:
- framework: MITRE ATT&CK
tactic:
id: TA0002
name: Execution
reference: https://attack.mitre.org/tactics/TA0002/
technique:
- id: T1193
name: Spearphishing Attachment
reference: https://attack.mitre.org/techniques/T1193/
to: now
type: query
updated_at: '2020-02-02T10:05:19.830Z'
updated_by: elastic
page: 1
perPage: 5
total: 4
schema:
type: object
properties:
data:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
type: array
page:
type: integer
perPage:
type: integer
total:
type: integer
warnings:
items:
$ref: '#/components/schemas/Security_Detections_API_WarningSchema'
type: array
required:
- page
- perPage
- total
- data
description: |
Successful response
> info
> These fields are under development and their usage or schema may change: execution_summary.
summary: List all detection rules
tags:
- Security Detections API
x-codeSamples:
- lang: cURL
source: |
curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true'
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/rules/_import:
post:
description: |
**Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/rules/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Import detection rules from an `.ndjson` file, including their actions and exception lists. The request must include:
- The `Content-Type: multipart/form-data` HTTP header.
- The `.ndjson` file containing the rules, sent as the `file` form field.
> warn
> When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
> If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
> info
> To import rules with actions, you need at least Read privileges for the Actions and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don't need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-privileges) for more information.
> info
> Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.
> You can use Kibana’s [Saved Objects](https://www.elastic.co/docs/explore-analyze/find-and-organize/saved-objects) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.
> Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.
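The export and import notes above both warn that an `.ndjson` file references connectors without their credentials and exception items without their value lists. This added Python (not Kibana code; the sample export is constructed here, patterned on the export sample on this page and on the `rule_id`, `list_id` and `entries` fields those objects carry) inspects a file before import: it parses each line, reports the connector IDs that must already exist in the target space, the value lists to import separately, duplicate `rule_id`s, the `rule_id`s that would collide with existing rules depending on `overwrite`, and checks the trailing summary against the parsed content. The `export_summary` field names follow the sample on this page, a real export's summary may carry more fields, and the `{"type": "list", "list": {"id": ...}}` shape of a value-list entry is an assumption about exception items.

```python
import json
from collections import Counter
from typing import Any

# Constructed sample export, patterned on the .ndjson sample shown for the export
# operation; not real Kibana output. One rule with a webhook action and an attached
# exception list, the list container, one item whose entry points at a value list,
# and the closing summary line.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"rule_id": "343580b5-c811-447c-8d2d-2ccf052c6900", "name": "Example rule",
                "type": "query", "enabled": True,
                "actions": [{"action_type_id": ".webhook", "group": "default",
                             "id": "76af173d-38d8-4a9a-b2cc-a3c695b845b4",
                             "params": {"body": "Hello"}}],
                "exceptions_list": [{"id": "c1", "list_id": "trusted-hosts",
                                     "type": "detection", "namespace_type": "single"}]}),
    json.dumps({"list_id": "trusted-hosts", "name": "Trusted hosts", "type": "detection",
                "namespace_type": "single"}),
    json.dumps({"list_id": "trusted-hosts", "item_id": "item-1", "name": "Allow-listed hosts",
                "entries": [{"type": "list", "field": "host.name", "operator": "included",
                             "list": {"id": "trusted_hosts.txt", "type": "keyword"}}]}),
    json.dumps({"export_summary": {"total_rules": 1, "exceptions_count": 1}}),
])


def parse_export(text: str) -> dict[str, Any]:
    """Split an export into rules, exception list containers, exception items and
    the summary. Lines that are not JSON, or are JSON of an unknown shape, are
    collected under `errors` instead of being silently dropped."""
    out: dict[str, Any] = {"rules": [], "lists": [], "items": [], "summary": None, "errors": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            out["errors"].append(f"line {lineno}: {exc.msg}")
            continue
        if "export_summary" in obj:
            out["summary"] = obj["export_summary"]
        elif "rule_id" in obj:
            out["rules"].append(obj)
        elif "entries" in obj:
            out["items"].append(obj)
        elif "list_id" in obj:
            out["lists"].append(obj)
        else:
            out["errors"].append(f"line {lineno}: unrecognised object")
    return out


def connector_ids(rules) -> set[str]:
    """Connector IDs referenced by rule actions. The export carries the reference but
    never the connector's credentials, so each must exist (with its secrets) in the
    target space before import, or the rule's actions cannot run."""
    return {a["id"] for r in rules for a in r.get("actions", []) if "id" in a}


def value_list_ids(items) -> set[str]:
    """Value lists referenced by exception items. These are not part of the export
    and have to be moved separately through Manage value lists."""
    return {e["list"]["id"] for it in items for e in it.get("entries", [])
            if e.get("type") == "list" and "list" in e}


def duplicate_rule_ids(rules) -> list[str]:
    """rule_ids that appear more than once in the file."""
    return sorted(rid for rid, n in Counter(r["rule_id"] for r in rules).items() if n > 1)


def import_collisions(rules, existing_rule_ids) -> list[str]:
    """rule_ids already present in the target. With overwrite=false these imports
    are rejected; with overwrite=true they replace the existing rule."""
    existing = set(existing_rule_ids)
    return sorted(r["rule_id"] for r in rules if r["rule_id"] in existing)


def summary_matches(parsed: dict[str, Any]) -> bool:
    """Cross-check the trailing summary's rule count against what was parsed;
    a mismatch means a truncated or hand-edited file."""
    summary = parsed["summary"]
    return summary is not None and summary.get("total_rules") == len(parsed["rules"])


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print("rules:", len(parsed["rules"]), "lists:", len(parsed["lists"]), "items:", len(parsed["items"]))
    print("connectors to pre-create:", sorted(connector_ids(parsed["rules"])))
    print("value lists to import separately:", sorted(value_list_ids(parsed["items"])))
    print("summary consistent:", summary_matches(parsed), "errors:", parsed["errors"])
```

The list of existing `rule_id`s passed to `import_collisions` would normally come from the `_find` operation on the target space; comparing before the upload is what lets you choose `overwrite` deliberately rather than discovering the collisions in the `errors` array of the import response.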
operationId: ImportRules
parameters:
- description: Determines whether existing rules with the same `rule_id` are overwritten.
in: query
name: overwrite
required: false
schema:
default: false
type: boolean
- description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten.
in: query
name: overwrite_exceptions
required: false
schema:
default: false
type: boolean
- description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten.
in: query
name: overwrite_action_connectors
required: false
schema:
default: false
type: boolean
- description: Generates a new list ID for each imported exception list.
in: query
name: as_new_list
required: false
schema:
default: false
type: boolean
requestBody:
content:
multipart/form-data:
examples:
rulesFile:
summary: Multipart part containing a rule export
value:
file: rules_import.ndjson
schema:
type: object
properties:
file:
description: The `.ndjson` file containing the rules.
format: binary
type: string
required: true
responses:
'200':
content:
application/json:
examples:
example1:
summary: Import rules with success
value:
errors: []
exceptions_errors: []
exceptions_success: true
exceptions_success_count: 0
rules_count: 1
success: true
success_count: 1
schema:
additionalProperties: false
type: object
properties:
action_connectors_errors:
items:
$ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
type: array
action_connectors_success:
type: boolean
action_connectors_success_count:
minimum: 0
type: integer
action_connectors_warnings:
items:
$ref: '#/components/schemas/Security_Detections_API_WarningSchema'
type: array
errors:
items:
$ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
type: array
exceptions_errors:
items:
$ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
type: array
exceptions_success:
type: boolean
exceptions_success_count:
minimum: 0
type: integer
rules_count:
minimum: 0
type: integer
success:
type: boolean
success_count:
minimum: 0
type: integer
required:
- exceptions_success
- exceptions_success_count
- exceptions_errors
- rules_count
- success
- success_count
- errors
- action_connectors_errors
- action_connectors_warnings
- action_connectors_success
- action_connectors_success_count
description: Indicates a successful call.
summary: Import detection rules
tags:
- Security Detections API
x-codeSamples:
- lang: cURL
source: |
curl -X POST "localhost:5601/api/detection_engine/rules/_import" \
-u "<username>:<password>" -H 'kbn-xsrf: true' \
-H 'Content-Type: multipart/form-data' \
--form "file=@<rules_file.ndjson>"
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/rules/prepackaged:
put:
description: |-
**Spaces method and path for this operation:**
put /s/{space_id}/api/detection_engine/rules/prepackaged
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Install and update all Elastic prebuilt detection rules and Timelines.
When you call this endpoint, it will:
- Install any prebuilt detection rules that are not currently installed.
- Update any installed prebuilt detection rules that Elastic has since modified.
- Install any prebuilt Timelines that are not currently installed.
- Update any installed prebuilt Timelines that Elastic has since modified.
The response counts the rules and Timelines that were installed and updated.
operationId: InstallPrebuiltRulesAndTimelines
responses:
'200':
content:
application/json:
examples:
example1:
value:
rules_installed: 112
rules_updated: 0
timelines_installed: 5
timelines_updated: 2
schema:
additionalProperties: false
type: object
properties:
rules_installed:
description: The number of rules installed
minimum: 0
type: integer
rules_updated:
description: The number of rules updated
minimum: 0
type: integer
timelines_installed:
description: The number of timelines installed
minimum: 0
type: integer
timelines_updated:
description: The number of timelines updated
minimum: 0
type: integer
required:
- rules_installed
- rules_updated
- timelines_installed
- timelines_updated
description: Indicates a successful call
summary: Install prebuilt detection rules and Timelines
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/rules/prepackaged/_status:
get:
description: |
**Spaces method and path for this operation:**
get /s/{space_id}/api/detection_engine/rules/prepackaged/_status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve the status of all Elastic prebuilt detection rules and Timelines.
This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines.
operationId: ReadPrebuiltRulesAndTimelinesStatus
responses:
'200':
content:
application/json:
examples:
example1:
value:
rules_custom_installed: 0
rules_installed: 0
rules_not_installed: 112
rules_not_updated: 0
timelines_installed: 0
timelines_not_installed: 0
timelines_not_updated: 0
schema:
additionalProperties: false
type: object
properties:
rules_custom_installed:
description: The total number of custom rules
minimum: 0
type: integer
rules_installed:
description: The total number of installed prebuilt rules
minimum: 0
type: integer
rules_not_installed:
description: The total number of available prebuilt rules that are not installed
minimum: 0
type: integer
rules_not_updated:
description: The total number of outdated prebuilt rules
minimum: 0
type: integer
timelines_installed:
description: The total number of installed prebuilt timelines
minimum: 0
type: integer
timelines_not_installed:
description: The total number of available prebuilt timelines that are not installed
minimum: 0
type: integer
timelines_not_updated:
description: The total number of outdated prebuilt timelines
minimum: 0
type: integer
required:
- rules_custom_installed
- rules_installed
- rules_not_installed
- rules_not_updated
- timelines_installed
- timelines_not_installed
- timelines_not_updated
description: Indicates a successful call
summary: Retrieve the status of prebuilt detection rules and Timelines
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/signals/assignees:
post:
description: |
**Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/signals/assignees
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Assign users to detection alerts, and unassign them from alerts.
> info
> You cannot add and remove the same assignee in the same request.
operationId: SetAlertAssignees
requestBody:
content:
application/json:
examples:
add:
$ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyAdd'
remove:
$ref: '#/components/examples/Security_Detections_API_SetAlertAssigneesBodyRemove'
schema:
$ref: '#/components/schemas/Security_Detections_API_SetAlertAssigneesBody'
description: User profile IDs to add or remove on each listed alert document ID.
required: true
responses:
'200':
content:
application/json:
examples:
add:
value:
batches: 1
deleted: 0
failures: []
noops: 0
requests_per_second: -1
retries:
bulk: 0
search: 0
throttled_millis: 0
throttled_until_millis: 0
timed_out: false
took: 76
total: 1
updated: 1
version_conflicts: 0
schema:
additionalProperties: true
description: Elasticsearch update by query response
type: object
description: |
Indicates a successful call. The body matches an Elasticsearch update-by-query response
(for example `took`, `updated`, `failures`).
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body].ids: at least one alert id is required to update assignees'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/detection_engine/signals/assignees] is unauthorized for the current user, this action is granted by the Kibana Security Solution privileges for cases and detections
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Not enough privileges response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Assign and unassign users from detection alerts
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/signals/finalize_migration:
post:
deprecated: true
description: |
**Spaces method and path for this operation:**
post /s/{space_id}/api/detection_engine/signals/finalize_migration
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
**DEPRECATED.** Completes a legacy alert index migration. Do not automate against this in new code.
**WARNING:** Finalizing swaps read aliases; confirm the migration has finished successfully before calling.
Finalize successful migrations of detection alerts. This replaces the original index's alias with the
successfully migrated index's alias. The endpoint is idempotent, so you can poll until a migration
finishes and then call this operation once.
operationId: FinalizeAlertsMigration
requestBody:
content:
application/json:
examples:
oneMigration:
value:
migration_ids:
- 924f7c50-505f-11eb-ae0a-3fa2e626a51d
schema:
example:
migration_ids:
- 924f7c50-505f-11eb-ae0a-3fa2e626a51d
type: object
properties:
migration_ids:
description: Array of `migration_id`s to finalize.
items:
type: string
minItems: 1
type: array
required:
- migration_ids
description: Array of `migration_id`s to finalize
required: true
responses:
'200':
content:
application/json:
examples:
success:
value:
migrations:
- completed: true
destinationIndex: .siem-signals-default-000002-r000016
id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d
sourceIndex: .siem-signals-default-000002
status: success
updated: '2021-01-06T22:05:56.859Z'
version: 16
schema:
items:
$ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult'
type: array
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body].migration_ids: at least one migration id is required to finalize'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Finalize detection alert migrations
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/signals/migration:
delete:
deprecated: true
description: |
**Spaces method and path for this operation:**
delete /s/{space_id}/api/detection_engine/signals/migration
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
**DEPRECATED.** Cleanup API for old migration artifacts. Do not add new call sites.
**WARNING:** This schedules deletions; ensure no production reads still point at the source index.
Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of
the migration process. A successful migration can leave both the old and new indices present, so the old
index may be deleted. While you can delete these indices manually, the endpoint applies a deletion policy
to the relevant index, causing it to be deleted after 30 days, and removes other migration-specific artifacts.
operationId: AlertsMigrationCleanup
requestBody:
content:
application/json:
examples:
cleanupMigrations:
value:
migration_ids:
- 924f7c50-505f-11eb-ae0a-3fa2e626a51d
schema:
example:
migration_ids:
- 924f7c50-505f-11eb-ae0a-3fa2e626a51d
type: object
properties:
migration_ids:
description: Array of `migration_id`s to cleanup.
items:
type: string
minItems: 1
type: array
required:
- migration_ids
description: Array of `migration_id`s to cleanup
required: true
responses:
'200':
content:
application/json:
examples:
success:
value:
migrations:
- destinationIndex: .siem-signals-default-000002-r000016
id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d
sourceIndex: .siem-signals-default-000002
status: success
updated: '2021-01-06T22:05:56.859Z'
version: 16
schema:
items:
$ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult'
type: array
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body].migration_ids: at least one migration id is required to run cleanup'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Clean up detection alert migrations
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
post:
deprecated: true
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
**DEPRECATED.** Legacy API for on-demand reindexing of old `.siem-signals-*` alert indices. Do not build new
integrations; upgrade the Elastic Stack and rely on product-managed data lifecycle instead.
**WARNING:** Migrations can be resource intensive and should be planned during a maintenance window.
Initiate a migration of detection alerts. Migrations are initiated per index. The process is not destructive
and should not remove existing data, but it can consume significant cluster resources. Plan capacity accordingly.
operationId: CreateAlertsMigration
requestBody:
content:
application/json:
examples:
singleIndex:
value:
index:
- .siem-signals-default-000001
schema:
allOf:
- type: object
properties:
index:
description: Array of index names to migrate.
items:
format: nonempty
minLength: 1
type: string
minItems: 1
type: array
required:
- index
- $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions'
description: Alerts migration parameters
required: true
responses:
'200':
content:
application/json:
examples:
success:
value:
indices:
- index: .siem-signals-default-000001
migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d
migration_index: .siem-signals-default-000001-r000016
schema:
type: object
properties:
indices:
items:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess'
- $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError'
- $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration'
type: array
required:
- indices
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body].index: at least one index name is required to start a migration'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Initiate a detection alert migration
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/signals/migration_status:
get:
deprecated: true
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
**DEPRECATED.** This endpoint was used for historical `.siem-signals-*` index migration workflows. Do not use
for new automations; there is no supported replacement in this public API.
**WARNING:** Prefer upgrading through supported Elastic stack upgrades rather than ad-hoc index migrations.
Retrieves indices that contain detection alerts of a particular age, along with migration information for
each of those indices.
operationId: ReadAlertsMigrationStatus
parameters:
- description: Maximum age of qualifying detection alerts
in: query
name: from
required: true
schema:
description: |
Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes
before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
example: now-30d
format: date-math
type: string
responses:
'200':
content:
application/json:
examples:
success:
value:
indices:
- index: .siem-signals-default-000002
is_outdated: true
migrations:
- id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d
status: pending
updated: '2021-01-06T20:41:37.173Z'
version: 16
signal_versions:
- count: 100
version: 15
- count: 87
version: 16
version: 15
- index: .siem-signals-default-000003
is_outdated: false
migrations: []
signal_versions:
- count: 54
version: 16
version: 16
schema:
type: object
properties:
indices:
items:
$ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus'
type: array
required:
- indices
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query].from: expected date-math, received null'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Retrieve the status of detection alert migrations
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/signals/search:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Add tags to detection alerts, and remove them from alerts, by alert IDs or a query, in a single request.
> info
> You cannot add and remove the same alert tag in the same request.
operationId: SetAlertTags
requestBody:
content:
application/json:
examples:
add:
$ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyAdd'
remove:
$ref: '#/components/examples/Security_Detections_API_SetAlertTagsBodyRemove'
schema:
$ref: '#/components/schemas/Security_Detections_API_SetAlertTagsBody'
description: An object containing the tags to add or remove and the alert IDs (or query) to which the changes will be applied
required: true
responses:
'200':
content:
application/json:
examples:
success:
value:
batches: 1
deleted: 0
failures: []
noops: 0
requests_per_second: -1
retries:
bulk: 0
search: 0
throttled_millis: 0
throttled_until_millis: 0
timed_out: false
took: 68
total: 1
updated: 1
version_conflicts: 0
schema:
additionalProperties: true
description: Elasticsearch update by query response
type: object
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body].tags: cannot add and remove the same tag in a single request'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
description: Internal server error response
summary: Add and remove detection alert tags
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/detection_engine/tags:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/detection_engine/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all unique tags from all detection rules.
operationId: ReadTags
responses:
'200':
content:
application/json:
examples:
example1:
value:
- zeek
- suricata
- windows
- linux
- network
- initial access
- remote access
- phishing
schema:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
description: Indicates a successful call
summary: List all detection rule tags
tags:
- Security Detections API
x-metaTags:
- content: Kibana
name: product_name
/api/encrypted_saved_objects/_rotate_key:
post:
description: |
Superuser role required.
If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most cases this overhead is negligible, but if you are dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key.
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
operationId: rotateEncryptionKey
parameters:
- description: |
Specifies the maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process, since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consecutive batches. By default, the batch size is 10000, which is also the maximum allowed value.
in: query
name: batch_size
required: false
schema:
default: 10000
type: number
- description: |
Limits encryption key rotation only to the saved objects with the specified type. By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes.
in: query
name: type
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
rotateEncryptionKeyResponse:
$ref: '#/components/examples/Saved_objects_key_rotation_response'
schema:
type: object
properties:
failed:
description: |
Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key.
type: number
successful:
description: |
Indicates the number of encrypted saved objects (optionally filtered by the requested `type`) that Kibana successfully re-encrypted with the primary key.
NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects.
type: number
total:
description: |
Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption.
type: number
description: Indicates a successful call.
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/Saved_objects_400_response'
description: Bad request
'429':
content:
application/json:
schema:
type: object
description: Already in progress.
summary: Rotate a key for encrypted saved objects
tags:
- saved objects
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint_list:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint_list
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create the exception list for Elastic Endpoint rule exceptions. When you create the exception list, it will have a `list_id` of `endpoint_list`. If the Elastic Endpoint exception list already exists, your request will return an empty response.
operationId: CreateEndpointList
responses:
'200':
content:
application/json:
examples:
alreadyExists:
summary: Endpoint exception list already exists (empty response)
value: {}
newList:
summary: Endpoint exception list created
value:
created_at: '2025-01-01T00:00:00.000Z'
created_by: elastic
description: Endpoint Security Exception List
id: 2e23a8c4-ef7e-4c10-adfa-3eae4e4b4b8b
immutable: false
list_id: endpoint_list
name: Endpoint Security Exception List
namespace_type: agnostic
os_types: []
tags: []
tie_breaker_id: e3c5a8e0-5b6a-4b4b-8b3a-2e23a8c4ef7e
type: endpoint
updated_at: '2025-01-01T00:00:00.000Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList'
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Invalid input data
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Insufficient privileges
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Internal server error
summary: Create an Elastic Endpoint rule exception list
tags:
- Security Endpoint Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint_list/items:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/endpoint_list/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.
operationId: DeleteEndpointListItem
parameters:
- description: Either `id` or `item_id` must be specified
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
- description: Either `id` or `item_id` must be specified
in: query
name: item_id
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
responses:
'200':
content:
application/json:
examples:
deleted:
summary: Deleted endpoint exception list item
value:
comments: []
created_at: '2025-01-01T12:00:00.000Z'
created_by: elastic
description: Blocks a known malicious file by its hash
entries:
- field: file.hash.sha256
operator: included
type: match
value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
item_id: block-malicious-file
list_id: endpoint_list
name: Block malicious file
namespace_type: agnostic
os_types:
- windows
tags: []
tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
type: simple
updated_at: '2025-01-01T12:00:00.000Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Invalid input data
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Insufficient privileges
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Endpoint list item not found
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Internal server error
summary: Delete an Elastic Endpoint exception list item
tags:
- Security Endpoint Exceptions API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/endpoint_list/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.
operationId: ReadEndpointListItem
parameters:
- description: Either `id` or `item_id` must be specified
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
- description: Either `id` or `item_id` must be specified
in: query
name: item_id
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
responses:
'200':
content:
application/json:
examples:
item:
summary: Endpoint exception list item
value:
comments: []
created_at: '2025-01-01T12:00:00.000Z'
created_by: elastic
description: Blocks a known malicious file by its hash
entries:
- field: file.hash.sha256
operator: included
type: match
value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
item_id: block-malicious-file
list_id: endpoint_list
name: Block malicious file
namespace_type: agnostic
os_types:
- windows
tags:
- policy:all
tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
type: simple
updated_at: '2025-01-01T12:00:00.000Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Invalid input data
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Insufficient privileges
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Endpoint list item not found
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Internal server error
summary: Get an Elastic Endpoint rule exception list item
tags:
- Security Endpoint Exceptions API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint_list/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create an Elastic Endpoint exception list item, and associate it with the Elastic Endpoint exception list.
operationId: CreateEndpointListItem
requestBody:
content:
application/json:
examples:
matchAny:
summary: Exclude multiple process names
value:
description: Exclude common security tools from endpoint protection
entries:
- field: process.name
operator: included
type: match_any
value:
- scanner.exe
- updater.exe
name: Trusted security tools
os_types:
- windows
type: simple
simpleMatch:
summary: Block a specific file hash
value:
description: Blocks a known malicious file by its hash
entries:
- field: file.hash.sha256
operator: included
type: match
value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
name: Block malicious file
os_types:
- windows
tags:
- policy:all
type: simple
schema:
type: object
properties:
comments:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
default: []
description:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
entries:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
item_id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
meta:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
name:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
os_types:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
default: []
tags:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
default: []
type:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
required:
- type
- name
- description
- entries
description: Exception list item's properties
required: true
responses:
'200':
content:
application/json:
examples:
created:
summary: Endpoint exception list item created
value:
comments: []
created_at: '2025-01-01T12:00:00.000Z'
created_by: elastic
description: Blocks a known malicious file by its hash
entries:
- field: file.hash.sha256
operator: included
type: match
value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
item_id: block-malicious-file
list_id: endpoint_list
name: Block malicious file
namespace_type: agnostic
os_types:
- windows
tags:
- policy:all
tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
type: simple
updated_at: '2025-01-01T12:00:00.000Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Invalid input data
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Insufficient privileges
'409':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Endpoint list item already exists
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Internal server error
summary: Create an Elastic Endpoint rule exception list item
tags:
- Security Endpoint Exceptions API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/endpoint_list/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an Elastic Endpoint exception list item, specified by the `id` or `item_id` field.
operationId: UpdateEndpointListItem
requestBody:
content:
application/json:
examples:
updateName:
summary: Update an endpoint exception list item
value:
description: Updated description for the exception
entries:
- field: file.hash.sha256
operator: included
type: match
value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
item_id: block-malicious-file
name: Block malicious file (updated)
os_types:
- windows
- linux
type: simple
schema:
type: object
properties:
_version:
description: The version id, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version.
type: string
comments:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
default: []
description:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
entries:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
description: Either `id` or `item_id` must be specified
item_id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
description: Either `id` or `item_id` must be specified
meta:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
name:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
os_types:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
default: []
tags:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
type:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
required:
- type
- name
- description
- entries
description: Exception list item's properties
required: true
responses:
'200':
content:
application/json:
examples:
updated:
summary: Endpoint exception list item updated
value:
comments: []
created_at: '2025-01-01T12:00:00.000Z'
created_by: elastic
description: Updated description for the exception
entries:
- field: file.hash.sha256
operator: included
type: match
value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
item_id: block-malicious-file
list_id: endpoint_list
name: Block malicious file (updated)
namespace_type: agnostic
os_types:
- windows
- linux
tags:
- policy:all
tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
type: simple
updated_at: '2025-01-15T09:30:00.000Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Invalid input data
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Insufficient privileges
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Endpoint list item not found
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Internal server error
summary: Update an Elastic Endpoint rule exception list item
tags:
- Security Endpoint Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint_list/items/_find:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/endpoint_list/items/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all Elastic Endpoint exception list items.
operationId: FindEndpointListItems
parameters:
- description: |
Filters the returned results according to the value of the specified field,
using the `:` syntax.
in: query
name: filter
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
- description: The page number to return
in: query
name: page
required: false
schema:
minimum: 0
type: integer
- description: The number of exception list items to return per page
in: query
name: per_page
required: false
schema:
minimum: 0
type: integer
- description: Determines which field is used to sort the results
in: query
name: sort_field
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
- description: Determines the sort order, which can be `desc` or `asc`
in: query
name: sort_order
required: false
schema:
enum:
- desc
- asc
type: string
responses:
'200':
content:
application/json:
examples:
foundItems:
summary: Found endpoint exception list items
value:
data:
- comments: []
created_at: '2025-01-01T12:00:00.000Z'
created_by: elastic
description: Blocks a known malicious file by its hash
entries:
- field: file.hash.sha256
operator: included
type: match
value: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
id: d4b0c1e2-3f4a-5b6c-7d8e-9f0a1b2c3d4e
item_id: block-malicious-file
list_id: endpoint_list
name: Block malicious file
namespace_type: agnostic
os_types:
- windows
tags:
- policy:all
tie_breaker_id: f1e2d3c4-b5a6-7890-abcd-ef1234567890
type: simple
updated_at: '2025-01-01T12:00:00.000Z'
updated_by: elastic
page: 1
per_page: 20
total: 1
schema:
type: object
properties:
data:
description: The list of endpoint exception list items.
items:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
type: array
page:
description: The current page number.
minimum: 0
type: integer
per_page:
description: The number of items per page.
minimum: 0
type: integer
pit:
description: The point-in-time ID for pagination.
type: string
total:
description: The total number of endpoint exception list items.
minimum: 0
type: integer
required:
- data
- page
- per_page
- total
description: Successful response
'400':
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Invalid input data
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
description: Insufficient privileges
'404':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Endpoint list not found
'500':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
description: Internal server error
summary: Get Elastic Endpoint exception list items
tags:
- Security Endpoint Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the status of response actions for the specified agent IDs.
operationId: EndpointGetActionsStatus
parameters:
- description: A list of agent IDs to get the action status for.
in: query
name: agent_ids
required: true
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse'
description: Indicates a successful call.
summary: Get response actions status
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/{action_id}:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/endpoint/action/{action_id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of a response action using the action ID.
operationId: EndpointGetActionsDetails
parameters:
- in: path
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ActionDetailsResponse'
description: OK
summary: Get action details
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/{action_id}/file/{file_id}:
get:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get information for the specified response action file download.
operationId: EndpointFileInfo
parameters:
- description: The ID of the response action that generated the file.
in: path
name: action_id
required: true
schema:
type: string
- description: |
The file identifier is constructed in one of two ways:
- For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator:
`{file_id}` = `{action_id}.{agent_id}`
- For all other agent types: the `file_id` is the `agent_id` to which the response action was sent.
in: path
name: file_id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
properties:
data:
type: object
properties:
actionId:
description: The response action ID.
type: string
agentId:
description: The agent ID that generated the file.
type: string
agentType:
description: The type of agent that generated the file.
type: string
created:
description: The date and time the file was created.
format: date-time
type: string
id:
description: The unique file identifier.
type: string
mimeType:
description: The MIME type of the file.
type: string
name:
description: The file name.
type: string
size:
description: The file size in bytes.
type: number
status:
description: The file upload status.
enum:
- AWAITING_UPLOAD
- UPLOADING
- READY
- UPLOAD_ERROR
- DELETED
type: string
description: Indicates a successful call.
summary: Get file information
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/{action_id}/file/{file_id}/download:
get:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Download a file associated with a response action. Files are downloaded in a password-protected `.zip` archive to prevent the file from running. Use password `elastic` to open the `.zip` in a safe environment.
> info
> Files retrieved from third-party-protected hosts require a different password. Refer to [Third-party response actions](https://www.elastic.co/docs/solutions/security/endpoint-response-actions/third-party-response-actions) for your system's password.
operationId: EndpointFileDownload
parameters:
- description: The ID of the response action that generated the file.
in: path
name: action_id
required: true
schema:
type: string
- description: |
The file identifier is constructed in one of two ways:
- For Elastic Defend agents (`agentType` of `endpoint`): combine the `action_id` and `agent_id` values using a dot (`.`) separator:
`{file_id}` = `{action_id}.{agent_id}`
- For all other agent types: the `file_id` is the `agent_id` to which the response action was sent.
in: path
name: file_id
required: true
schema:
type: string
responses:
'200':
content:
application/octet-stream:
schema:
format: binary
type: string
description: Indicates a successful call.
summary: Download a file
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/cancel:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint/action/cancel
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Cancel a running or pending response action (applies only to some agent types).
operationId: CancelAction
requestBody:
content:
application/json:
examples:
MicrosoftDefenderEndpoint:
summary: Cancel a response action on a Microsoft Defender for Endpoint host
value:
agent_type: microsoft_defender_endpoint
comment: Cancelling action due to change in requirements
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CancelRouteRequestBody'
required: true
responses:
'200':
content:
application/json:
examples:
CancelSuccess:
summary: Cancel action successfully created
value:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: microsoft_defender_endpoint
command: cancel
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: false
isExpired: false
outputs: {}
parameters:
id: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d
startedAt: '2022-07-29T19:08:49.126Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
description: Indicates a successful call.
summary: Cancel a response action
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/execute:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint/action/execute
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Run a shell command on an endpoint.
operationId: EndpointExecuteAction
requestBody:
content:
application/json:
examples:
executeCommand:
summary: Execute a shell command on an endpoint
value:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody'
required: true
responses:
'200':
content:
application/json:
examples:
ExecuteSuccess:
summary: Execute action successfully created
value:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
description: Indicates a successful call.
summary: Run a command
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/get_file:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint/action/get_file
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a file from an endpoint.
operationId: EndpointGetFileAction
requestBody:
content:
application/json:
examples:
getFile:
summary: Get a specific file from an endpoint
value:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody'
required: true
responses:
'200':
content:
application/json:
examples:
GetFileSuccess:
summary: Get file action successfully created
value:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
description: Indicates a successful call.
summary: Get a file
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/isolate:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint/action/isolate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Isolate an endpoint from the network. The endpoint remains isolated until it's released.
operationId: EndpointIsolateAction
requestBody:
content:
application/json:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: Locked down, pending further investigation
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
examples:
IsolateSuccess:
summary: Isolate action successfully created
value:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: isolate
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: false
isExpired: false
outputs: {}
startedAt: '2022-07-29T19:08:49.126Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse'
description: Indicates a successful call.
summary: Isolate an endpoint
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/kill_process:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all processes running on an endpoint.
operationId: EndpointGetProcessesAction
requestBody:
content:
application/json:
examples:
singleEndpoint:
summary: Get running processes on a single endpoint
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody'
required: true
responses:
'200':
content:
application/json:
examples:
RunningProcsSuccess:
summary: Running processes action successfully created
value:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: running-processes
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: false
isExpired: false
outputs: {}
startedAt: '2022-07-29T19:08:49.126Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
description: Indicates a successful call.
summary: Get running processes
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/runscript:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint/action/runscript
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Run a script on a host. Currently supported only for some agent types.
operationId: RunScriptAction
requestBody:
content:
application/json:
examples:
MDE:
description: Microsoft Defender Endpoint runscript
summary: Run a script against a Microsoft Defender Endpoint agent
value:
agent_type: microsoft_defender_endpoint
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
args: '-param1 value1 -param2 value2'
scriptName: my-script.ps1
SentinelOne:
description: SentinelOne runscript
summary: Run a script against a SentinelOne agent
value:
agent_type: sentinel_one
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
scriptId: 1111-2222-3333-4444-5555-6666-7777-8888
scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt'
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody'
required: true
responses:
'200':
content:
application/json:
examples:
RunScriptSuccess:
summary: Run script action successfully created
value:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: sentinel_one
command: runscript
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: false
isExpired: false
outputs: {}
parameters:
scriptId: 1111-2222-3333-4444-5555-6666-7777-8888
startedAt: '2022-07-29T19:08:49.126Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
description: Indicates a successful call.
summary: Run a script
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/scan:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint/action/scan
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Scan a specific file or directory on an endpoint for malware.
operationId: EndpointScanAction
requestBody:
content:
application/json:
examples:
scanFile:
summary: Scan a file on an endpoint
value:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody'
required: true
responses:
'200':
content:
application/json:
examples:
ScanSuccess:
summary: Scan action successfully created
value:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
description: Indicates a successful call.
summary: Scan a file or directory
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/state:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/endpoint/action/state
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the response actions state, which reports whether encryption is enabled.
operationId: EndpointGetActionsState
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse'
description: OK
summary: Get actions state
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/suspend_process:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Suspend a running process on an endpoint.
operationId: EndpointSuspendProcessAction
requestBody:
content:
application/json:
examples:
byEntityId:
summary: Suspend a process by entity ID
value:
comment: Suspending suspicious process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
byPid:
summary: Suspend a process by PID
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
pid: 1234
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody'
required: true
responses:
'200':
content:
application/json:
examples:
SuspendProcessSuccess:
summary: Suspend process action successfully created
value:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: suspend-process
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: false
isExpired: false
outputs: {}
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
description: Indicates a successful call.
summary: Suspend a process
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/unisolate:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint/action/unisolate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Release an isolated endpoint, allowing it to rejoin a network.
operationId: EndpointUnisolateAction
requestBody:
content:
application/json:
examples:
multipleHosts:
summary: Releases several hosts; includes a comment
value:
comment: Benign process identified, releasing group
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Remediation complete, restoring network
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
examples:
UnisolateSuccess:
summary: Unisolate action successfully created
value:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: unisolate
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: false
isExpired: false
outputs: {}
startedAt: '2022-07-29T19:08:49.126Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse'
description: Indicates a successful call.
summary: Release an isolated endpoint
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/action/upload:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/endpoint/action/upload
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Upload a file to an endpoint.
operationId: EndpointUploadAction
requestBody:
content:
multipart/form-data:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody'
required: true
responses:
'200':
content:
application/json:
examples:
UploadSuccess:
summary: Upload action successfully created
value:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse'
description: Indicates a successful call.
summary: Upload a file
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/metadata:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/endpoint/metadata
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all endpoint host metadata.
operationId: GetEndpointMetadataList
parameters:
- in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize'
- in: query
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery'
- in: query
name: hostStatuses
required: true
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses'
- in: query
name: sortField
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SortField'
- in: query
name: sortDirection
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse'
description: Indicates a successful call.
summary: Get a metadata list
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/metadata/{id}:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/endpoint/metadata/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get host metadata for a specific endpoint.
operationId: GetEndpointMetadata
parameters:
- description: The agent ID of the endpoint.
in: path
name: id
required: true
schema:
example: ed518850-681a-4d60-bb98-e22640cae2a8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse'
description: Indicates a successful call.
summary: Get metadata
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/policy_response:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/endpoint/policy_response
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the most recent policy response for an endpoint.
operationId: GetPolicyResponse
parameters:
- description: The agent ID to retrieve the policy response for.
in: query
name: agentId
required: true
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
description: Indicates a successful call.
summary: Get a policy response
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
/api/endpoint/protection_updates_note/{package_policy_id}:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the protection updates note for a package policy.
operationId: GetProtectionUpdatesNote
parameters:
- description: The package policy ID to retrieve the protection updates note for.
in: path
name: package_policy_id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse'
description: Indicates a successful call.
summary: Get a protection updates note
tags:
- Security Endpoint Management API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns the current health status of the Privilege Monitoring Engine, including engine status, error details, and user count statistics.
operationId: PrivMonHealth
responses:
'200':
content:
application/json:
examples:
PrivMonHealthResponse:
summary: Healthy privilege monitoring engine
value:
status: started
users:
current_count: 42
max_allowed: 1000
schema:
type: object
properties:
error:
type: object
properties:
message:
type: string
required:
- status
status:
$ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus'
users:
description: User statistics for privilege monitoring
type: object
properties:
current_count:
description: Current number of privileged users being monitored
type: integer
max_allowed:
description: Maximum number of privileged users allowed to be monitored
type: integer
required:
- current_count
- max_allowed
required:
- status
description: Successful response
summary: Health check on Privilege Monitoring
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/monitoring/privileges/privileges:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Check whether the current user has all required permissions for Privilege Monitoring.
operationId: PrivMonPrivileges
responses:
'200':
content:
application/json:
examples:
PrivMonPrivilegesResponse:
summary: Privileges check response
value:
has_all_required: true
privileges:
elasticsearch:
index:
.entity_analytics.monitoring.user-default:
read: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityAnalyticsPrivileges'
description: Successful response
summary: Run a privileges check on Privilege Monitoring
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/monitoring/users:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Creates a new privileged user to be monitored by the Privilege Monitoring Engine.
operationId: CreatePrivMonUser
requestBody:
content:
application/json:
examples:
CreatePrivMonUserRequest:
summary: Create a monitored user
value:
entity_analytics_monitoring:
labels:
- field: department
source: api
value: IT
user:
name: john.doe
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_UserName'
required: true
responses:
'200':
content:
application/json:
examples:
CreatePrivMonUserResponse:
summary: Created monitored user
value:
'@timestamp': '2026-01-28T12:00:00.000Z'
entity_analytics_monitoring:
labels:
- field: department
source: api
value: IT
event:
ingested: '2026-01-28T12:00:00.000Z'
id: user-abc-123
user:
is_privileged: true
name: john.doe
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc'
description: User created successfully
summary: Create a new monitored user
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/monitoring/users/_csv:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Removes a privileged user from monitoring by their document ID.
operationId: DeletePrivMonUser
parameters:
- description: The document ID of the monitored user to delete
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
DeletePrivMonUserResponse:
summary: User deleted successfully
value:
acknowledged: true
message: User deleted successfully
schema:
type: object
properties:
acknowledged:
description: Indicates if the deletion was successful
type: boolean
message:
description: A message providing additional information about the deletion status
type: string
required:
- success
description: User deleted successfully
summary: Delete a monitored user
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Updates the details of an existing monitored privileged user by their document ID.
operationId: UpdatePrivMonUser
parameters:
- description: The document ID of the monitored user to update
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
UpdatePrivMonUserRequest:
summary: Update a monitored user
value:
entity_analytics_monitoring:
labels:
- field: department
source: api
value: Security
user:
is_privileged: true
name: john.doe
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc'
required: true
responses:
'200':
content:
application/json:
examples:
UpdatePrivMonUserResponse:
summary: Updated monitored user
value:
'@timestamp': '2026-01-28T12:00:00.000Z'
entity_analytics_monitoring:
labels:
- field: department
source: api
value: Security
event:
ingested: '2026-01-28T12:00:00.000Z'
id: user-abc-123
user:
is_privileged: true
name: john.doe
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc'
description: User updated successfully
summary: Update a monitored user
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/monitoring/users/list:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns the installation and ML module setup status of the privileged access detection package, along with the state of each associated ML job.
operationId: GetPrivilegedAccessDetectionPackageStatus
responses:
'200':
content:
application/json:
examples:
GetPrivilegedAccessDetectionPackageStatusResponse:
summary: Package fully installed and running
value:
jobs:
- description: Detects high-risk login patterns
job_id: pad-high-risk-login
state: opened
- description: Detects privilege escalation events
job_id: pad-privilege-escalation
state: opened
ml_module_setup_status: complete
package_installation_status: complete
schema:
type: object
properties:
jobs:
items:
type: object
properties:
description:
type: string
job_id:
type: string
state:
enum:
- closing
- closed
- opened
- failed
- opening
type: string
required:
- job_id
- state
type: array
ml_module_setup_status:
enum:
- complete
- incomplete
type: string
package_installation_status:
enum:
- complete
- incomplete
type: string
required:
- package_installation_status
- ml_module_setup_status
- jobs
description: Privileged access detection status retrieved
summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/watchlists:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/entity_analytics/watchlists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Creates a new entity analytics watchlist with an optional set of entity sources. Watchlists apply a risk score modifier to matched entities.
operationId: CreateWatchlist
requestBody:
content:
application/json:
examples:
CreateWatchlistRequest:
summary: Create watchlist request
value:
description: High risk vendor watchlist
managed: false
name: High Risk Vendors
riskModifier: 1.5
CreateWatchlistWithSourcesRequest:
summary: Create watchlist with entity sources
value:
description: High risk vendor watchlist
entitySources:
- enabled: true
identifierField: user.name
indexPattern: my-sync-index
name: My User Index Source
type: index
managed: false
name: High Risk Vendors
riskModifier: 1.5
schema:
type: object
properties:
description:
description: Description of the watchlist
type: string
entitySources:
description: Optional entity sources to create and link to the watchlist
items:
additionalProperties: false
type: object
properties:
enabled:
type: boolean
filter:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Filter'
identifierField:
description: Field used to query the entity store for index-type sources
type: string
indexPattern:
type: string
integrationName:
description: Required when type is entity_analytics_integration. One of entityanalytics_okta, entityanalytics_ad.
type: string
matchers:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher'
type: array
name:
type: string
queryRule:
description: KQL query used to filter data from the provided index patterns
type: string
range:
$ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange'
type:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType'
required:
- type
- name
type: array
managed:
description: Indicates if the watchlist is managed by the system
type: boolean
name:
description: Unique name for the watchlist
type: string
riskModifier:
description: Risk score modifier associated with the watchlist
maximum: 2
minimum: 0
type: number
required:
- name
- riskModifier
required: true
responses:
'200':
content:
application/json:
examples:
CreateWatchlistResponse:
summary: Created watchlist
value:
createdAt: '2026-01-28T12:00:00.000Z'
description: High risk vendor watchlist
id: watchlist-123
managed: false
name: High Risk Vendors
riskModifier: 1.5
updatedAt: '2026-01-28T12:00:00.000Z'
schema:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject'
- type: object
properties:
entitySources:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySource'
type: array
description: Watchlist created successfully
summary: Create a new watchlist
tags:
- Security Entity Analytics API
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/watchlists/{id}:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieves the details of an entity analytics watchlist by its unique identifier.
operationId: GetWatchlist
parameters:
- description: Unique ID of the watchlist
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
GetWatchlistResponse:
summary: Watchlist details
value:
createdAt: '2026-01-28T12:00:00.000Z'
description: High risk vendor watchlist
id: watchlist-123
managed: false
name: High Risk Vendors
riskModifier: 1.5
updatedAt: '2026-02-18T12:00:00.000Z'
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject'
description: Watchlist details
summary: Get a watchlist by ID
tags:
- Security Entity Analytics API
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Updates the name, description, risk modifier, or managed status of an existing entity analytics watchlist.
operationId: UpdateWatchlist
parameters:
- description: The ID of the watchlist to update
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
UpdateWatchlistRequest:
summary: Update watchlist request
value:
description: High risk vendor watchlist
managed: false
name: High Risk Vendors
riskModifier: 1.5
schema:
type: object
properties:
description:
description: Description of the watchlist
type: string
managed:
description: Indicates if the watchlist is managed by the system
type: boolean
name:
description: Unique name of the watchlist
type: string
riskModifier:
description: Risk score modifier associated with the watchlist
maximum: 2
minimum: 0
type: number
required:
- name
- riskModifier
required: true
responses:
'200':
content:
application/json:
examples:
UpdateWatchlistResponse:
summary: Updated watchlist
value:
createdAt: '2026-01-28T12:00:00.000Z'
description: High risk vendor watchlist
id: watchlist-123
managed: false
name: High Risk Vendors
riskModifier: 1.5
updatedAt: '2026-02-18T12:00:00.000Z'
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject'
description: Watchlist updated successfully
summary: Update an existing watchlist
tags:
- Security Entity Analytics API
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/watchlists/{watchlist_id}/csv_upload:
post:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Uploads a CSV file to add entities to a watchlist. The CSV must contain a header row
with a "type" column (user, host, service, or generic) and one or more ECS identity
fields (e.g. "user.name", "host.hostname") used to match entities in the entity store.
Matched entities are added to the watchlist and their `entity.attributes.watchlists`
field is updated in the entity store.
Each row will match up to 10,000 entities.
operationId: UploadWatchlistCsv
parameters:
- description: The ID of the watchlist to add entities to
example: high-risk-vendors
in: path
name: watchlist_id
required: true
schema:
type: string
requestBody:
content:
multipart/form-data:
examples:
csvUpload:
summary: CSV file with user entities
value:
file: |
type,user.name
user,john.doe
user,jane.smith
schema:
type: object
properties:
file:
description: The CSV file to upload.
format: binary
type: string
required:
- file
required: true
responses:
'200':
content:
application/json:
examples:
CsvUploadResponse:
summary: CSV upload response with mixed results
value:
failed: 1
items:
- matchedEntities: 1
status: success
- error: Invalid entity type
matchedEntities: 0
status: failure
- matchedEntities: 0
status: unmatched
successful: 1
total: 3
unmatched: 1
schema:
type: object
properties:
failed:
description: Number of rows that failed to process
example: 1
type: integer
items:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem'
type: array
successful:
description: Number of rows that matched at least one entity
example: 1
type: integer
total:
description: Total number of rows processed
example: 3
type: integer
unmatched:
description: Number of rows that matched no entities
example: 1
type: integer
required:
- successful
- failed
- total
- unmatched
- items
description: Upload successful
'413':
description: File too large
summary: Upload a CSV file to add entities to a watchlist
tags:
- Security Entity Analytics API
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/watchlists/{watchlist_id}/entities/assign:
post:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Assigns the provided entities to the specified watchlist using a "manual" source label.
The entities must already exist in the entity store.
If an entity is already on the watchlist, no new document is created — the "manual" label
is added to its existing source labels instead.
operationId: AssignWatchlistEntities
parameters:
- description: The ID of the watchlist to add entities to
example: high-risk-vendors
in: path
name: watchlist_id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
assignEntities:
summary: Assign two entities to a watchlist
value:
euids:
- user:john.doe
- host:web-01
schema:
type: object
properties:
euids:
description: The EUIDs of the entities to assign
example:
- user:john.doe
- host:web-01
items:
type: string
type: array
required:
- euids
required: true
responses:
'200':
content:
application/json:
examples:
assignEntitiesResponse:
summary: Successful assignment of two entities
value:
failed: 0
items:
- euid: user:john.doe
status: success
- euid: host:web-01
status: not_found
not_found: 1
successful: 1
total: 2
schema:
type: object
properties:
failed:
description: Number of entities that failed to process
example: 0
type: integer
items:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem'
type: array
not_found:
description: Number of entities not found in the entity store
example: 1
type: integer
successful:
description: Number of entities successfully assigned
example: 1
type: integer
total:
description: Total number of entities processed
example: 2
type: integer
required:
- successful
- failed
- not_found
- total
- items
description: Assignment successful
summary: Manually assign entities to a watchlist
tags:
- Security Entity Analytics API
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/watchlists/{watchlist_id}/entities/unassign:
post:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Unassigns the provided entities from the specified watchlist.
This only removes the "manual" assignment. If the entity is also
assigned via other sources (for example, index or integration), it will
remain on the watchlist.
operationId: UnassignWatchlistEntities
parameters:
- description: The ID of the watchlist to remove entities from
example: high-risk-vendors
in: path
name: watchlist_id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
unassignEntities:
summary: Unassign two entities from a watchlist
value:
euids:
- user:john.doe
- host:web-01
schema:
type: object
properties:
euids:
description: The EUIDs of the entities to unassign
example:
- user:john.doe
- host:web-01
items:
type: string
type: array
required:
- euids
required: true
responses:
'200':
content:
application/json:
examples:
unassignEntitiesResponse:
summary: Successful unassignment of two entities
value:
failed: 0
items:
- euid: user:john.doe
status: success
- euid: host:web-01
status: not_found
not_found: 1
successful: 1
total: 2
schema:
type: object
properties:
failed:
description: Number of entities that failed to process
example: 0
type: integer
items:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem'
type: array
not_found:
description: Number of entities not found in the manual watchlist assignment
example: 1
type: integer
successful:
description: Number of entities successfully unassigned
example: 1
type: integer
total:
description: Total number of entities processed
example: 2
type: integer
required:
- successful
- failed
- not_found
- total
- items
description: Unassignment successful
summary: Manually unassign entities from a watchlist
tags:
- Security Entity Analytics API
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/entity_analytics/watchlists/list:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns a list of all entity analytics watchlists.
operationId: ListWatchlists
responses:
'200':
content:
application/json:
examples:
ListWatchlistsResponse:
summary: List of watchlists
value:
- createdAt: '2026-01-28T12:00:00.000Z'
description: High risk vendor watchlist
id: watchlist-123
managed: false
name: High Risk Vendors
riskModifier: 1.5
updatedAt: '2026-02-18T12:00:00.000Z'
- createdAt: '2026-01-10T09:30:00.000Z'
description: Privileged user monitoring watchlist
id: watchlist-456
managed: true
name: Privileged Accounts
riskModifier: 2
updatedAt: '2026-02-01T15:45:00.000Z'
schema:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_WatchlistObject'
type: array
description: List of watchlists
summary: List all watchlists
tags:
- Security Entity Analytics API
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/enable:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/entity_store/enable
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Initialize the entire Entity Store, creating engines for all or specified entity types.
operationId: InitEntityStore
requestBody:
content:
application/json:
schema:
type: object
properties:
delay:
default: 1m
description: The delay before the transform will run.
pattern: '[smdh]$'
type: string
docsPerSecond:
default: -1
description: The number of documents per second to process.
type: integer
enrichPolicyExecutionInterval:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
entityTypes:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
type: array
fieldHistoryLength:
default: 10
description: The number of historical values to keep for each field.
type: integer
filter:
type: string
frequency:
default: 1m
description: The frequency at which the transform will run.
pattern: '[smdh]$'
type: string
indexPattern:
$ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
lookbackPeriod:
default: 3h
description: The amount of time the transform looks back to calculate the aggregations.
pattern: '[smdh]$'
type: string
maxPageSearchSize:
default: 500
description: The initial page size to use for the composite aggregation of each checkpoint.
type: integer
timeout:
default: 180s
description: The timeout for initializing the aggregating transform.
pattern: '[smdh]$'
type: string
timestampField:
default: '@timestamp'
description: The field to use as the timestamp.
type: string
description: Configuration for the entity store initialization.
required: true
responses:
'200':
content:
application/json:
examples:
initEntityStoreExample:
description: The Entity Store was successfully initialized, creating host and user engines in the installing state.
summary: Entity Store initialized with host and user engines
value:
engines:
- delay: 1m
fieldHistoryLength: 10
frequency: 1m
indexPattern: ''
lookbackPeriod: 24h
status: installing
timeout: 180s
timestampField: '@timestamp'
type: host
- delay: 1m
fieldHistoryLength: 10
frequency: 1m
indexPattern: ''
lookbackPeriod: 24h
status: installing
timeout: 180s
timestampField: '@timestamp'
type: user
succeeded: true
schema:
type: object
properties:
engines:
description: The engine descriptors created during initialization.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
type: array
succeeded:
description: Whether the Entity Store was initialized successfully.
type: boolean
description: Successful response
'400':
description: Invalid request
summary: Initialize the Entity Store
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/engines:
delete:
operationId: DeleteEntityEngines
parameters:
- description: The entity type of the engine ('user', 'host', 'service', 'generic').
examples:
hostAndService:
value: host,service
in: query
name: entityTypes
required: false
schema:
description: Array of engine types to delete. Empty by default, which results in all the engines being deleted.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
type: array
- description: Control flag to also delete the entity data.
in: query
name: delete_data
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
deleteEntityEnginesExample:
description: Example response after deleting 'host' engine
value:
deleted:
- host
still_running:
- generic
- user
- service
schema:
type: object
properties:
deleted:
description: Entity types whose engines were successfully deleted.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
type: array
still_running:
description: Entity types whose engines are still running.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
type: array
description: Successful response
summary: Delete Entity Engines
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/entity_store/engines
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/entity_store/engines
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all installed entity engines and their current status.
operationId: ListEntityEngines
responses:
'200':
content:
application/json:
examples:
listEntityEnginesExample:
description: Returns a list with one running host engine and one stopped user engine.
summary: Two engines installed
value:
count: 2
engines:
- delay: 1m
fieldHistoryLength: 10
frequency: 1m
indexPattern: ''
lookbackPeriod: 24h
status: started
timeout: 180s
timestampField: '@timestamp'
type: host
- delay: 1m
fieldHistoryLength: 10
frequency: 1m
indexPattern: ''
lookbackPeriod: 24h
status: stopped
timeout: 180s
timestampField: '@timestamp'
type: user
schema:
type: object
properties:
count:
description: The total number of entity engines.
type: integer
engines:
description: An array of engine descriptors.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
type: array
description: Successful response
summary: List the Entity Engines
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/engines/{entityType}:
delete:
operationId: DeleteEntityEngine
parameters:
- description: The entity type of the engine (either 'user' or 'host').
examples:
host:
value: host
in: path
name: entityType
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
- description: Control flag to also delete the entity data.
in: query
name: delete_data
required: false
schema:
type: boolean
- deprecated: true
description: Control flag to also delete the entity data.
in: query
name: data
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
deleteEntityEngineExample:
description: Example response after deleting 'host' engine
value:
deleted: true
schema:
type: object
properties:
deleted:
description: Whether the engine was successfully deleted.
type: boolean
description: Successful response
summary: Delete the Entity Engine
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the engine descriptor for a specific entity type, including its configuration and current status.
operationId: GetEntityEngine
parameters:
- description: The entity type of the engine.
example: host
in: path
name: entityType
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
responses:
'200':
content:
application/json:
examples:
getEntityEngineExample:
description: Returns the engine descriptor for a host engine that is currently running with default settings.
summary: A running host engine
value:
delay: 1m
fieldHistoryLength: 10
frequency: 1m
indexPattern: ''
lookbackPeriod: 24h
status: started
timeout: 180s
timestampField: '@timestamp'
type: host
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
description: Successful response
summary: Get an Entity Engine
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/engines/{entityType}/init:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Initialize a single entity engine for the specified entity type.
operationId: InitEntityEngine
parameters:
- description: The entity type of the engine.
in: path
name: entityType
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
requestBody:
content:
application/json:
schema:
type: object
properties:
delay:
default: 1m
description: The delay before the transform will run.
pattern: '[smdh]$'
type: string
docsPerSecond:
default: -1
description: The number of documents per second to process.
type: integer
enrichPolicyExecutionInterval:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
fieldHistoryLength:
default: 10
description: The number of historical values to keep for each field.
type: integer
filter:
type: string
frequency:
default: 1m
description: The frequency at which the transform will run.
pattern: '[smdh]$'
type: string
indexPattern:
$ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
lookbackPeriod:
default: 3h
description: The amount of time the transform looks back to calculate the aggregations.
pattern: '[smdh]$'
type: string
maxPageSearchSize:
default: 500
description: The initial page size to use for the composite aggregation of each checkpoint.
type: integer
timeout:
default: 180s
description: The timeout for initializing the aggregating transform.
pattern: '[smdh]$'
type: string
timestampField:
default: '@timestamp'
description: The field to use as the timestamp for the entity type.
type: string
description: Schema for the engine initialization
required: true
responses:
'200':
content:
application/json:
examples:
initEntityEngineExample:
description: A host engine was successfully initialized and is now in the installing state.
summary: Host engine initialized
value:
delay: 1m
fieldHistoryLength: 10
frequency: 1m
indexPattern: ''
lookbackPeriod: 3h
status: installing
timeout: 180s
timestampField: '@timestamp'
type: host
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
description: Successful response
'400':
description: Invalid request
summary: Initialize an Entity Engine
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/engines/{entityType}/start:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Start a previously stopped entity engine, resuming transform processing for the given entity type.
operationId: StartEntityEngine
parameters:
- description: The entity type of the engine to start.
example: host
in: path
name: entityType
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
responses:
'200':
content:
application/json:
examples:
startEntityEngineExample:
description: The engine was successfully started and is now processing data.
summary: Engine started successfully
value:
started: true
schema:
type: object
properties:
started:
description: Whether the engine was successfully started.
type: boolean
description: Successful response
summary: Start an Entity Engine
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/engines/{entityType}/stop:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Stop a running entity engine, pausing transform processing for the given entity type.
operationId: StopEntityEngine
parameters:
- description: The entity type of the engine to stop.
example: host
in: path
name: entityType
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
responses:
'200':
content:
application/json:
examples:
stopEntityEngineExample:
description: The engine was successfully stopped and is no longer processing data.
summary: Engine stopped successfully
value:
stopped: true
schema:
type: object
properties:
stopped:
description: Whether the engine was successfully stopped.
type: boolean
description: Successful response
summary: Stop an Entity Engine
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/engines/apply_dataview_indices:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Synchronize data view index patterns to all running entity engines so that newly added indices are picked up by the transforms.
operationId: ApplyEntityEngineDataviewIndices
responses:
'200':
content:
application/json:
examples:
applyDataviewIndicesExample:
description: All running engines were successfully updated with the current data view index patterns.
summary: All engines updated
value:
result:
- changes:
indexPatterns:
- logs-*
- filebeat-*
- auditbeat-*
type: host
- changes:
indexPatterns:
- logs-*
- filebeat-*
- auditbeat-*
type: user
success: true
schema:
type: object
properties:
result:
description: Per-engine update results.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult'
type: array
success:
description: Whether all engines updated successfully.
type: boolean
description: Successful response
'207':
content:
application/json:
examples:
partialSuccessExample:
description: The host engine was updated but the user engine failed due to insufficient privileges.
summary: One engine failed
value:
errors:
- 'Failed to update user engine: insufficient privileges'
result:
- changes:
indexPatterns:
- logs-*
- filebeat-*
type: host
success: false
schema:
type: object
properties:
errors:
description: Error messages for engines that failed to update.
items:
type: string
type: array
result:
description: Per-engine update results for engines that succeeded.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult'
type: array
success:
description: Always `false` for a partial success.
type: boolean
description: Partial success response
'500':
content:
application/json:
examples:
serverErrorExample:
description: An unexpected error occurred while applying data view indices.
summary: Internal server error
value:
body: An internal error occurred while updating engine indices
statusCode: 500
schema:
type: object
properties:
body:
description: Error message.
type: string
statusCode:
description: HTTP status code.
type: number
description: Error response
summary: Apply DataView indices to all installed engines
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/entities/{entityType}:
delete:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a single entity in Entity Store.
The entity will be immediately deleted from the latest index. It will remain available in historical snapshots if it has been snapshotted. The delete operation does not prevent the entity from being recreated if it is observed again in the future.
operationId: DeleteSingleEntity
parameters:
- example: user
in: path
name: entityType
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
requestBody:
content:
application/json:
schema:
type: object
properties:
id:
description: Identifier of the entity to be deleted, commonly the `entity.id` value.
example: arn:aws:iam::123456789012:user/jane.doe
type: string
required:
- id
description: Schema identifying the entity to delete
required: true
responses:
'200':
content:
application/json:
examples:
deleteEntityExample:
description: The entity was found and successfully removed from the latest index.
summary: Entity deleted
value:
deleted: true
schema:
type: object
properties:
deleted:
description: Whether the entity was successfully deleted.
type: boolean
description: Successful response. Entity deleted.
'404':
description: Entity not found. No entity with this ID and type exists.
'503':
description: Operation on an uninitialized engine, or in a cluster where the CRUD API is not enabled
summary: Delete an entity in Entity Store
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/entity_store/entities/{entityType}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update or create an entity in Entity Store.
If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created.
By default, only the following fields can be updated:
* `entity.attributes.*`
* `entity.lifecycle.*`
* `entity.behavior.*`
To update other fields, set the `force` query parameter to `true`.
> info
> Some fields always retain the first observed value. Updates to these fields will not appear in the final index.
> Due to technical limitations, not all updates are guaranteed to appear in the final list of observed values.
> Due to technical limitations, create is an async operation. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.
operationId: UpsertEntity
parameters:
- example: user
in: path
name: entityType
required: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
- description: When true, allows updating protected fields.
in: query
name: force
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
description: Schema for updating a single entity
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
description: Entity updated or created
'403':
description: Operation on a restricted field
'409':
description: Conflict. The entity was modified by another update in Elasticsearch while this update was in progress
'503':
description: Operation attempted on an uninitialized engine, or in a cluster where the CRUD API is not enabled
summary: Upsert an entity in Entity Store
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/entities/bulk:
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/entity_store/entities/bulk
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update or create many entities in Entity Store.
If the specified entity already exists, it is updated with the provided values. If the entity does not exist, a new one is created.
The creation is asynchronous. The time for a document to be present in the final index depends on the entity store transform and usually takes more than 1 minute.
operationId: UpsertEntitiesBulk
parameters:
- description: When true, allows updating protected fields.
in: query
name: force
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntitiesContainer'
description: Schema for updating many entities
required: true
responses:
'200':
description: Entities updated or created
'403':
description: Operation on a restricted field
'503':
description: Operation attempted on an uninitialized engine, or in a cluster where the CRUD API is not enabled
summary: Upsert many entities in Entity Store
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/entities/list:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/entity_store/entities/list
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List entity records, with paging, sorting and filtering as needed.
operationId: ListEntities
parameters:
- description: Field to sort results by.
example: entity.name
in: query
name: sort_field
required: false
schema:
type: string
- description: Sort order.
in: query
name: sort_order
required: false
schema:
enum:
- asc
- desc
type: string
- description: Page number to return (1-indexed).
example: 1
in: query
name: page
required: false
schema:
minimum: 1
type: integer
- description: Number of entities per page.
example: 10
in: query
name: per_page
required: false
schema:
maximum: 10000
minimum: 1
type: integer
- description: An Elasticsearch query to filter results by.
in: query
name: filterQuery
required: false
schema:
type: string
- description: Entity types to include in the results.
in: query
name: entity_types
required: true
schema:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
type: array
responses:
'200':
content:
application/json:
schema:
type: object
properties:
inspect:
$ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery'
page:
description: Current page number.
minimum: 1
type: integer
per_page:
description: Number of entities per page.
maximum: 1000
minimum: 1
type: integer
records:
description: The entity records for this page.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
type: array
total:
description: Total number of entities matching the query.
minimum: 0
type: integer
required:
- records
- page
- per_page
- total
description: Entities returned successfully
summary: List Entity Store Entities
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/entity_store/status:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/entity_store/status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.
operationId: GetEntityStoreStatus
parameters:
- description: If true, returns a detailed status of each engine including all its components.
example: true
in: query
name: include_components
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
entityStoreRunning:
description: The Entity Store is running with both host and user engines started and using default settings.
summary: Entity Store running with two engines
value:
engines:
- delay: 1m
fieldHistoryLength: 10
frequency: 1m
indexPattern: ''
lookbackPeriod: 24h
status: started
timeout: 180s
timestampField: '@timestamp'
type: host
- delay: 1m
fieldHistoryLength: 10
frequency: 1m
indexPattern: ''
lookbackPeriod: 24h
status: started
timeout: 180s
timestampField: '@timestamp'
type: user
status: running
schema:
type: object
properties:
engines:
description: Per-engine status information.
items:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
- type: object
properties:
components:
description: Detailed component-level status. Only included when `include_components` is true.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus'
type: array
type: array
status:
$ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus'
description: The overall status of the Entity Store.
required:
- status
- engines
description: Successful response
summary: Get the status of the Entity Store
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/exception_lists:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/exception_lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete an exception list using the `id` or `list_id` field.
operationId: DeleteExceptionList
parameters:
- description: Exception list's identifier. Either `id` or `list_id` must be specified.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
- description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.
examples:
autogeneratedId:
value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
list_id:
value: simple_list
in: query
name: list_id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
- description: |
`single` deletes the list in the current Kibana space; `agnostic` deletes a global list. Must match the
list you are removing when using `list_id` or `id`.
examples:
agnostic:
value: agnostic
single:
value: single
in: query
name: namespace_type
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
responses:
'200':
content:
application/json:
examples:
detectionExceptionList:
value:
_version: WzIsMV0=
created_at: '2025-01-07T19:34:27.942Z'
created_by: elastic
description: This is a sample detection type exception list.
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
immutable: false
list_id: simple_list
name: Sample Detection Exception List
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
type: detection
updated_at: '2025-01-07T19:34:27.942Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list list_id: "foo" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Delete an exception list
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/exception_lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of an exception list using the `id` or `list_id` field.
operationId: ReadExceptionList
parameters:
- description: Exception list's identifier. Either `id` or `list_id` must be specified.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
- description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified.
in: query
name: list_id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
- description: |
When `single`, the list is resolved in the current Kibana space. When `agnostic`, the list is a global
(space-agnostic) container. Required for looking up the correct list when `list_id` is not unique.
examples:
agnostic:
value: agnostic
single:
value: single
in: query
name: namespace_type
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
responses:
'200':
content:
application/json:
examples:
detectionType:
value:
_version: WzIsMV0=
created_at: '2025-01-07T19:34:27.942Z'
created_by: elastic
description: This is a sample detection type exception list.
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
immutable: false
list_id: simple_list
name: Sample Detection Exception List
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
type: detection
updated_at: '2025-01-07T19:34:27.942Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list id: "foo" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Get exception list details
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/exception_lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules.
> info
> All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
operationId: CreateExceptionList
requestBody:
content:
application/json:
examples:
createDetection:
value:
description: This is a sample detection type exception list.
list_id: simple_list
name: Sample Detection Exception List
namespace_type: single
os_types:
- linux
tags:
- malware
type: detection
schema:
example:
description: This is a sample detection type exception list.
list_id: simple_list
name: Sample Detection Exception List
namespace_type: single
os_types:
- linux
tags:
- malware
type: detection
type: object
properties:
description:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
meta:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
name:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
default: []
type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
version:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
default: 1
required:
- name
- description
- type
description: Exception list's properties
required: true
responses:
'200':
content:
application/json:
examples:
autogeneratedListId:
value:
_version: WzMsMV0=
created_at: '2025-01-09T01:05:23.019Z'
created_by: elastic
description: This is a sample detection type exception with an autogenerated list_id.
id: 28243c2f-624a-4443-823d-c0b894880931
immutable: false
list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
name: Sample Detection Exception List
namespace_type: single
os_types: []
tags:
- malware
tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338
type: detection
updated_at: '2025-01-09T01:05:23.020Z'
updated_by: elastic
version: 1
namespaceAgnostic:
value:
_version: WzUsMV0=
created_at: '2025-01-09T01:10:36.369Z'
created_by: elastic
description: This is a sample agnostic endpoint type exception.
id: 1a744e77-22ca-4b6b-9085-54f55275ebe5
immutable: false
list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6
name: Sample Agnostic Endpoint Exception List
namespace_type: agnostic
os_types:
- linux
tags:
- malware
tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3
type: endpoint
updated_at: '2025-01-09T01:10:36.369Z'
updated_by: elastic
version: 1
typeDetection:
value:
_version: WzIsMV0=
created_at: '2025-01-07T19:34:27.942Z'
created_by: elastic
description: This is a sample detection type exception list.
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
immutable: false
list_id: simple_list
name: Sample Detection Exception List
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
type: detection
updated_at: '2025-01-07T19:34:27.942Z'
updated_by: elastic
version: 1
typeEndpoint:
value:
_version: WzQsMV0=
created_at: '2025-01-09T01:07:49.658Z'
created_by: elastic
description: This is a sample endpoint type exception list.
id: a79f4730-6e32-4278-abfc-349c0add7d54
immutable: false
list_id: endpoint_list
name: Sample Endpoint Exception List
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee
type: endpoint
updated_at: '2025-01-09T01:07:49.658Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body]: list_id: Expected string, received number'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'409':
content:
application/json:
examples:
alreadyExists:
value:
message: 'exception list id: "simple_list" already exists'
status_code: 409
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list already exists response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Create an exception list
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/exception_lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an exception list using the `id` or `list_id` field.
operationId: UpdateExceptionList
requestBody:
content:
application/json:
examples:
fullReplace:
value:
description: Different description
list_id: simple_list
name: Updated exception list name
os_types:
- linux
tags:
- draft
- malware
type: detection
schema:
example:
description: Different description
list_id: simple_list
name: Updated exception list name
os_types:
- linux
tags:
- draft malware
type: detection
type: object
properties:
_version:
description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
type: string
description:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
meta:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
name:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
default: []
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
version:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
required:
- name
- description
- type
description: Exception list's properties
required: true
responses:
'200':
content:
application/json:
examples:
simpleList:
value:
_version: WzExLDFd
created_at: '2025-01-07T20:43:55.264Z'
created_by: elastic
description: Different description
id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55
immutable: false
list_id: simple_list
name: Updated exception list name
namespace_type: single
os_types: []
tags:
- draft malware
tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f
type: detection
updated_at: '2025-01-07T21:32:03.726Z'
updated_by: elastic
version: 2
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body]: list_id: Expected string, received number'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list id: "foo" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Update an exception list
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/exception_lists/_duplicate:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/exception_lists/_duplicate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Duplicate an existing exception list.
operationId: DuplicateExceptionList
parameters:
- description: The `list_id` of the existing exception list to copy (source list).
in: query
name: list_id
required: true
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
- description: Scope in which the source list is defined (`single` = current space, `agnostic` = all spaces).
examples:
agnostic:
value: agnostic
single:
value: single
in: query
name: namespace_type
required: true
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
- description: Determines whether to include expired exceptions in the duplicated list. The expiration date is defined by `expire_time`.
in: query
name: include_expired_exceptions
required: true
schema:
default: 'true'
enum:
- 'true'
- 'false'
example: true
type: string
responses:
'200':
content:
application/json:
examples:
detectionExceptionList:
value:
_version: WzExNDY1LDFd
created_at: '2025-01-09T16:19:50.280Z'
created_by: elastic
description: This is a sample detection type exception
id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429
immutable: false
list_id: d6390d60-bce3-4a48-9002-52db600f329c
name: Sample Detection Exception List [Duplicate]
namespace_type: single
os_types: []
tags:
- malware
tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985
type: detection
updated_at: '2025-01-09T16:19:50.280Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: namespace_type: Invalid enum value. Expected ''agnostic'' | ''single'', received ''foo'''
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list id: "foo" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Exception list not found
'405':
content:
application/json:
examples:
notAllowed:
value:
message: 'Cannot duplicate: list is immutable or the operation is not allowed in this state'
status_code: 405
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list to duplicate not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Duplicate an exception list
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/exception_lists/_export:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/exception_lists/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Export an exception list and its associated items to an NDJSON file.
operationId: ExportExceptionList
parameters:
- description: Exception list's internal `id` (UUID) returned on create; use with `list_id` and `namespace_type` for an unambiguous target.
in: query
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
- description: Human-readable `list_id` of the exception list to export, as shown in the UI and API responses.
in: query
name: list_id
required: true
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
- description: |
`single` exports a list in the current Kibana space; `agnostic` exports a global (space-agnostic) list.
examples:
agnostic:
value: agnostic
single:
value: single
in: query
name: namespace_type
required: true
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
- description: Determines whether to include expired exceptions in the exported list. The expiration date is defined by `expire_time`.
example: true
in: query
name: include_expired_exceptions
required: true
schema:
default: 'true'
enum:
- 'true'
- 'false'
type: string
responses:
'200':
content:
application/ndjson:
examples:
exportSavedObjectsResponse:
value: |
{"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
{"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0}
schema:
description: A `.ndjson` file containing the specified exception list and its items
format: binary
type: string
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: list_id: Required, namespace_type: Required'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list id: "foo" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Export an exception list
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/exception_lists/_find:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/exception_lists/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all exception list containers.
operationId: FindExceptionLists
parameters:
- description: |
Filters the returned results according to the value of the specified field.
Uses the `so type.field name:field` value syntax, where `so type` can be:
- `exception-list`: Specify a space-aware exception list.
- `exception-list-agnostic`: Specify an exception list that is shared across spaces.
in: query
name: filter
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter'
- description: |
Determines whether the returned containers are associated with a Kibana space (`single`)
or available in all spaces (`agnostic`).
examples:
agnostic:
value: agnostic
single:
value: single
in: query
name: namespace_type
required: false
schema:
default:
- single
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
type: array
- description: The page number to return
in: query
name: page
required: false
schema:
example: 1
minimum: 1
type: integer
- description: The number of exception lists to return per page
in: query
name: per_page
required: false
schema:
example: 20
minimum: 1
type: integer
- description: Determines which field is used to sort the results.
in: query
name: sort_field
required: false
schema:
example: name
type: string
- description: Determines the sort order, which can be `desc` or `asc`.
in: query
name: sort_order
required: false
schema:
enum:
- desc
- asc
example: desc
type: string
responses:
'200':
content:
application/json:
examples:
simpleLists:
value:
data:
- _version: WzIsMV0=
created_at: '2025-01-07T19:34:27.942Z'
created_by: elastic
description: This is a sample detection type exception list.
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
immutable: false
list_id: simple_list
name: Detection Exception List
namespace_type: single
os_types: []
tags:
- malware
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
type: detection
updated_at: '2025-01-07T19:34:27.942Z'
updated_by: elastic
version: 1
page: 1
per_page: 20
total: 1
schema:
type: object
properties:
data:
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
type: array
page:
minimum: 1
type: integer
per_page:
minimum: 1
type: integer
total:
minimum: 0
type: integer
required:
- data
- page
- per_page
- total
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Get exception lists
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/exception_lists/_import:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/exception_lists/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Import an exception list and its associated items from an NDJSON file.
operationId: ImportExceptionList
parameters:
- description: |
Determines whether existing exception lists with the same `list_id` are overwritten.
If any exception items have the same `item_id`, those are also overwritten.
in: query
name: overwrite
required: false
schema:
default: false
example: false
type: boolean
- description: |
Determines whether the list being imported will have a new `list_id` generated.
Additional `item_id`s are generated for each exception item. Both the exception
list and its items are overwritten.
in: query
name: as_new_list
required: false
schema:
default: false
example: false
type: boolean
requestBody:
content:
multipart/form-data:
examples:
ndjsonUpload:
value:
file: exception_lists.ndjson
schema:
type: object
properties:
file:
description: A `.ndjson` file containing the exception list
example: |
{"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
format: binary
type: string
required: true
responses:
'200':
content:
application/json:
examples:
withErrors:
value:
errors:
- error:
message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"'
status_code: 400
list_id: (unknown list_id)
- error:
message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.'
status_code: 409
item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330
list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee
success: false
success_count: 0
success_count_exception_list_items: 0
success_count_exception_lists: 0
success_exception_list_items: false
success_exception_lists: false
withoutErrors:
value:
errors: []
success: true
success_count: 2
success_count_exception_list_items: 1
success_count_exception_lists: 1
success_exception_list_items: true
success_exception_lists: true
schema:
type: object
properties:
errors:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray'
success:
type: boolean
success_count:
minimum: 0
type: integer
success_count_exception_list_items:
minimum: 0
type: integer
success_count_exception_lists:
minimum: 0
type: integer
success_exception_list_items:
type: boolean
success_exception_lists:
type: boolean
required:
- errors
- success
- success_count
- success_exception_lists
- success_count_exception_lists
- success_exception_list_items
- success_count_exception_list_items
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: Multipart part `file` is required and must contain a valid .ndjson exception list export
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Import an exception list
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/exception_lists/items:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/exception_lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete an exception list item using the `id` or `item_id` field.
operationId: DeleteExceptionListItem
parameters:
- description: Exception item's identifier. Either `id` or `item_id` must be specified.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
- description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified.
in: query
name: item_id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
- description: |
`single` deletes the item in the current Kibana space; `agnostic` deletes an item in a space-agnostic list. Must match the list that owns the item.
examples:
agnostic:
value: agnostic
single:
value: single
in: query
name: namespace_type
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
responses:
'200':
content:
application/json:
examples:
simpleExceptionItem:
value:
_version: WzQsMV0=
comments: []
created_at: '2025-01-07T20:07:33.119Z'
created_by: elastic
description: This is a sample detection type exception item.
entries:
- field: actingProcess.file.signer
operator: excluded
type: exists
- field: host.name
operator: included
type: match_any
value:
- saturn
- jupiter
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
type: simple
updated_at: '2025-01-07T20:07:33.119Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list item item_id: \"foo\" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list item not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Delete an exception list item
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/exception_lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of an exception list item using the `id` or `item_id` field.
operationId: ReadExceptionListItem
parameters:
- description: Exception list item's identifier. Either `id` or `item_id` must be specified.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
- description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified.
in: query
name: item_id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
- description: |
`single` fetches the item in the current space; `agnostic` fetches a global (space-agnostic) item. Must
match how the list was created.
examples:
agnostic:
value: agnostic
single:
value: single
in: query
name: namespace_type
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
responses:
'200':
content:
application/json:
examples:
simpleListItem:
value:
_version: WzQsMV0=
comments: []
created_at: '2025-01-07T20:07:33.119Z'
created_by: elastic
description: This is a sample detection type exception item.
entries:
- field: actingProcess.file.signer
operator: excluded
type: exists
- field: host.name
operator: included
type: match_any
value:
- saturn
- jupiter
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
type: simple
updated_at: '2025-01-07T20:07:33.119Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list item item_id: \"foo\" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list item not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Get an exception list item
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/exception_lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create an exception item and associate it with the specified exception list.
> info
> Before creating exception items, you must create an exception list.
operationId: CreateExceptionListItem
requestBody:
content:
application/json:
examples:
simpleItem:
value:
description: This is a sample detection type exception item.
entries:
- field: actingProcess.file.signer
operator: excluded
type: exists
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
type: simple
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemGeneric'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEndpointList'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemEventFilters'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemHostIsolation'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistWindows'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistLinux'
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBlocklistMac'
description: Exception list item's properties
required: true
responses:
'200':
content:
application/json:
examples:
autogeneratedItemId:
value:
_version: WzYsMV0=
comments: []
created_at: '2025-01-09T01:16:23.322Z'
created_by: elastic
description: This is a sample exception that has no item_id so it is autogenerated.
entries:
- field: actingProcess.file.signer
operator: excluded
type: exists
id: 323faa75-c657-4fa0-9084-8827612c207b
item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37
list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
name: Sample Autogenerated Exception List Item ID
namespace_type: single
os_types: []
tags:
- malware
tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23
type: simple
updated_at: '2025-01-09T01:16:23.322Z'
updated_by: elastic
detectionExceptionListItem:
value:
_version: WzQsMV0=
comments: []
created_at: '2025-01-07T20:07:33.119Z'
created_by: elastic
description: This is a sample detection type exception item.
entries:
- field: actingProcess.file.signer
operator: excluded
type: exists
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
type: simple
updated_at: '2025-01-07T20:07:33.119Z'
updated_by: elastic
withExistEntry:
value:
_version: WzQsMV0=
comments: []
created_at: '2025-01-07T20:07:33.119Z'
created_by: elastic
description: This is a sample detection type exception item.
entries:
- field: actingProcess.file.signer
operator: excluded
type: exists
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
type: simple
updated_at: '2025-01-07T20:07:33.119Z'
updated_by: elastic
withMatchAnyEntry:
value:
_version: WzQsMV0=
comments: []
created_at: '2025-01-07T20:07:33.119Z'
created_by: elastic
description: This is a sample detection type exception item.
entries:
- field: host.name
operator: included
type: match_any
value:
- saturn
- jupiter
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
type: simple
updated_at: '2025-01-07T20:07:33.119Z'
updated_by: elastic
withMatchEntry:
value:
_version: WzQsMV0=
comments: []
created_at: '2025-01-07T20:07:33.119Z'
created_by: elastic
description: This is a sample detection type exception item.
entries:
- field: actingProcess.file.signer
operator: included
type: match
value: Elastic N.V.
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
type: simple
updated_at: '2025-01-07T20:07:33.119Z'
updated_by: elastic
withNestedEntry:
value:
_version: WzQsMV0=
comments: []
created_at: '2025-01-07T20:07:33.119Z'
created_by: elastic
description: This is a sample detection type exception item.
entries:
- entries:
- field: signer
operator: included
type: match
value: Evil
- field: trusted
operator: included
type: match
value: true
field: file.signature
type: nested
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c
type: simple
updated_at: '2025-01-07T20:07:33.119Z'
updated_by: elastic
withValueListEntry:
value:
_version: WzcsMV0=
comments: []
created_at: '2025-01-09T01:31:12.614Z'
created_by: elastic
description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list
entries:
- field: source.ip
list:
id: goodguys.txt
type: ip
operator: excluded
type: list
id: deb26876-297d-4677-8a1f-35467d2f1c4f
item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71
list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783
name: Filter out good guys ip and agent.name rock01
namespace_type: single
os_types: []
tags:
- malware
tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8
type: simple
updated_at: '2025-01-09T01:31:12.614Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body]: list_id: Expected string, received number'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'409':
content:
application/json:
examples:
alreadyExists:
value:
message: 'exception list item id: \"simple_list_item\" already exists'
status_code: 409
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list item already exists response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Create an exception list item
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/exception_lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an exception list item using the `id` or `item_id` field.
operationId: UpdateExceptionListItem
requestBody:
content:
application/json:
examples:
updateItem:
value:
description: Updated description
id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
name: Updated name
namespace_type: single
type: simple
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemGeneric'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEndpointList'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemEventFilters'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemHostIsolation'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux'
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBlocklistMac'
description: Exception list item's properties
required: true
responses:
'200':
content:
application/json:
examples:
simpleListItem:
value:
_version: WzEyLDFd
comments: []
created_at: '2025-01-07T21:12:25.512Z'
created_by: elastic
description: Updated description
entries:
- field: host.name
operator: included
type: match
value: rock01
id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da
item_id: simple_list_item
list_id: simple_list
name: Updated name
namespace_type: single
os_types: []
tags: []
tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0
type: simple
updated_at: '2025-01-07T21:34:50.233Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body]: item_id: Expected string, received number'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list item item_id: \"foo\" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list item not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Update an exception list item
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/exception_lists/items/_find:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/exception_lists/items/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all exception list items in the specified list.
operationId: FindExceptionListItems
parameters:
- description: The `list_id`s of the items to fetch.
in: query
name: list_id
required: true
schema:
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
type: array
- description: |
Filters the returned results according to the value of the specified field,
using the `:` syntax.
examples:
singleFilter:
value:
- exception-list.attributes.name:%My%20item
in: query
name: filter
required: false
schema:
default: []
items:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
type: array
- description: |
Determines whether the returned containers are associated with a single Kibana space
or available in all spaces (`single` or `agnostic`).
examples:
single:
value:
- single
in: query
name: namespace_type
required: false
schema:
default:
- single
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
type: array
- description: |
Free-text search term applied to exception list item fields (for example a hostname or file path fragment).
in: query
name: search
required: false
schema:
example: host.name
type: string
- description: The page number to return
in: query
name: page
required: false
schema:
example: 1
minimum: 0
type: integer
- description: The number of exception list items to return per page
in: query
name: per_page
required: false
schema:
example: 20
minimum: 0
type: integer
- description: Determines which field is used to sort the results.
example: name
in: query
name: sort_field
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
- description: Determines the sort order, which can be `desc` or `asc`.
in: query
name: sort_order
required: false
schema:
enum:
- desc
- asc
example: desc
type: string
responses:
'200':
content:
application/json:
examples:
simpleListItems:
value:
data:
- _version: WzgsMV0=
comments: []
created_at: '2025-01-07T21:12:25.512Z'
created_by: elastic
description: This is a sample exception item.
entries:
- field: actingProcess.file.signer
operator: excluded
type: exists
- field: host.name
operator: included
type: match_any
value:
- jupiter
- saturn
id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0
type: simple
updated_at: '2025-01-07T21:12:25.512Z'
updated_by: elastic
page: 1
per_page: 20
total: 1
schema:
type: object
properties:
data:
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
type: array
page:
minimum: 1
type: integer
per_page:
minimum: 1
type: integer
pit:
type: string
total:
minimum: 0
type: integer
required:
- data
- page
- per_page
- total
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list list_id: "foo" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Get exception list items
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/exception_lists/summary:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/exception_lists/summary
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a summary of the specified exception list.
operationId: ReadExceptionListSummary
parameters:
- description: Exception list's identifier generated upon creation.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
- description: Exception list's human readable identifier.
in: query
name: list_id
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
- description: |
`single` returns the summary for a list in the current space; `agnostic` returns it for a space-agnostic list.
The value must match the `id` or `list_id` used to look up the list.
examples:
agnostic:
value: agnostic
single:
value: single
in: query
name: namespace_type
required: false
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
- description: Search filter clause
in: query
name: filter
required: false
schema:
example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all"
type: string
responses:
'200':
content:
application/json:
examples:
summary:
value:
linux: 0
macos: 0
total: 0
windows: 0
schema:
type: object
properties:
linux:
minimum: 0
type: integer
macos:
minimum: 0
type: integer
total:
minimum: 0
type: integer
windows:
minimum: 0
type: integer
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob'''
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'exception list id: "foo" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Get an exception list summary
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/exceptions/shared:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/exceptions/shared
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.
> info
> All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
operationId: CreateSharedExceptionList
requestBody:
content:
application/json:
examples:
createSharedExceptionList:
value:
description: This is a sample detection type exception list.
list_id: simple_list
name: Sample Detection Exception List
namespace_type: single
os_types:
- linux
tags:
- malware
schema:
type: object
properties:
description:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
name:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
required:
- name
- description
required: true
responses:
'200':
content:
application/json:
examples:
sharedList:
value:
_version: WzIsMV0=
created_at: '2025-01-07T19:34:27.942Z'
created_by: elastic
description: This is a sample detection type exception list.
id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
immutable: false
list_id: simple_list
name: Sample Detection Exception List
namespace_type: single
os_types:
- linux
tags:
- malware
tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3
type: detection
updated_at: '2025-01-07T19:34:27.942Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body]: list_id: Expected string, received number'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
message: Unable to create exception-list
status_code: 403
schema:
$ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
description: Not enough privileges response
'409':
content:
application/json:
examples:
alreadyExists:
value:
message: 'exception list id: "simple_list" already exists'
status_code: 409
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Exception list already exists response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
description: Internal server error response
summary: Create a shared exception list
tags:
- Security Exceptions API
x-metaTags:
- content: Kibana
name: product_name
/api/features:
get:
description: |
Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana.
operationId: get-features
responses:
'200':
content:
application/json:
examples:
getFeaturesExample:
value: |
{
"features": [
{
"name": "tasks",
"description": "Manages task results"
},
{
"name": "security",
"description": "Manages configuration for Security features, such as users and roles"
},
{
"name": "searchable_snapshots",
"description": "Manages caches and configuration for searchable snapshots"
},
{
"name": "logstash_management",
"description": "Enables Logstash Central Management pipeline storage"
},
{
"name": "transform",
"description": "Manages configuration and state for transforms"
},
{
"name": "kibana",
"description": "Manages Kibana configuration and reports"
},
{
"name": "synonyms",
"description": "Manages synonyms"
},
{
"name": "async_search",
"description": "Manages results of async searches"
},
{
"name": "ent_search",
"description": "Manages configuration for Enterprise Search features"
},
{
"name": "machine_learning",
"description": "Provides anomaly detection and forecasting functionality"
},
{
"name": "geoip",
"description": "Manages data related to GeoIP database downloader"
},
{
"name": "watcher",
"description": "Manages Watch definitions and state"
},
{
"name": "fleet",
"description": "Manages configuration for Fleet"
},
{
"name": "enrich",
"description": "Manages data related to Enrich policies"
},
{
"name": "inference_plugin",
"description": "Inference plugin for managing inference services and inference"
}
]
}
schema:
type: object
description: Indicates a successful call
summary: Get features
tags:
- system
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agent_download_sources:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/agent_download_sources
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all agent binary download sources.
[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.
operationId: get-fleet-agent-download-sources
parameters: []
responses:
'200':
content:
application/json:
examples:
getDownloadSourcesExample:
description: List of agent binary download sources
value:
items:
- host: https://artifacts.elastic.co/downloads/
id: download-source-id-1
is_default: true
name: Elastic Artifacts
page: 1
perPage: 20
total: 1
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
auth:
additionalProperties: false
nullable: true
type: object
properties:
api_key:
type: string
headers:
items:
additionalProperties: false
type: object
properties:
key:
type: string
value:
type: string
required:
- key
- value
maxItems: 100
type: array
password:
type: string
username:
type: string
host:
format: uri
type: string
id:
type: string
is_default:
default: false
type: boolean
name:
type: string
proxy_id:
description: The ID of the proxy to use for this download source. See the proxies API for more information.
nullable: true
type: string
secrets:
additionalProperties: false
type: object
properties:
auth:
additionalProperties: false
type: object
properties:
api_key:
anyOf:
- additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
- type: string
password:
anyOf:
- additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
- type: string
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
- type: string
ssl:
additionalProperties: false
type: object
properties:
certificate:
type: string
certificate_authorities:
items:
type: string
maxItems: 10
type: array
key:
type: string
required:
- id
- name
- host
maxItems: 10000
type: array
page:
type: number
perPage:
type: number
total:
type: number
required:
- items
- total
- page
- perPage
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get agent binary download sources
tags:
- Elastic Agent binary download sources
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the auto-upgrade status for agents assigned to an agent policy.
[Required authorization] Route required privileges: fleet-agents-read.
operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status
parameters:
- description: The ID of the agent policy
in: path
name: agentPolicyId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getAutoUpgradeAgentsStatusExample:
description: Auto-upgrade status for agents in the policy
value:
agentsCount: 5
currentVersion: 8.16.0
failedAgentsCount: 0
upgradedAgentsCount: 3
upgradingAgentsCount: 1
schema:
additionalProperties: false
type: object
properties:
currentVersions:
items:
additionalProperties: false
type: object
properties:
agents:
description: Number of agents that upgraded to this version
type: number
failedUpgradeActionIds:
description: List of action IDs related to failed upgrades
items:
type: string
maxItems: 1000
type: array
failedUpgradeAgents:
description: Number of agents that failed to upgrade to this version
type: number
inProgressUpgradeActionIds:
description: List of action IDs related to in-progress upgrades
items:
type: string
maxItems: 1000
type: array
inProgressUpgradeAgents:
description: Number of agents that are upgrading to this version
type: number
version:
description: Agent version
type: string
required:
- version
- agents
- failedUpgradeAgents
- inProgressUpgradeAgents
maxItems: 10000
type: array
totalAgents:
type: number
required:
- currentVersions
- totalAgents
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get auto upgrade agent status
tags:
- Elastic Agent policies
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agent_policies/{agentPolicyId}/copy:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of outputs associated with agent policy by policy id.
[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.
operationId: get-fleet-agent-policies-agentpolicyid-outputs
parameters:
- description: The ID of the agent policy
in: path
name: agentPolicyId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getAgentPolicyOutputsExample:
description: Outputs associated with the agent policy
value:
item:
data_output:
id: output-id-1
name: Default output
type: elasticsearch
monitoring_output:
id: output-id-1
name: Default output
type: elasticsearch
schema:
additionalProperties: false
type: object
properties:
item:
additionalProperties: false
type: object
properties:
agentPolicyId:
type: string
data:
additionalProperties: false
type: object
properties:
integrations:
items:
additionalProperties: false
type: object
properties:
id:
type: string
integrationPolicyName:
type: string
name:
type: string
pkgName:
type: string
maxItems: 1000
type: array
output:
additionalProperties: false
type: object
properties:
id:
type: string
name:
type: string
required:
- id
- name
required:
- output
monitoring:
additionalProperties: false
type: object
properties:
output:
additionalProperties: false
type: object
properties:
id:
type: string
name:
type: string
required:
- id
- name
required:
- output
required:
- monitoring
- data
required:
- item
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No agent policy was found with the given ID
value:
error: Not Found
message: Agent policy not found
statusCode: 404
description: Not Found
summary: Get outputs for an agent policy
tags:
- Elastic Agent policies
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agent_policies/delete:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/agent_policies/delete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete an agent policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-all.
operationId: post-fleet-agent-policies-delete
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postDeleteAgentPolicyRequestExample:
description: Delete an agent policy by ID
value:
agentPolicyId: agent-policy-id-1
schema:
additionalProperties: false
type: object
properties:
agentPolicyId:
description: The ID of the agent policy
type: string
force:
description: Bypass validation checks that would otherwise prevent deletion of the agent policy.
type: boolean
required:
- agentPolicyId
responses:
'200':
content:
application/json:
examples:
postDeleteAgentPolicyExample:
description: The agent policy was successfully deleted
value:
id: agent-policy-id-1
name: My agent policy
schema:
additionalProperties: false
type: object
properties:
id:
type: string
name:
type: string
required:
- id
- name
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Delete an agent policy
tags:
- Elastic Agent policies
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agent_policies/outputs:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a summary of agent statuses for a given agent policy.
operationId: get-fleet-agent-status
parameters:
- description: Filter by agent policy ID
in: query
name: policyId
required: false
schema:
type: string
- description: Filter by one or more agent policy IDs
in: query
name: policyIds
required: false
schema:
items:
type: string
maxItems: 1000
type: array
- description: A KQL query string to filter results
in: query
name: kuery
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getAgentStatusExample:
description: Agent status summary for an agent policy
value:
results:
error: 1
offline: 2
online: 5
other: 0
updating: 0
totalInactive: 0
schema:
additionalProperties: false
type: object
properties:
results:
additionalProperties: false
type: object
properties:
active:
type: number
all:
type: number
error:
type: number
events:
type: number
inactive:
type: number
offline:
type: number
online:
type: number
orphaned:
type: number
other:
type: number
unenrolled:
type: number
uninstalled:
type: number
updating:
type: number
required:
- events
- online
- error
- offline
- other
- updating
- inactive
- unenrolled
- all
- active
required:
- results
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get an agent status summary
tags:
- Elastic Agent status
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agent_status/data:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/agent_status/data
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the data streams that an agent is actively sending data to.
[Required authorization] Route required privileges: fleet-agents-read.
operationId: get-fleet-agent-status-data
parameters:
- description: Agent IDs to check data for, as an array or comma-separated string
in: query
name: agentsIds
required: true
schema:
items:
type: string
maxItems: 10000
type: array
- description: Filter by integration package name
in: query
name: pkgName
required: false
schema:
type: string
- description: Filter by integration package version
in: query
name: pkgVersion
required: false
schema:
type: string
- description: When true, return a preview of the ingested data
in: query
name: previewData
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
getAgentDataExample:
description: Data streams the agent is actively sending data to
value:
items:
- data:
logs-nginx.access-default:
- id: agent-id-1
name: my-host
total: 1
totalMonitoring: 0
schema:
additionalProperties: false
type: object
properties:
dataPreview:
items:
nullable: true
maxItems: 10000
type: array
items:
items:
additionalProperties:
additionalProperties: false
type: object
properties:
data:
type: boolean
required:
- data
type: object
maxItems: 10000
type: array
required:
- items
- dataPreview
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get incoming agent data
tags:
- Elastic Agents
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agentless_policies:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/agentless_policies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create an agentless policy
operationId: post-fleet-agentless-policies
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The format of the response package policy.
in: query
name: format
required: false
schema:
default: simplified
enum:
- legacy
- simplified
type: string
requestBody:
content:
application/json:
examples:
createAgentlessPoliciesRequestExample:
description: Example request to create agentless policies
value:
description: test
inputs:
ESS Billing-cel:
enabled: true
streams:
ess_billing.billing:
enabled: true
vars:
hide_sensitive: true
http_client_timeout: 30s
lookbehind: 365
tags:
- forwarded
- billing
ess_billing.credits:
enabled: false
vars:
api_key:
organization_id: '1234'
name: ess_billing-1
namespace: default
package:
name: ess_billing
version: 1.6.0
createAgentlessPoliciesReuseAWSCloudConnectorExample:
description: Example request to create agentless policy reusing an existing AWS cloud connector
value:
cloud_connector:
cloud_connector_id: existing-aws-connector-id
target_csp: aws
description: CSPM integration for AWS reusing existing cloud connector
inputs:
cspm-cloudbeat/cis_aws:
enabled: true
streams:
cloud_security_posture.findings:
enabled: true
vars:
aws.account_type: organization-account
aws.credentials.type: cloud_connector
aws.supports_cloud_connectors: true
external_id:
id: ABCDEFGHIJKLMNOPQRST
isSecretRef: true
role_arn: arn:aws:iam::123456789012:role/TestRole
vars:
cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
cspm-cloudbeat/cis_azure:
enabled: false
cspm-cloudbeat/cis_gcp:
enabled: false
name: cspm-aws-reuse-policy
namespace: default
package:
name: cloud_security_posture
version: 3.1.1
vars:
deployment: aws
posture: cspm
createAgentlessPoliciesWithAWSCloudConnectorExample:
description: Example request to create agentless policy with AWS cloud connector
value:
cloud_connector:
target_csp: aws
description: CSPM integration for AWS with cloud connector
inputs:
cspm-cloudbeat/cis_aws:
enabled: true
streams:
cloud_security_posture.findings:
enabled: true
vars:
aws.account_type: organization-account
aws.credentials.type: cloud_connector
aws.supports_cloud_connectors: true
external_id:
id: ABCDEFGHIJKLMNOPQRST
isSecretRef: true
role_arn: arn:aws:iam::123456789012:role/TestRole
vars:
cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
cspm-cloudbeat/cis_azure:
enabled: false
cspm-cloudbeat/cis_gcp:
enabled: false
name: cspm-aws-policy
namespace: default
package:
name: cloud_security_posture
version: 3.1.1
vars:
deployment: aws
posture: cspm
createAgentlessPoliciesWithAzureCloudConnectorExample:
description: Example request to create agentless policy with Azure cloud connector
value:
cloud_connector:
target_csp: azure
description: CSPM integration for Azure with cloud connector
inputs:
cspm-cloudbeat/cis_aws:
enabled: false
cspm-cloudbeat/cis_azure:
enabled: true
streams:
cloud_security_posture.findings:
enabled: true
vars:
azure_credentials_cloud_connector_id:
type: text
value: existing-azure-credentials-connector-id
azure.account_type: organization-account
client_id:
id: client-secret-id
isSecretRef: true
tenant_id:
id: tenant-secret-id
isSecretRef: true
cspm-cloudbeat/cis_gcp:
enabled: false
name: cspm-azure-policy
namespace: default
package:
name: cloud_security_posture
version: 3.1.1
vars:
deployment: azure
posture: cspm
schema:
additionalProperties: false
type: object
properties:
additional_datastreams_permissions:
description: Additional datastream permissions, that will be added to the agent policy.
items:
type: string
maxItems: 100
nullable: true
type: array
cloud_connector:
additionalProperties: false
type: object
properties:
cloud_connector_id:
description: ID of an existing cloud connector to reuse. If not provided, a new connector will be created.
type: string
enabled:
default: false
description: Whether cloud connectors are enabled for this policy.
type: boolean
name:
description: Optional name for the cloud connector. If not provided, it will be auto-generated from the credentials.
maxLength: 255
minLength: 1
type: string
target_csp:
description: Target cloud service provider. If not provided, it will be auto-detected from the inputs.
enum:
- aws
- azure
- gcp
type: string
description:
description: Policy description.
type: string
force:
description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
type: boolean
global_data_tags:
items:
additionalProperties: false
type: object
properties:
name:
description: The name of the custom field. Cannot contain spaces.
type: string
value:
anyOf:
- type: string
- type: number
description: The value of the custom field.
required:
- name
- value
maxItems: 100
type: array
id:
description: Policy unique identifier.
type: string
inputs:
additionalProperties:
additionalProperties: false
type: object
properties:
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
description: Enable or disable that input. Defaults to `true` (enabled).
type: boolean
streams:
additionalProperties:
additionalProperties: false
type: object
properties:
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
description: Enable or disable that stream. Defaults to `true` (enabled).
type: boolean
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
description: Input streams. Refer to the integration documentation to know which streams are available.
type: object
vars:
additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
type: object
name:
description: Unique name for the policy.
type: string
namespace:
description: Policy namespace. When not specified, it inherits the agent policy namespace.
type: string
package:
additionalProperties: false
type: object
properties:
experimental_data_stream_features:
items:
additionalProperties: false
type: object
properties:
data_stream:
type: string
features:
additionalProperties: false
type: object
properties:
doc_value_only_numeric:
type: boolean
doc_value_only_other:
type: boolean
synthetic_source:
type: boolean
tsdb:
type: boolean
required:
- data_stream
- features
maxItems: 100
type: array
fips_compatible:
type: boolean
name:
description: Package name
type: string
requires_root:
type: boolean
title:
type: string
version:
description: Package version
type: string
required:
- name
- version
policy_template:
description: The policy template to use for the agentless package policy. If not provided, the default policy template will be used.
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
required:
- name
- package
responses:
'200':
content:
application/json:
examples:
createAgentlessPoliciesResponseExample:
description: Example response showing the agentless package policy that was created
value:
item:
created_at: '2025-11-06T18:27:43.541Z'
created_by: test_user
description: test
enabled: true
id: d52a7812-5736-4fdc-aed8-72152afa1ffa
inputs:
ESS Billing-cel:
enabled: true
streams:
ess_billing.billing:
enabled: true
vars:
hide_sensitive: true
http_client_timeout: 30s
lookbehind: 365
tags:
- forwarded
- billing
ess_billing.credits:
enabled: false
vars:
api_key:
id: QY1sWpoBbWcMW-edr0Ee
isSecretRef: true
organization_id: '1234'
url: https://billing.elastic-cloud.com
name: ess_billing-1
namespace: default
package:
name: ess_billing
title: Elasticsearch Service Billing
version: 1.6.0
revision: 1
secret_references:
- id: QY1sWpoBbWcMW-edr0Ee
supports_agentless: true
updated_at: '2025-11-06T18:27:43.541Z'
updated_by: test_user
version: WzE0OTgsMV0=
createAgentlessPoliciesWithAWSCloudConnectorResponseExample:
description: Example response for AWS cloud connector integration
value:
item:
cloud_connector_id: aws-connector-67890
created_at: '2025-11-06T18:27:43.541Z'
created_by: test_user
description: CSPM integration for AWS with cloud connector
enabled: true
id: aws-policy-12345
inputs:
cspm-cloudbeat/cis_aws:
enabled: true
streams:
cloud_security_posture.findings:
enabled: true
vars:
aws.account_type: organization-account
aws.credentials.type: cloud_connector
external_id:
id: secret-external-id-123
isSecretRef: true
role_arn: arn:aws:iam::123456789012:role/TestRole
vars:
cloud_formation_template: https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml
cspm-cloudbeat/cis_azure:
enabled: false
cspm-cloudbeat/cis_gcp:
enabled: false
name: cspm-aws-policy
namespace: default
package:
name: cloud_security_posture
title: Cloud Security Posture Management
version: 3.1.1
revision: 1
secret_references:
- id: secret-external-id-123
supports_agentless: true
supports_cloud_connector: true
updated_at: '2025-11-06T18:27:43.541Z'
updated_by: test_user
vars:
deployment: aws
posture: cspm
version: WzE0OTgsMV0=
createAgentlessPoliciesWithAzureCloudConnectorResponseExample:
description: Example response for Azure cloud connector integration
value:
item:
cloud_connector_id: azure-connector-67890
created_at: '2025-11-06T18:27:43.541Z'
created_by: test_user
description: CSPM integration for Azure with cloud connector
enabled: true
id: azure-policy-12345
inputs:
cspm-cloudbeat/cis_aws:
enabled: false
cspm-cloudbeat/cis_azure:
enabled: true
streams:
cloud_security_posture.findings:
enabled: true
vars:
azure_credentials_cloud_connector_id:
type: text
value: existing-azure-credentials-connector-id
azure.account_type: organization-account
client_id:
id: client-secret-id-456
isSecretRef: true
tenant_id:
id: tenant-secret-id-123
isSecretRef: true
cspm-cloudbeat/cis_gcp:
enabled: false
name: cspm-azure-policy
namespace: default
package:
name: cloud_security_posture
title: Cloud Security Posture Management
version: 3.1.1
revision: 1
secret_references:
- id: tenant-secret-id-123
- id: client-secret-id-456
supports_agentless: true
supports_cloud_connector: true
updated_at: '2025-11-06T18:27:43.541Z'
updated_by: test_user
vars:
deployment: azure
posture: cspm
version: WzE0OTgsMV0=
schema:
additionalProperties: false
type: object
properties:
item:
additionalProperties: false
description: The created agentless package policy.
type: object
properties:
additional_datastreams_permissions:
description: Additional datastream permissions that will be added to the agent policy.
items:
type: string
maxItems: 1000
nullable: true
type: array
agents:
type: number
cloud_connector_id:
description: ID of the cloud connector associated with this package policy.
nullable: true
type: string
cloud_connector_name:
description: Transient field for cloud connector name during creation.
maxLength: 255
minLength: 1
nullable: true
type: string
created_at:
type: string
created_by:
type: string
description:
description: Package policy description
type: string
elasticsearch:
additionalProperties: true
type: object
properties:
privileges:
additionalProperties: true
type: object
properties:
cluster:
items:
type: string
maxItems: 100
type: array
enabled:
type: boolean
global_data_tags:
items:
additionalProperties: false
type: object
properties:
name:
description: The name of the custom field. Cannot contain spaces.
type: string
value:
anyOf:
- type: string
- type: number
description: The value of the custom field.
required:
- name
- value
maxItems: 100
nullable: true
type: array
id:
description: Package policy unique identifier.
type: string
inputs:
anyOf:
- items:
additionalProperties: false
type: object
properties:
compiled_input:
nullable: true
config:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
type: boolean
id:
type: string
keep_enabled:
type: boolean
migrate_from:
type: string
name:
type: string
policy_template:
type: string
streams:
items:
additionalProperties: false
type: object
properties:
compiled_stream:
nullable: true
config:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
data_stream:
additionalProperties: false
type: object
properties:
dataset:
type: string
elasticsearch:
additionalProperties: false
type: object
properties:
dynamic_dataset:
type: boolean
dynamic_namespace:
type: boolean
privileges:
additionalProperties: false
type: object
properties:
indices:
items:
type: string
maxItems: 100
type: array
type:
type: string
required:
- dataset
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
type: boolean
id:
type: string
keep_enabled:
type: boolean
migrate_from:
type: string
release:
enum:
- ga
- beta
- experimental
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
required:
- enabled
- data_stream
- compiled_stream
maxItems: 1000
type: array
type:
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
required:
- type
- enabled
- streams
- compiled_input
maxItems: 100
type: array
- additionalProperties:
additionalProperties: false
type: object
properties:
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
description: Enable or disable that input. Defaults to `true` (enabled).
type: boolean
streams:
additionalProperties:
additionalProperties: false
type: object
properties:
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
description: Enable or disable that stream. Defaults to `true` (enabled).
type: boolean
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
description: Input streams. Refer to the integration documentation to know which streams are available.
type: object
vars:
additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
type: object
x-oas-optional: true
description: Package policy inputs.
is_managed:
type: boolean
name:
description: Unique name for the package policy.
type: string
namespace:
description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
type: string
output_id:
nullable: true
type: string
overrides:
additionalProperties: false
description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
nullable: true
type: object
properties:
inputs:
additionalProperties:
nullable: true
type: object
package:
additionalProperties: false
type: object
properties:
experimental_data_stream_features:
items:
additionalProperties: false
type: object
properties:
data_stream:
type: string
features:
additionalProperties: false
type: object
properties:
doc_value_only_numeric:
type: boolean
doc_value_only_other:
type: boolean
synthetic_source:
type: boolean
tsdb:
type: boolean
required:
- data_stream
- features
maxItems: 100
type: array
fips_compatible:
type: boolean
name:
description: Package name
type: string
requires_root:
type: boolean
title:
type: string
version:
description: Package version
type: string
required:
- name
- version
package_agent_version_condition:
type: string
policy_id:
deprecated: true
description: ID of the agent policy which the package policy will be added to.
nullable: true
type: string
policy_ids:
items:
description: IDs of the agent policies to which the package policy will be added.
type: string
maxItems: 1000
type: array
revision:
description: Package policy revision.
type: number
secret_references:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 1000
type: array
spaceIds:
items:
type: string
maxItems: 100
type: array
supports_agentless:
default: false
description: Indicates whether the package policy belongs to an agentless agent policy.
nullable: true
type: boolean
supports_cloud_connector:
default: false
description: Indicates whether the package policy supports cloud connectors.
nullable: true
type: boolean
updated_at:
type: string
updated_by:
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
anyOf:
- additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
- additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
x-oas-optional: true
description: Package level variable.
version:
description: Package policy ES version.
type: string
required:
- name
- enabled
- inputs
- id
- revision
- updated_at
- updated_by
- created_at
- created_by
required:
- item
description: Indicates a successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'409':
content:
application/json:
examples:
conflictErrorResponseExample:
description: Example of a conflict error response
value:
error: Conflict
message: An error message describing what went wrong
statusCode: 409
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Conflict
summary: Create an agentless policy
tags:
- Fleet agentless policies
x-state: Technical Preview; added in 9.3.0
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agentless_policies/{policyId}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Change the privilege level of a single agent to unprivileged.
Unenroll a specific agent, optionally revoking its enrollment API key.
[Required authorization] Route required privileges: fleet-agents-all.
operationId: post-fleet-agents-agentid-unenroll
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The agent ID
in: path
name: agentId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
postUnenrollAgentRequestExample:
description: Unenroll an agent, optionally revoking the enrollment API key
value:
revoke: false
schema:
additionalProperties: false
nullable: true
type: object
properties:
force:
type: boolean
revoke:
type: boolean
responses:
'200':
content:
application/json:
examples:
postUnenrollAgentExample:
description: Agent successfully unenrolled
value: {}
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
description: Bad Request
summary: Unenroll an agent
tags:
- Elastic Agent actions
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agents/{agentId}/upgrade:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of Elastic Agent versions available for upgrade.
[Required authorization] Route required privileges: fleet-agents-read.
operationId: get-fleet-agents-available-versions
parameters: []
responses:
'200':
content:
application/json:
examples:
getAvailableVersionsExample:
description: List of available agent versions for upgrade
value:
items:
- 8.17.0
- 8.16.3
- 8.16.2
schema:
additionalProperties: false
type: object
properties:
items:
items:
type: string
maxItems: 10000
type: array
required:
- items
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get available agent versions
tags:
- Elastic Agents
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agents/bulk_migrate:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/agents/bulk_migrate
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Bulk migrate agents to another cluster.
Change multiple agents' privilege level to unprivileged.
Unenroll multiple agents, optionally revoking their enrollment API keys.
[Required authorization] Route required privileges: fleet-agents-all.
operationId: post-fleet-agents-bulk-unenroll
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postBulkUnenrollAgentsRequestExample:
description: Unenroll multiple agents
value:
agents:
- agent-id-1
- agent-id-2
revoke: false
schema:
additionalProperties: false
type: object
properties:
agents:
anyOf:
- items:
description: list of agent IDs
type: string
maxItems: 10000
type: array
- description: KQL query string, leave empty to action all agents
type: string
batchSize:
type: number
force:
description: Unenrolls hosted agents too
type: boolean
includeInactive:
description: When passing agents by KQL query, unenrolls inactive agents too
type: boolean
revoke:
description: Revokes API keys of agents
type: boolean
required:
- agents
responses:
'200':
content:
application/json:
examples:
postBulkUnenrollAgentsExample:
description: Bulk unenroll action result
value:
actionId: action-id-1
schema:
additionalProperties: false
type: object
properties:
actionId:
type: string
required:
- actionId
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Bulk unenroll agents
tags:
- Elastic Agent actions
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agents/bulk_update_agent_tags:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Upgrade multiple agents to a newer version, with optional rollout controls.
[Required authorization] Route required privileges: fleet-agents-all.
operationId: post-fleet-agents-bulk-upgrade
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postBulkUpgradeAgentsRequestExample:
description: Upgrade multiple agents to a specific version
value:
agents:
- agent-id-1
- agent-id-2
rollout_duration_seconds: 3600
version: 8.17.0
schema:
additionalProperties: false
type: object
properties:
agents:
anyOf:
- items:
type: string
maxItems: 10000
type: array
- type: string
batchSize:
type: number
force:
type: boolean
includeInactive:
default: false
type: boolean
rollout_duration_seconds:
minimum: 600
type: number
skipRateLimitCheck:
type: boolean
source_uri:
type: string
start_time:
type: string
version:
type: string
required:
- agents
- version
responses:
'200':
content:
application/json:
examples:
postBulkUpgradeAgentsExample:
description: Bulk upgrade action result
value:
actionId: action-id-1
schema:
additionalProperties: false
type: object
properties:
actionId:
type: string
required:
- actionId
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Bulk upgrade agents
tags:
- Elastic Agent actions
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agents/files/{fileId}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a file uploaded by an agent.
[Required authorization] Route required privileges: fleet-agents-read.
operationId: get-fleet-agents-files-fileid-filename
parameters:
- description: The ID of the uploaded file
in: path
name: fileId
required: true
schema:
type: string
- description: The name of the uploaded file
in: path
name: fileName
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getAgentUploadFileExample:
description: The uploaded file content as a stream
value:
schema:
type: object
description: Successful response — returns the uploaded file content
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get an uploaded file
tags:
- Elastic Agents
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agents/setup:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/agents/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the current Fleet setup status, including whether Fleet is ready to enroll agents and which requirements or optional features are missing.
[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
operationId: get-fleet-agents-setup
parameters: []
responses:
'200':
content:
application/json:
examples:
agentsSetupNotReadyExample:
description: Fleet is not ready — a Fleet Server and API keys are required
value:
is_action_secrets_storage_enabled: false
is_secrets_storage_enabled: false
is_space_awareness_enabled: false
is_ssl_secrets_storage_enabled: false
isReady: false
missing_optional_features:
- encrypted_saved_object_encryption_key_required
missing_requirements:
- fleet_server
- api_keys
agentsSetupReadyExample:
description: Fleet is ready to enroll agents — all requirements are met
value:
is_action_secrets_storage_enabled: true
is_secrets_storage_enabled: true
is_space_awareness_enabled: false
is_ssl_secrets_storage_enabled: false
isReady: true
missing_optional_features: []
missing_requirements: []
package_verification_key_id: D88DB4CC
schema:
additionalProperties: false
description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing.
type: object
properties:
is_action_secrets_storage_enabled:
type: boolean
is_secrets_storage_enabled:
type: boolean
is_space_awareness_enabled:
type: boolean
is_ssl_secrets_storage_enabled:
type: boolean
isReady:
type: boolean
missing_optional_features:
items:
enum:
- encrypted_saved_object_encryption_key_required
type: string
maxItems: 1
type: array
missing_requirements:
items:
enum:
- security_required
- tls_required
- api_keys
- fleet_admin_user
- fleet_server
type: string
maxItems: 5
type: array
package_verification_key_id:
type: string
required:
- isReady
- missing_requirements
- missing_optional_features
description: Fleet setup status
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get agent setup info
tags:
- Elastic Agents
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/agents/setup
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Initialize Fleet. This endpoint is used by Elastic Agents to trigger Fleet setup. Safe to call multiple times; subsequent calls are idempotent.
[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
operationId: post-fleet-agents-setup
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
responses:
'200':
content:
application/json:
examples:
agentsSetupSuccessExample:
description: Fleet setup initialized successfully with no non-fatal errors
value:
isInitialized: true
nonFatalErrors: []
schema:
additionalProperties: false
description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.
type: object
properties:
isInitialized:
type: boolean
nonFatalErrors:
items:
additionalProperties: false
type: object
properties:
message:
type: string
name:
type: string
required:
- name
- message
maxItems: 10000
type: array
required:
- isInitialized
- nonFatalErrors
description: Fleet setup completed
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Initiate Fleet setup
tags:
- Elastic Agents
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/agents/tags:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/agents/tags
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all tags used across enrolled agents.
[Required authorization] Route required privileges: fleet-agents-read.
operationId: get-fleet-agents-tags
parameters:
- description: A KQL query string to filter results
in: query
name: kuery
required: false
schema:
type: string
- description: When true, include tags from inactive agents
in: query
name: showInactive
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
getAgentTagsExample:
description: List of tags used across agents
value:
items:
- production
- linux
- datacenter-1
schema:
additionalProperties: false
type: object
properties:
items:
items:
type: string
maxItems: 10000
type: array
required:
- items
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get agent tags
tags:
- Elastic Agents
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/check-permissions:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/check-permissions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Check whether the current user has the required permissions to use Fleet. Optionally verifies Fleet Server setup privileges.
operationId: get-fleet-check-permissions
parameters:
- description: When true, check Fleet Server setup privileges in addition to standard Fleet privileges
in: query
name: fleetServerSetup
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
checkPermissionsMissingPrivilegesExample:
description: The current user is missing Fleet privileges
value:
error: MISSING_PRIVILEGES
success: false
checkPermissionsSuccessExample:
description: The current user has all required Fleet permissions
value:
success: true
schema:
additionalProperties: false
type: object
properties:
error:
enum:
- MISSING_SECURITY
- MISSING_PRIVILEGES
- MISSING_FLEET_SERVER_SETUP_PRIVILEGES
type: string
success:
type: boolean
required:
- success
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Check permissions
tags:
- Fleet internals
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/cloud_connectors:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/cloud_connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all Fleet cloud connectors.
[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.
operationId: get-fleet-cloud-connectors
parameters:
- description: The page number for pagination.
in: query
name: page
required: false
schema:
type: string
- description: The number of items per page.
in: query
name: perPage
required: false
schema:
type: string
- description: KQL query to filter cloud connectors.
in: query
name: kuery
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getCloudConnectorsExample:
description: List of Fleet cloud connectors
value:
items:
- accountType: single-account
cloudProvider: aws
created_at: '2024-01-15T10:00:00.000Z'
id: cloud-connector-id-1
name: My AWS connector
packagePolicyCount: 2
updated_at: '2024-01-15T10:00:00.000Z'
vars: {}
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
accountType:
type: string
cloudProvider:
type: string
created_at:
type: string
id:
type: string
name:
type: string
namespace:
type: string
packagePolicyCount:
type: number
updated_at:
type: string
vars:
additionalProperties:
nullable: true
type: object
verification_failed_at:
type: string
verification_started_at:
type: string
verification_status:
type: string
required:
- id
- name
- cloudProvider
- vars
- packagePolicyCount
- created_at
- updated_at
maxItems: 10000
type: array
required:
- items
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get cloud connectors
tags:
- Fleet cloud connectors
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/cloud_connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new Fleet cloud connector.
[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.
operationId: post-fleet-cloud-connectors
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postCloudConnectorRequestExample:
description: Create a new AWS cloud connector
value:
accountType: single-account
cloudProvider: aws
name: My AWS connector
vars: {}
schema:
additionalProperties: false
type: object
properties:
accountType:
description: 'The account type: single-account (single account/subscription) or organization-account (organization-wide).'
enum:
- single-account
- organization-account
type: string
cloudProvider:
description: 'The cloud provider type: aws, azure, or gcp.'
enum:
- aws
- azure
- gcp
type: string
name:
description: The name of the cloud connector.
maxLength: 255
minLength: 1
type: string
vars:
additionalProperties:
anyOf:
- maxLength: 1000
type: string
- type: number
- type: boolean
- additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
maxLength: 50
type: string
value:
anyOf:
- maxLength: 1000
type: string
- additionalProperties: false
type: object
properties:
id:
maxLength: 255
type: string
isSecretRef:
type: boolean
required:
- isSecretRef
- id
required:
- type
- value
type: object
required:
- name
- cloudProvider
- vars
responses:
'200':
content:
application/json:
examples:
postCloudConnectorExample:
description: The created Fleet cloud connector
value:
item:
accountType: single-account
cloudProvider: aws
created_at: '2024-01-15T10:00:00.000Z'
id: cloud-connector-id-2
name: My AWS connector
packagePolicyCount: 0
updated_at: '2024-01-15T10:00:00.000Z'
vars: {}
schema:
additionalProperties: false
type: object
properties:
item:
additionalProperties: false
type: object
properties:
accountType:
type: string
cloudProvider:
type: string
created_at:
type: string
id:
type: string
name:
type: string
namespace:
type: string
packagePolicyCount:
type: number
updated_at:
type: string
vars:
additionalProperties:
nullable: true
type: object
verification_failed_at:
type: string
verification_started_at:
type: string
verification_status:
type: string
required:
- id
- name
- cloudProvider
- vars
- packagePolicyCount
- created_at
- updated_at
required:
- item
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Create cloud connector
tags:
- Fleet cloud connectors
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/cloud_connectors/{cloudConnectorId}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a cloud connector by ID. Use the `force` query parameter to delete even if package policies are still using it.
[Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.
operationId: delete-fleet-cloud-connectors-cloudconnectorid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The unique identifier of the cloud connector to delete.
in: path
name: cloudConnectorId
required: true
schema:
type: string
- description: If true, forces deletion even if the cloud connector is in use.
in: query
name: force
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
deleteCloudConnectorExample:
description: The cloud connector was successfully deleted
value:
id: cloud-connector-id-1
schema:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Delete cloud connector (supports force deletion)
tags:
- Fleet cloud connectors
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of package policies that are using a given cloud connector.
[Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.
operationId: get-fleet-cloud-connectors-cloudconnectorid-usage
parameters:
- description: The unique identifier of the cloud connector.
in: path
name: cloudConnectorId
required: true
schema:
type: string
- description: The page number for pagination.
in: query
name: page
required: false
schema:
minimum: 1
type: number
- description: The number of items per page.
in: query
name: perPage
required: false
schema:
minimum: 1
type: number
responses:
'200':
content:
application/json:
examples:
getCloudConnectorUsageResponseExample:
description: Example response showing package policies using the cloud connector
value:
items:
- created_at: '2025-01-16T09:00:00.000Z'
id: package-policy-1
name: CSPM AWS Policy
package:
name: cloud_security_posture
title: Cloud Security Posture Management
version: 3.1.1
policy_ids:
- policy-id-123
- policy-id-456
updated_at: '2025-01-16T09:00:00.000Z'
page: 1
perPage: 20
total: 2
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
created_at:
type: string
id:
type: string
name:
type: string
package:
additionalProperties: false
type: object
properties:
name:
type: string
title:
type: string
version:
type: string
required:
- name
- title
- version
policy_ids:
items:
type: string
maxItems: 10000
type: array
updated_at:
type: string
required:
- id
- name
- policy_ids
- created_at
- updated_at
maxItems: 10000
type: array
page:
type: number
perPage:
type: number
total:
type: number
required:
- items
- total
- page
- perPage
description: 'OK: A successful request.'
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: Cloud connector not found
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: A bad request.
summary: Get cloud connector usage (package policies using the connector)
tags:
- Fleet cloud connectors
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/data_streams:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/data_streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all Fleet-managed data streams with metadata including package, namespace, size, and last activity.
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all enrollment API keys.
[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.
operationId: get-fleet-enrollment-api-keys
parameters:
- description: Page number
in: query
name: page
required: false
schema:
default: 1
type: number
- description: Number of results per page
in: query
name: perPage
required: false
schema:
default: 20
type: number
- description: A KQL query string to filter results
in: query
name: kuery
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getEnrollmentApiKeysExample:
description: List of enrollment API keys
value:
items:
- active: true
api_key: api-key-value-1
api_key_id: api-key-id-1
created_at: '2024-01-01T00:00:00.000Z'
id: key-id-1
name: Default policy enrollment key
policy_id: policy-id-1
list:
- active: true
api_key: api-key-value-1
api_key_id: api-key-id-1
created_at: '2024-01-01T00:00:00.000Z'
id: key-id-1
name: Default policy enrollment key
policy_id: policy-id-1
page: 1
perPage: 20
total: 1
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
active:
description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
type: boolean
api_key:
description: The enrollment API key (token) used for enrolling Elastic Agents.
type: string
api_key_id:
description: The ID of the API key in the Security API.
type: string
created_at:
type: string
hidden:
type: boolean
id:
type: string
name:
description: The name of the enrollment API key.
type: string
policy_id:
description: The ID of the agent policy the Elastic Agent will be enrolled in.
type: string
required:
- id
- api_key_id
- api_key
- active
- created_at
maxItems: 10000
type: array
list:
deprecated: true
items:
additionalProperties: false
type: object
properties:
active:
description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
type: boolean
api_key:
description: The enrollment API key (token) used for enrolling Elastic Agents.
type: string
api_key_id:
description: The ID of the API key in the Security API.
type: string
created_at:
type: string
hidden:
type: boolean
id:
type: string
name:
description: The name of the enrollment API key.
type: string
policy_id:
description: The ID of the agent policy the Elastic Agent will be enrolled in.
type: string
required:
- id
- api_key_id
- api_key
- active
- created_at
maxItems: 10000
type: array
page:
type: number
perPage:
type: number
total:
type: number
required:
- items
- total
- page
- perPage
- list
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get enrollment API keys
tags:
- Fleet enrollment API keys
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/enrollment_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create an enrollment API key for a given agent policy.
[Required authorization] Route required privileges: fleet-agents-all.
operationId: post-fleet-enrollment-api-keys
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postEnrollmentApiKeyRequestExample:
description: Create an enrollment API key for an agent policy
value:
expiration: '2025-01-01T00:00:00.000Z'
name: My enrollment key
policy_id: policy-id-1
schema:
additionalProperties: false
type: object
properties:
expiration:
type: string
name:
type: string
policy_id:
type: string
required:
- policy_id
responses:
'200':
content:
application/json:
examples:
postEnrollmentApiKeyExample:
description: The created enrollment API key
value:
action: created
item:
active: true
api_key: api-key-value-1
api_key_id: api-key-id-1
created_at: '2024-01-01T00:00:00.000Z'
id: key-id-1
name: My enrollment key
policy_id: policy-id-1
schema:
additionalProperties: false
type: object
properties:
action:
enum:
- created
type: string
item:
additionalProperties: false
type: object
properties:
active:
description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
type: boolean
api_key:
description: The enrollment API key (token) used for enrolling Elastic Agents.
type: string
api_key_id:
description: The ID of the API key in the Security API.
type: string
created_at:
type: string
hidden:
type: boolean
id:
type: string
name:
description: The name of the enrollment API key.
type: string
policy_id:
description: The ID of the agent policy the Elastic Agent will be enrolled in.
type: string
required:
- id
- api_key_id
- api_key
- active
- created_at
required:
- item
- action
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Create an enrollment API key
tags:
- Fleet enrollment API keys
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/enrollment_api_keys/_bulk_delete:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Revoke or delete an enrollment API key by ID. Use `forceDelete=true` to remove the document.
[Required authorization] Route required privileges: fleet-agents-all.
operationId: delete-fleet-enrollment-api-keys-keyid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The ID of the enrollment API key
in: path
name: keyId
required: true
schema:
type: string
- description: When false (default), invalidate the API key and mark the token as inactive. When true, also delete the token document.
in: query
name: forceDelete
required: false
schema:
default: false
type: boolean
- description: When true, allow deletion of hidden enrollment tokens (managed/agentless policies). Defaults to false.
in: query
name: includeHidden
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
deleteEnrollmentApiKeyExample:
description: The enrollment API key was successfully revoked
value:
action: deleted
schema:
additionalProperties: false
type: object
properties:
action:
enum:
- deleted
type: string
required:
- action
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No enrollment API key was found with the given ID
value:
error: Not Found
message: EnrollmentAPIKey key-id-1 not found
statusCode: 404
description: Not Found
summary: Revoke or delete an enrollment API key
tags:
- Fleet enrollment API keys
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get an enrollment API key by ID.
[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.
operationId: get-fleet-enrollment-api-keys-keyid
parameters:
- description: The ID of the enrollment API key
in: path
name: keyId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getEnrollmentApiKeyExample:
description: An enrollment API key
value:
item:
active: true
api_key: api-key-value-1
api_key_id: api-key-id-1
created_at: '2024-01-01T00:00:00.000Z'
id: key-id-1
name: Default policy enrollment key
policy_id: policy-id-1
schema:
additionalProperties: false
type: object
properties:
item:
additionalProperties: false
type: object
properties:
active:
description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
type: boolean
api_key:
description: The enrollment API key (token) used for enrolling Elastic Agents.
type: string
api_key_id:
description: The ID of the API key in the Security API.
type: string
created_at:
type: string
hidden:
type: boolean
id:
type: string
name:
description: The name of the enrollment API key.
type: string
policy_id:
description: The ID of the agent policy the Elastic Agent will be enrolled in.
type: string
required:
- id
- api_key_id
- api_key
- active
- created_at
required:
- item
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No enrollment API key was found with the given ID
value:
error: Not Found
message: EnrollmentAPIKey key-id-1 not found
statusCode: 404
description: Not Found
summary: Get an enrollment API key
tags:
- Fleet enrollment API keys
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/bulk_assets:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/epm/bulk_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve multiple Kibana saved object assets by their IDs and types.
[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
operationId: post-fleet-epm-bulk-assets
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postBulkGetAssetsRequestExample:
description: Retrieve multiple assets by their IDs and types
value:
assetIds:
- id: dashboard-id-1
type: dashboard
- id: index-pattern-id-1
type: index_pattern
schema:
additionalProperties: false
type: object
properties:
assetIds:
items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- id
- type
maxItems: 10000
type: array
required:
- assetIds
responses:
'200':
content:
application/json:
examples:
postBulkGetAssetsExample:
description: Requested assets
value:
items:
- appLink: /app/dashboards#/view/dashboard-id-1
attributes:
title: My Dashboard
id: dashboard-id-1
type: dashboard
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
appLink:
type: string
attributes:
additionalProperties: false
type: object
properties:
description:
type: string
service:
type: string
title:
type: string
id:
type: string
type:
type: string
updatedAt:
type: string
required:
- id
- type
- attributes
maxItems: 10000
type: array
required:
- items
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Bulk get assets
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/categories:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/epm/categories
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of integration categories.
[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
operationId: get-fleet-epm-categories
parameters:
- description: When true, include prerelease packages in the results
in: query
name: prerelease
required: false
schema:
type: boolean
- description: When true, include categories that only contain policy templates
in: query
name: include_policy_templates
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
getCategoriesExample:
description: List of integration categories
value:
items:
- count: 42
id: security
title: Security
- count: 38
id: observability
title: Observability
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
count:
type: number
id:
type: string
parent_id:
type: string
parent_title:
type: string
title:
type: string
required:
- id
- title
- count
maxItems: 10000
type: array
required:
- items
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get package categories
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/custom_integrations:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new custom integration package with user-defined data streams.
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update the datasets of an existing custom integration package.
[Required authorization] Route required privileges: fleet-settings-all AND integrations-all.
operationId: put-fleet-epm-custom-integrations-pkgname
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Package name
in: path
name: pkgName
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
putUpdateCustomIntegrationRequestExample:
description: Update a custom integration
value:
datasets:
- name: my_custom_logs.access
type: logs
integrationName: my_custom_logs
schema:
additionalProperties: false
type: object
properties:
categories:
items:
type: string
maxItems: 10
type: array
readMeData:
type: string
required:
- readMeData
responses:
'200':
content:
application/json:
examples:
putUpdateCustomIntegrationExample:
description: Custom integration successfully updated
value: {}
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Update a custom integration
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/data_streams:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/epm/data_streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of data streams created by installed integration packages.
[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
operationId: get-fleet-epm-data-streams
parameters:
- description: Filter by data stream type
in: query
name: type
required: false
schema:
enum:
- logs
- metrics
- traces
- synthetics
- profiling
type: string
- description: Filter data streams by dataset name
in: query
name: datasetQuery
required: false
schema:
type: string
- description: Sort order, ascending or descending
in: query
name: sortOrder
required: false
schema:
default: asc
enum:
- asc
- desc
type: string
- description: When true, only return data streams that are not associated with a package
in: query
name: uncategorisedOnly
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
getDataStreamsExample:
description: List of data streams from installed packages
value:
items:
- name: logs-system.syslog-default
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
name:
type: string
required:
- name
maxItems: 10000
type: array
required:
- items
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get data streams
tags:
- Data streams
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/epm/packages
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Install a package by uploading a .zip or .tar.gz archive (max 100MB). Only available to superusers.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: post-fleet-epm-packages
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: When true, ignore mapping update errors during installation
in: query
name: ignoreMappingUpdateErrors
required: false
schema:
default: false
type: boolean
- description: When true, skip data stream rollover after installation
in: query
name: skipDataStreamRollover
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/gzip:
examples:
postInstallByUploadRequestExample:
description: Upload a .tar.gz package archive (max 100MB)
schema:
format: binary
type: string
application/zip:
examples:
postInstallByUploadRequestExample:
description: Upload a .zip package archive (max 100MB)
schema:
format: binary
type: string
responses:
'200':
content:
application/gzip; application/zip:
examples:
postInstallByUploadExample:
description: Package successfully installed from upload
value:
_meta:
install_source: upload
items:
- id: my-custom-package-logs-default
type: index_template
schema:
additionalProperties: false
type: object
properties:
_meta:
additionalProperties: false
type: object
properties:
install_source:
type: string
name:
type: string
required:
- install_source
- name
items:
items:
anyOf:
- additionalProperties: false
type: object
properties:
deferred:
type: boolean
id:
type: string
originId:
type: string
type:
anyOf:
- enum:
- dashboard
- lens
- visualization
- search
- index-pattern
- map
- ml-module
- security-rule
- csp-rule-template
- osquery-pack-asset
- osquery-saved-query
- tag
type: string
- type: string
required:
- id
- type
- additionalProperties: false
type: object
properties:
deferred:
type: boolean
id:
type: string
type:
enum:
- index
- index_template
- component_template
- ingest_pipeline
- ilm_policy
- data_stream_ilm_policy
- transform
- ml_model
- knowledge_base
- esql_view
type: string
version:
type: string
required:
- id
- type
maxItems: 10000
type: array
required:
- items
- _meta
application/json:
examples:
postInstallByUploadExample:
description: Package successfully installed from upload
value:
_meta:
install_source: upload
items:
- id: my-custom-package-logs-default
type: index_template
description: Successful response
'400':
content:
application/gzip; application/zip:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
description: Bad Request
summary: Install a package by upload
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
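The upload install above is the one EPM operation that takes attacker-controllable binary input, so a client should validate the archive before it ever reaches Kibana and should treat the 400 body as the Generic Error shape documented here. The following is an added example and not Kibana's own code: it builds the request offline (space prefix, `kbn-xsrf` header, the `ApiKey` authorization header for the `apiKeyAuth` scheme, size and magic-byte checks, the two optional query flags) and parses the response. The assumptions are the `Content-Type` values `application/zip` / `application/gzip` for the archive, and that the request is sent by some HTTP client of your choice; the base URL, space id and key are placeholders.

```python
"""Added example (not Kibana code): build and check a Fleet 'install by upload' request offline.

Assumptions not stated by the spec: the archive is sent with Content-Type application/zip or
application/gzip, and the API key goes in an `Authorization: ApiKey ...` header.
"""
import json
from typing import Optional, Union

MAX_UPLOAD_BYTES = 100 * 1024 * 1024   # "max 100MB" from the endpoint description
ZIP_MAGIC = b"PK\x03\x04"              # local file header that starts every .zip
GZIP_MAGIC = b"\x1f\x8b"               # gzip member header, i.e. a .tar.gz


def fleet_path(path: str, space_id: Optional[str] = None) -> str:
    """Prefix a Kibana API path with /s/{space_id} when a non-default space is targeted."""
    return path if space_id is None else f"/s/{space_id}{path}"


def detect_archive_type(archive: bytes) -> str:
    """Pick the media type from the archive's magic bytes, never from a user-supplied filename."""
    if archive.startswith(ZIP_MAGIC):
        return "application/zip"
    if archive.startswith(GZIP_MAGIC):
        return "application/gzip"
    raise ValueError("archive is neither a .zip nor a .tar.gz (bad magic bytes)")


def build_upload_request(kibana_url: str, archive: bytes, api_key: str,
                         space_id: Optional[str] = None,
                         ignore_mapping_update_errors: bool = False,
                         skip_data_stream_rollover: bool = False) -> dict:
    """Return the HTTP request as a plain dict so it can be inspected before it is sent."""
    if len(archive) > MAX_UPLOAD_BYTES:
        raise ValueError(f"archive is {len(archive)} bytes; Kibana rejects uploads over 100MB")
    params = {}
    # Both flags default to false server-side, so only send them when enabled.
    if ignore_mapping_update_errors:
        params["ignoreMappingUpdateErrors"] = "true"
    if skip_data_stream_rollover:
        params["skipDataStreamRollover"] = "true"
    return {
        "method": "POST",
        "url": kibana_url.rstrip("/") + fleet_path("/api/fleet/epm/packages", space_id),
        "params": params,
        "headers": {
            "kbn-xsrf": "true",                    # required CSRF guard on every mutating call
            "Authorization": f"ApiKey {api_key}",  # apiKeyAuth scheme declared by the spec
            "Content-Type": detect_archive_type(archive),
        },
        "body": archive,
    }


def parse_install_response(status_code: int, body: Union[str, dict]) -> list:
    """Return (id, type) pairs of installed assets, or raise with the Generic Error message."""
    data = json.loads(body) if isinstance(body, str) else body
    if status_code != 200:
        # Generic Error shape: `message` is required; `statusCode` and `error` are optional.
        code = data.get("statusCode", status_code)
        raise RuntimeError(f"install failed ({code}): {data['message']}")
    if data.get("_meta", {}).get("install_source") != "upload":
        raise RuntimeError("unexpected install_source; refusing to treat this as an upload install")
    return [(item["id"], item["type"]) for item in data["items"]]


if __name__ == "__main__":
    # Constructed sample: a minimal zip header is enough to exercise the request builder.
    req = build_upload_request("https://localhost:5601", ZIP_MAGIC + bytes(64), "redacted",
                               space_id="ops", skip_data_stream_rollover=True)
    print(req["method"], req["url"], req["params"], req["headers"]["Content-Type"])
```

Sniffing the magic bytes rather than trusting a filename matters because the spec accepts two archive formats on the same route; a mislabelled body is rejected client-side instead of being parsed by Kibana with superuser privileges.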
/api/fleet/epm/packages/_bulk_uninstall/{taskId}:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the status and results of a bulk package uninstall operation.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: get-fleet-epm-packages-bulk-uninstall-taskid
parameters:
- description: Task ID of the bulk operation
in: path
name: taskId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getBulkOperationDetailsExample:
description: Details of the bulk operation task
value:
results:
- name: system
success: true
- name: elastic_agent
success: true
status: success
schema:
additionalProperties: false
type: object
properties:
error:
additionalProperties: false
type: object
properties:
message:
type: string
required:
- message
results:
items:
additionalProperties: false
type: object
properties:
error:
additionalProperties: false
type: object
properties:
message:
type: string
required:
- message
name:
type: string
success:
type: boolean
required:
- name
- success
maxItems: 10000
type: array
status:
type: string
required:
- status
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get bulk uninstall package details
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/_bulk_upgrade/{taskId}:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the status and results of a bulk package upgrade operation.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: get-fleet-epm-packages-bulk-upgrade-taskid
parameters:
- description: Task ID of the bulk operation
in: path
name: taskId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getBulkOperationDetailsExample:
description: Details of the bulk operation task
value:
results:
- name: system
success: true
- name: elastic_agent
success: true
status: success
schema:
additionalProperties: false
type: object
properties:
error:
additionalProperties: false
type: object
properties:
message:
type: string
required:
- message
results:
items:
additionalProperties: false
type: object
properties:
error:
additionalProperties: false
type: object
properties:
message:
type: string
required:
- message
name:
type: string
success:
type: boolean
required:
- name
- success
maxItems: 10000
type: array
status:
type: string
required:
- status
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get bulk upgrade package details
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
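Bulk upgrade and uninstall return a task ID, and the details routes above are how a caller learns whether every package settled; a script that fires the bulk request and walks away leaves half-upgraded integrations behind. The following is an added example, not Kibana code: it polls the task-details route with capped back-off and splits the `results` array into succeeded and failed packages using the `success` and `error.message` fields from the schema. The HTTP call is injected so the logic runs offline; the assumptions are that a task with `status: pending` is still running and any other status is terminal, and the sample responses are constructed.

```python
"""Added example (not Kibana code): poll a Fleet bulk-operation task and triage its results.

Assumption not stated by the spec: status "pending" means keep polling; any other status is final.
"""
import json
from typing import Callable, Iterator, List

BULK_UPGRADE_TASK = "/api/fleet/epm/packages/_bulk_upgrade/{taskId}"


def triage_bulk_task(body: dict) -> dict:
    """Split a task-details body into succeeded / failed package names.

    A task-level `error` means the whole operation failed; per-package failures
    carry `success: false` and their own `error.message`.
    """
    succeeded, failed = [], {}
    for result in body.get("results", []):
        if result["success"]:
            succeeded.append(result["name"])
        else:
            failed[result["name"]] = result.get("error", {}).get("message", "unknown error")
    return {
        "status": body["status"],
        "succeeded": succeeded,
        "failed": failed,
        "task_error": body.get("error", {}).get("message"),
    }


def poll_bulk_task(fetch: Callable[[str], dict], task_id: str, max_attempts: int = 30,
                   sleep: Callable[[float], None] = lambda seconds: None) -> dict:
    """Call `fetch(path)` until the task leaves "pending" or the attempt budget is spent.

    `fetch` performs the authenticated GET and returns the decoded JSON body;
    `sleep` is injectable so tests do not wait.
    """
    path = BULK_UPGRADE_TASK.format(taskId=task_id)
    last = None
    for attempt in range(max_attempts):
        last = fetch(path)
        if last["status"] != "pending":
            return triage_bulk_task(last)
        sleep(min(2 ** attempt, 30))   # capped exponential back-off between polls
    raise TimeoutError(f"task {task_id} still pending after {max_attempts} polls: {last}")


def fake_kibana(responses: List[dict]) -> Callable[[str], dict]:
    """Constructed stand-in for the HTTP client: hands back canned bodies in order."""
    it: Iterator[dict] = iter(responses)

    def fetch(path: str) -> dict:
        assert path.startswith("/api/fleet/epm/packages/_bulk_upgrade/"), path
        return next(it)

    return fetch


# Constructed sample: the first poll is still running, the second finished with one failure.
SAMPLE_RESPONSES = [
    {"status": "pending"},
    {"status": "success",
     "results": [
         {"name": "system", "success": True},
         {"name": "nginx", "success": False,
          "error": {"message": "upgrade conflicts with an existing package policy"}},
     ]},
]

if __name__ == "__main__":
    print(json.dumps(poll_bulk_task(fake_kibana(SAMPLE_RESPONSES), "task-1"), indent=2))
</```

The same loop serves the `_bulk_uninstall/{taskId}` route since both return the identical `status` / `results` / `error` shape; only the path template changes.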
/api/fleet/epm/packages/{pkgName}/{pkgVersion}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Uninstall a specific version of a package and remove all its assets.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: delete-fleet-epm-packages-pkgname-pkgversion
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Package name
in: path
name: pkgName
required: true
schema:
type: string
- description: Package version
in: path
name: pkgVersion
required: true
schema:
type: string
- description: When true, delete the package even if it has active package policies
in: query
name: force
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
deletePackageExample:
description: Package successfully deleted
value:
items:
- id: aws-logs-aws.cloudwatch_logs-default
type: index_template
schema:
additionalProperties: false
type: object
properties:
items:
items:
anyOf:
- additionalProperties: false
type: object
properties:
deferred:
type: boolean
id:
type: string
originId:
type: string
type:
anyOf:
- enum:
- dashboard
- lens
- visualization
- search
- index-pattern
- map
- ml-module
- security-rule
- csp-rule-template
- osquery-pack-asset
- osquery-saved-query
- tag
type: string
- type: string
required:
- id
- type
- additionalProperties: false
type: object
properties:
deferred:
type: boolean
id:
type: string
type:
enum:
- index
- index_template
- component_template
- ingest_pipeline
- ilm_policy
- data_stream_ilm_policy
- transform
- ml_model
- knowledge_base
- esql_view
type: string
version:
type: string
required:
- id
- type
maxItems: 10000
type: array
required:
- items
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Delete a package
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
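`force=true` on the delete route removes a package even while package policies still reference it, which silently strips the integration from every agent on those policies. The following is an added example and not Kibana code: it reads the package's usage stats (the `response.agent_policy_count` / `response.package_policy_count` shape from the stats route on this page), refuses packages that the limited-package list says cannot be uninstalled, and only emits `force=true` when the caller explicitly asked for it. The allow-list regexes for `pkgName` and `pkgVersion` are assumptions, chosen so that a name read from an untrusted source cannot smuggle `../` or a query string into the path.

```python
"""Added example (not Kibana code): gate DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}
on usage stats and on the limited-package list before building the request.

Assumptions not stated by the spec: package names are [a-z0-9_] and versions are semver-like;
both patterns are conservative allow-lists, not Fleet's own validation.
"""
import re
from typing import Iterable, Optional

PKG_NAME_RE = re.compile(r"[a-z0-9_]+")
PKG_VERSION_RE = re.compile(r"[0-9]+\.[0-9]+\.[0-9]+(?:-[0-9A-Za-z.]+)?")


class PackageInUse(Exception):
    """Raised when the package still backs policies and force was not requested."""


def plan_package_delete(pkg_name: str, pkg_version: str, stats_body: dict, force: bool = False,
                        space_id: Optional[str] = None,
                        limited_packages: Iterable[str] = ()) -> dict:
    """Return the DELETE request as a dict, or raise if the delete should not be sent."""
    if not PKG_NAME_RE.fullmatch(pkg_name) or not PKG_VERSION_RE.fullmatch(pkg_version):
        raise ValueError(f"refusing to build a path from {pkg_name!r} / {pkg_version!r}")
    if pkg_name in set(limited_packages):
        raise ValueError(f"{pkg_name} is on the limited list and cannot be uninstalled")
    stats = stats_body["response"]
    in_use = stats["agent_policy_count"] > 0 or stats["package_policy_count"] > 0
    if in_use and not force:
        raise PackageInUse(
            f"{pkg_name}@{pkg_version} backs {stats['package_policy_count']} package policies "
            f"across {stats['agent_policy_count']} agent policies; pass force=True to delete it "
            "anyway (agents on those policies lose the integration)")
    prefix = f"/s/{space_id}" if space_id else ""
    request = {
        "method": "DELETE",
        "path": f"{prefix}/api/fleet/epm/packages/{pkg_name}/{pkg_version}",
        "headers": {"kbn-xsrf": "true"},   # required on this mutating route
        "params": {},
    }
    if force:
        request["params"]["force"] = "true"   # sent only on explicit request
    return request


def summarize_delete_response(body: dict) -> dict:
    """Count removed assets by type from the 200 body ({"items": [{"id", "type", ...}]})."""
    counts: dict = {}
    for item in body["items"]:
        counts[item["type"]] = counts.get(item["type"], 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed stats body: three agent policies and four package policies use the package.
    busy = {"response": {"agent_policy_count": 3, "package_policy_count": 4}}
    try:
        plan_package_delete("aws", "2.0.0", busy)
    except PackageInUse as exc:
        print("blocked:", exc)
    print(plan_package_delete("aws", "2.0.0", busy, force=True, space_id="ops"))
```

Feeding the list from `/api/fleet/epm/packages/limited` into `limited_packages` turns a guaranteed 400 from Kibana into a local refusal with a clearer reason, and keeps the stats lookup from running at all for `elastic_agent` or `fleet_server`.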
/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete datastream assets for a specific input package, by data stream name.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Package name
in: path
name: pkgName
required: true
schema:
type: string
- description: Package version
in: path
name: pkgVersion
required: true
schema:
type: string
- description: The ID of the package policy
in: query
name: packagePolicyId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
deletePackageDatastreamAssetsExample:
description: Package datastream assets successfully deleted
value:
success: true
schema:
additionalProperties: false
type: object
properties:
success:
type: boolean
required:
- success
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Delete assets for an input package
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/{pkgName}/{pkgVersion}/dependencies:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the list of packages that a specific package depends on.
[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
operationId: get-fleet-epm-packages-pkgname-pkgversion-dependencies
parameters:
- description: Package name
in: path
name: pkgName
required: true
schema:
type: string
- description: Package version
in: path
name: pkgVersion
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
dependenciesResponse:
value:
items:
- name: aws
title: AWS
version: ^2.0.0
- name: system
title: System
version: ^1.0.0
noDependenciesResponse:
value:
items: []
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
name:
type: string
title:
type: string
version:
type: string
required:
- name
- version
- title
maxItems: 1000
type: array
required:
- items
description: 'OK: A successful request.'
'400':
content:
application/json:
examples:
packageNotFoundResponse:
value:
message: '[my-package-1.0.0] package not found in registry'
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: A bad request.
summary: Get package dependencies
tags:
- Elastic Package Manager (EPM)
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete Kibana assets (dashboards, visualizations, etc.) for a specific package version.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Package name
in: path
name: pkgName
required: true
schema:
type: string
- description: Package version
in: path
name: pkgVersion
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
deleteKibanaAssetsExample:
description: Kibana assets successfully deleted
value:
success: true
schema:
additionalProperties: false
type: object
properties:
success:
type: boolean
required:
- success
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Delete Kibana assets for a package
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Install Kibana assets (dashboards, visualizations, etc.) for a specific package version.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Package name
in: path
name: pkgName
required: true
schema:
type: string
- description: Package version
in: path
name: pkgVersion
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
postInstallKibanaAssetsRequestExample:
description: Install Kibana assets for a specific package version
value: {}
schema:
additionalProperties: false
nullable: true
type: object
properties:
force:
type: boolean
space_ids:
description: When provided install assets in the specified spaces instead of the current space.
items:
type: string
maxItems: 100
minItems: 1
type: array
responses:
'200':
content:
application/json:
examples:
postInstallKibanaAssetsExample:
description: Kibana assets successfully installed
value:
success: true
schema:
additionalProperties: false
type: object
properties:
success:
type: boolean
required:
- success
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Install Kibana assets for a package
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Install Kibana alert rule assets for a specific package version.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Package name
in: path
name: pkgName
required: true
schema:
type: string
- description: Package version
in: path
name: pkgVersion
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
postInstallRuleAssetsRequestExample:
description: Install alert rule assets for a specific package version
value: {}
schema:
additionalProperties: false
nullable: true
type: object
properties:
force:
type: boolean
responses:
'200':
content:
application/json:
examples:
postInstallRuleAssetsExample:
description: Rule assets successfully installed
value:
success: true
schema:
additionalProperties: false
type: object
properties:
success:
type: boolean
required:
- success
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Install Kibana alert rule assets for a package
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Review and accept or reject a pending policy upgrade for a package that contains deprecations.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: post-fleet-epm-packages-pkgname-review-upgrade
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Package name to review upgrade for
in: path
name: pkgName
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
acceptUpgrade:
value:
action: accept
target_version: 2.0.0
schema:
additionalProperties: false
type: object
properties:
action:
enum:
- accept
- decline
- pending
type: string
target_version:
type: string
required:
- action
- target_version
responses:
'200':
content:
application/json:
examples:
successResponse:
value:
success: true
schema:
additionalProperties: false
type: object
properties:
success:
type: boolean
required:
- success
description: 'OK: A successful request.'
'400':
content:
application/json:
examples:
badRequestResponse:
value:
message: Bad Request
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: A bad request.
summary: Review a pending policy upgrade for a package with deprecations
tags:
- Elastic Package Manager (EPM)
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/{pkgName}/rollback:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Roll back a package to its previously installed version.
[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
operationId: post-fleet-epm-packages-pkgname-rollback
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Package name to roll back
in: path
name: pkgName
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
successResponse:
value:
success: true
version: 1.0.0
schema:
additionalProperties: false
type: object
properties:
success:
type: boolean
version:
type: string
required:
- version
- success
description: 'OK: A successful request.'
'400':
content:
application/json:
examples:
badRequestResponse:
value:
message: Bad Request
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: A bad request.
summary: Roll back a package to its previous version
tags:
- Elastic Package Manager (EPM)
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/{pkgName}/stats:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get usage statistics for a specific package, such as the number of agent policies using it.
[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
operationId: get-fleet-epm-packages-pkgname-stats
parameters:
- description: Package name
in: path
name: pkgName
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getPackageStatsExample:
description: Usage stats for a specific package
value:
response:
agent_policy_count: 3
package_policy_count: 4
schema:
additionalProperties: false
type: object
properties:
response:
additionalProperties: false
type: object
properties:
agent_policy_count:
type: number
package_policy_count:
type: number
required:
- agent_policy_count
- package_policy_count
required:
- response
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get package stats
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/installed:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/epm/packages/installed
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all currently installed integration packages.
[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
operationId: get-fleet-epm-packages-installed
parameters:
- description: Filter by data stream type
in: query
name: dataStreamType
required: false
schema:
enum:
- logs
- metrics
- traces
- synthetics
- profiling
type: string
- description: When true, only return packages with active data streams
in: query
name: showOnlyActiveDataStreams
required: false
schema:
type: boolean
- description: Filter packages by name
in: query
name: nameQuery
required: false
schema:
type: string
- description: Sort values from the previous page for `search_after` pagination
in: query
name: searchAfter
required: false
schema:
items:
anyOf:
- type: string
- type: number
maxItems: 10
type: array
- description: Number of results per page
in: query
name: perPage
required: false
schema:
default: 15
type: number
- description: Sort order, ascending or descending
in: query
name: sortOrder
required: false
schema:
default: asc
enum:
- asc
- desc
type: string
responses:
'200':
content:
application/json:
examples:
getInstalledPackagesExample:
description: List of installed integration packages
value:
items:
- name: system
status: installed
title: System
version: 1.55.0
- name: elastic_agent
status: installed
title: Elastic Agent
version: 1.15.0
searchExcluded: 0
total: 2
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
dataStreams:
items:
additionalProperties: false
type: object
properties:
name:
type: string
title:
type: string
required:
- name
- title
maxItems: 10000
type: array
description:
type: string
icons:
items:
additionalProperties: false
type: object
properties:
dark_mode:
type: boolean
path:
type: string
size:
type: string
src:
type: string
title:
type: string
type:
type: string
required:
- src
maxItems: 100
type: array
name:
type: string
status:
type: string
title:
type: string
version:
type: string
required:
- name
- version
- status
- dataStreams
maxItems: 10000
type: array
searchAfter:
items:
anyOf:
- type: string
- type: number
- type: boolean
- nullable: true
nullable: true
maxItems: 2
type: array
total:
type: number
required:
- items
- total
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get installed packages
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/packages/limited:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/epm/packages/limited
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the list of packages that cannot be uninstalled (e.g. elastic_agent, fleet_server).
[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
operationId: get-fleet-epm-packages-limited
parameters: []
responses:
'200':
content:
application/json:
examples:
getLimitedPackagesExample:
description: List of packages that cannot be uninstalled
value:
items:
- elastic_agent
- fleet_server
schema:
additionalProperties: false
type: object
properties:
items:
items:
type: string
maxItems: 10000
type: array
required:
- items
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get a limited package list
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/epm/verification_key_id:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/epm/verification_key_id
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the GPG key ID used to verify the signatures of packages from the Elastic Package Registry.
[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
operationId: get-fleet-epm-verification-key-id
parameters: []
responses:
'200':
content:
application/json:
examples:
getVerificationKeyIdExample:
description: The GPG key ID used to verify package signatures
value:
id: D27D666CD88E42B4
schema:
additionalProperties: false
type: object
properties:
id:
nullable: true
type: string
required:
- id
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get a package signature verification key ID
tags:
- Elastic Package Manager (EPM)
x-metaTags:
- content: Kibana
name: product_name
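The key ID this route returns is only useful if it is compared against a value the operator trusts, so the following added example (not Kibana code) pins it: it parses the documented response body, normalises the hex ID, and checks it against the long key ID derived from a fingerprint supplied out of band. The fingerprint constant below is the one whose long key ID matches the page's example `D27D666CD88E42B4`; treat it as a placeholder and substitute the fingerprint you have verified yourself. The `null` case (the schema marks `id` nullable) is reported as a failure because it means Kibana has no signing key to verify packages with.

```python
"""Pin the package-signature key ID reported by GET /api/fleet/epm/verification_key_id.

Added example, not Kibana code. It parses the documented JSON body only; no
network access is needed.
"""
import json
import re
from typing import Tuple

# Constructed placeholder: a 40-hex-digit OpenPGP v4 fingerprint whose last 16
# digits are the long key ID in the page's example. Replace with the fingerprint
# you verified out of band before relying on this check.
EXPECTED_FINGERPRINT = "4609 5ACC 8548 582C 1A26 99A9 D27D 666C D88E 42B4"

_HEX = re.compile(r"^[0-9A-F]+$")


def normalize_key_id(value: str) -> str:
    """Strip an optional 0x prefix, whitespace and case; return uppercase hex."""
    v = value.strip()
    if v[:2].lower() == "0x":
        v = v[2:]
    v = re.sub(r"\s+", "", v).upper()
    if not _HEX.match(v):
        raise ValueError(f"not a hex key ID: {value!r}")
    return v


def long_key_id(value: str) -> str:
    """OpenPGP long key ID: the low-order 64 bits (last 16 hex digits) of a fingerprint.

    Accepts either a full v4 fingerprint (40 hex digits) or a long key ID (16).
    """
    v = normalize_key_id(value)
    if len(v) not in (16, 40):
        raise ValueError(f"expected 16 or 40 hex digits, got {len(v)}")
    return v[-16:]


def check_verification_key(body: str, expected_fingerprint: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the JSON body of the verification_key_id route."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc}"
    if not isinstance(doc, dict) or "id" not in doc:
        return False, "response has no 'id' field"
    reported = doc["id"]
    if reported is None:
        # The schema allows null: Kibana has no signing key loaded, so package
        # signatures cannot be verified at all. Treat as a hard failure.
        return False, "no package verification key is configured in Kibana"
    try:
        got = long_key_id(str(reported))
        want = long_key_id(expected_fingerprint)
    except ValueError as exc:
        return False, str(exc)
    if got != want:
        return False, f"reported key ID {got} does not match pinned key {want}"
    return True, f"package signing key {got} matches the pinned key"


# Constructed sample bodies: the page's example, the null case, and a stray key.
SAMPLE_OK = '{"id": "D27D666CD88E42B4"}'
SAMPLE_NULL = '{"id": null}'
SAMPLE_OTHER = '{"id": "0123456789abcdef"}'

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_NULL, SAMPLE_OTHER):
        print(check_verification_key(sample, EXPECTED_FINGERPRINT))
```

Run this against the live response before enabling package installation in an automated pipeline; a mismatch means the registry Kibana trusts is not the one you expect.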
/api/fleet/fleet_server_hosts/{itemId}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a Fleet Server host by ID.
[Required authorization] Route required privileges: fleet-settings-all.
operationId: delete-fleet-fleet-server-hosts-itemid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The ID of the Fleet Server host
in: path
name: itemId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
deleteFleetServerHostExample:
description: The Fleet Server host was successfully deleted
value:
id: fleet-server-host-id-1
schema:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No Fleet Server host was found with the given ID
value:
error: Not Found
message: Fleet server fleet-server-host-id-1 not found
statusCode: 404
description: Not Found
summary: Delete a Fleet Server host
tags:
- Fleet Server hosts
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/health_check:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Check the health status of a Fleet Server instance by its host ID. Returns the server status and name if available.
[Required authorization] Route required privileges: fleet-settings-all.
operationId: post-fleet-health-check
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postHealthCheckRequestExample:
description: Check the health of a Fleet Server instance by its host ID
value:
id: fleet-server-host-id-1
schema:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
responses:
'200':
content:
application/json:
examples:
postHealthCheckHealthyExample:
description: Fleet Server is online and healthy
value:
name: fleet-server-1
status: ONLINE
postHealthCheckUnreachableExample:
description: Fleet Server host is not reachable (request timed out or aborted)
value:
host_id: fleet-server-host-id-1
status: OFFLINE
schema:
additionalProperties: false
type: object
properties:
host_id:
type: string
name:
type: string
status:
type: string
required:
- status
description: Successful health check response
'400':
content:
application/json:
examples:
badRequestExample:
description: The host ID exists but has no associated host URLs configured
value:
error: Bad Request
message: The requested host id fleet-server-host-id-1 does not have associated host urls.
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No Fleet Server host was found with the given ID
value:
error: Not Found
message: The requested host id fleet-server-host-id-1 does not exist.
statusCode: 404
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Not Found
summary: Check Fleet Server health
tags:
- Fleet internals
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/kubernetes:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/kubernetes
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the Kubernetes manifest for deploying Elastic Agent.
[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.
operationId: get-fleet-kubernetes
parameters:
- description: If true, returns the manifest as a downloadable file
in: query
name: download
required: false
schema:
type: boolean
- description: Fleet Server host URL to include in the manifest
in: query
name: fleetServer
required: false
schema:
type: string
- description: Enrollment token to include in the manifest
in: query
name: enrolToken
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getK8sManifestExample:
description: The Kubernetes manifest for deploying Elastic Agent
value:
item: "apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n"
schema:
additionalProperties: false
type: object
properties:
item:
type: string
required:
- item
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get a full K8s agent manifest
tags:
- Elastic Agent policies
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/kubernetes/download:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/kubernetes/download
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Download the Kubernetes manifest for deploying Elastic Agent.
[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.
operationId: get-fleet-kubernetes-download
parameters:
- description: If true, returns the manifest as a downloadable file
in: query
name: download
required: false
schema:
type: boolean
- description: Fleet Server host URL to include in the manifest
in: query
name: fleetServer
required: false
schema:
type: string
- description: Enrollment token to include in the manifest
in: query
name: enrolToken
required: false
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getDownloadK8sManifestExample:
description: The Kubernetes manifest download
value: "apiVersion: v1\nkind: ConfigMap\nmetadata:\n name: agent-node-datastreams\n namespace: kube-system\n"
schema:
type: string
description: Successful response — returns the Kubernetes manifest as a YAML file download
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No manifest was found
value:
error: Not Found
message: Agent manifest not found
statusCode: 404
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Not Found
summary: Download an agent manifest
tags:
- Elastic Agent policies
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/logstash_api_keys:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/logstash_api_keys
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Generate an API key for Logstash to use with a Fleet output.
[Required authorization] Route required privileges: fleet-settings-all.
operationId: post-fleet-logstash-api-keys
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
responses:
'200':
content:
application/json:
examples:
postLogstashApiKeyExample:
description: The generated Logstash API key
value:
api_key: TiNAGG4BaaMdaH1tRfuU:KnR6yE41RrSowb0kQ0HWoA
schema:
additionalProperties: false
type: object
properties:
api_key:
type: string
required:
- api_key
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Generate a Logstash API key
tags:
- Fleet outputs
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/message_signing_service/rotate_key_pair:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Rotate the key pair used by Fleet to sign messages sent to Elastic Agents. This operation is irreversible and requires all agents in the Fleet to be re-enrolled after rotation. You must explicitly acknowledge the risk by passing `acknowledge=true` as a query parameter.
[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.
operationId: post-fleet-message-signing-service-rotate-key-pair
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Set to true to confirm you understand the risks of rotating the key pair
in: query
name: acknowledge
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
rotateKeyPairSuccessExample:
description: The key pair was rotated. All agents must be re-enrolled to receive the new signing key.
value:
message: Key pair rotated successfully.
schema:
additionalProperties: false
type: object
properties:
message:
type: string
required:
- message
description: Key pair rotated successfully
'400':
content:
application/json:
examples:
acknowledgeRequiredExample:
description: Request was rejected because the acknowledge query parameter was not set to true
value:
error: Bad Request
message: 'Warning: this API will cause a key pair to rotate and should not be necessary in normal operation. If you proceed, you may need to reinstall Agents in your network. You must acknowledge the risks of rotating the key pair with acknowledge=true in the request parameters. For more information, reach out to your administrator.'
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'500':
content:
application/json:
examples:
serviceUnavailableExample:
description: The message signing service is not available
value:
error: Internal Server Error
message: Failed to rotate key pair. Message signing service is unavailable!
statusCode: 500
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Internal Server Error
summary: Rotate a Fleet message signing key pair
tags:
- Message Signing Service
x-metaTags:
- content: Kibana
name: product_name
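The Fleet Server host delete route and the key-rotation route above share the mechanics every mutating Fleet call needs: the `/s/{space_id}` prefix where the route is space-scoped, the mandatory `kbn-xsrf` header, API-key authentication (the `apiKeyAuth` scheme declared for this spec), and a path parameter that must be percent-encoded so a caller-supplied ID cannot rewrite the route. The following added example (not Kibana's client code) builds those two requests and mirrors the rotation route's `acknowledge=true` guard on the client side. The base URL, API key and IDs are constructed placeholders; `send()` is the only function that touches the network and is not exercised here.

```python
"""Build Kibana Fleet API requests as this spec requires.

Added example, not Kibana code. Demonstrates the /s/{space_id} prefix, the
kbn-xsrf header on mutating methods, ApiKey authentication, percent-encoded
path parameters, and the explicit acknowledge guard on key-pair rotation.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple

MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def api_key_header(key_id: str, key_secret: str) -> str:
    """Elasticsearch API-key auth: base64("id:secret") behind the ApiKey scheme."""
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    return f"ApiKey {token}"


def build_request(base_url: str, method: str, path: str, *, api_key: Tuple[str, str],
                  space_id: Optional[str] = None, query: Optional[Dict[str, str]] = None,
                  body: Optional[dict] = None) -> dict:
    """Return {method, url, headers, body} for a public /api/ route."""
    method = method.upper()
    if not path.startswith("/api/"):
        raise ValueError("only public /api/ routes are supported here")
    # Space-scoped form is /s/{space_id}/api/...; the space ID is itself a path
    # segment, so it is quoted like any other path parameter.
    prefix = f"/s/{urllib.parse.quote(space_id, safe='')}" if space_id else ""
    url = base_url.rstrip("/") + prefix + path
    if query:
        url += "?" + urllib.parse.urlencode(query)
    headers = {"Authorization": api_key_header(*api_key), "Accept": "application/json"}
    if method in MUTATING:
        headers["kbn-xsrf"] = "true"  # Kibana rejects mutating requests without it
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    return {"method": method, "url": url, "headers": headers, "body": data}


def delete_fleet_server_host_request(base_url: str, api_key: Tuple[str, str], item_id: str,
                                     space_id: Optional[str] = None) -> dict:
    """DELETE /api/fleet/fleet_server_hosts/{itemId}, optionally space-scoped."""
    # Quote the ID so a value such as "../outputs" cannot change the route.
    path = f"/api/fleet/fleet_server_hosts/{urllib.parse.quote(item_id, safe='')}"
    return build_request(base_url, "DELETE", path, api_key=api_key, space_id=space_id)


def rotate_key_pair_request(base_url: str, api_key: Tuple[str, str], acknowledge: bool = False) -> dict:
    """POST /api/fleet/message_signing_service/rotate_key_pair?acknowledge=true."""
    # Mirror the server-side guard: refuse to build the request unless the caller
    # has explicitly acknowledged that every agent must be re-enrolled afterwards.
    if acknowledge is not True:
        raise PermissionError("rotating the message-signing key pair requires acknowledge=True")
    return build_request(base_url, "POST", "/api/fleet/message_signing_service/rotate_key_pair",
                         api_key=api_key, query={"acknowledge": "true"})


def send(req: dict, timeout: float = 30.0):
    """Perform a built request with urllib and return (status, parsed JSON body)."""
    r = urllib.request.Request(req["url"], data=req["body"], method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read() or b"null")


if __name__ == "__main__":
    # Constructed placeholders; nothing is sent.
    key = ("my-key-id", "my-key-secret")
    print(delete_fleet_server_host_request("https://kibana.example:5601", key,
                                           "fleet-server-host-id-1", space_id="prod"))
    print(rotate_key_pair_request("https://kibana.example:5601", key, acknowledge=True))
```

Keep the rotation guard even in automation: the route's own 400 response only fires after the request reaches Kibana, and by then the API key used has already been exercised with fleet-agents-all, fleet-agent-policies-all and fleet-settings-all.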
/api/fleet/outputs:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all Fleet outputs.
[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.
operationId: get-fleet-outputs
parameters: []
responses:
'200':
content:
application/json:
examples:
getOutputsExample:
description: List of Fleet outputs
value:
items:
- hosts:
- https://elasticsearch.example.com:9200
id: output-id-1
is_default: true
is_default_monitoring: true
name: Default output
type: elasticsearch
page: 1
perPage: 20
total: 1
schema:
additionalProperties: false
type: object
properties:
items:
items:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka'
maxItems: 10000
type: array
page:
type: number
perPage:
type: number
total:
type: number
required:
- items
- total
- page
- perPage
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get outputs
tags:
- Fleet outputs
x-metaTags:
- content: Kibana
name: product_name
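Outputs are where every enrolled agent ships its data, so the list above is worth auditing for plaintext transport. The following added example (not Kibana code) reads the documented list shape (`items`, `total`, `page`, `perPage`) and flags outputs that are not using TLS. For `elasticsearch` and `remote_elasticsearch` outputs the hosts are URLs, so the scheme is checked directly. For `logstash` and `kafka` outputs the hosts are `host:port` strings, and the example assumes TLS is expressed through an `ssl` object carrying `certificate_authorities`; that field is an assumption about the referenced output schemas, which this section does not reproduce. The sample response is constructed.

```python
"""Audit Fleet outputs from GET /api/fleet/outputs for non-TLS transport.

Added example, not Kibana code. Works on the documented JSON body offline.
"""
import json
from typing import Dict, List
from urllib.parse import urlsplit

URL_HOST_TYPES = {"elasticsearch", "remote_elasticsearch"}   # hosts are URLs
HOSTPORT_TYPES = {"logstash", "kafka"}                        # hosts are host:port


def output_findings(output: dict) -> List[str]:
    """Return a list of transport-security findings for one output object."""
    findings: List[str] = []
    otype = output.get("type")
    hosts = output.get("hosts") or []
    if not hosts:
        findings.append("no hosts configured")
    if otype in URL_HOST_TYPES:
        for host in hosts:
            if urlsplit(host).scheme != "https":
                findings.append(f"host {host} is not https")
    elif otype in HOSTPORT_TYPES:
        # Assumed field layout: ssl.certificate_authorities on logstash/kafka outputs.
        ssl = output.get("ssl") or {}
        if not ssl.get("certificate_authorities"):
            findings.append(f"{otype} output has no ssl.certificate_authorities; "
                            "transport may be plaintext or the server unpinned")
    else:
        findings.append(f"unknown output type {otype!r}")
    return findings


def audit_outputs(body: str) -> Dict[str, object]:
    """Audit the list response; default outputs get their findings escalated."""
    doc = json.loads(body)
    items = doc.get("items", [])
    findings: Dict[str, List[str]] = {}
    for item in items:
        f = output_findings(item)
        if item.get("is_default") or item.get("is_default_monitoring"):
            # Default outputs receive data from every policy that does not override them.
            f = [f"[default output] {x}" for x in f]
        findings[item["id"]] = f
    return {
        # A total larger than the returned page means the audit did not see every output.
        "complete": doc.get("total", len(items)) <= len(items),
        "findings": findings,
    }


# Constructed sample: the page's example output plus two weaker ones.
SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"id": "output-id-1", "name": "Default output", "type": "elasticsearch",
         "is_default": True, "is_default_monitoring": True,
         "hosts": ["https://elasticsearch.example.com:9200"]},
        {"id": "output-id-2", "name": "Legacy cluster", "type": "elasticsearch",
         "is_default": False, "is_default_monitoring": False,
         "hosts": ["http://10.0.0.5:9200"]},
        {"id": "output-id-3", "name": "Logstash", "type": "logstash",
         "is_default": False, "is_default_monitoring": False,
         "hosts": ["logstash.example.com:5044"]},
    ],
    "total": 3, "page": 1, "perPage": 20,
})

if __name__ == "__main__":
    print(json.dumps(audit_outputs(SAMPLE_RESPONSE), indent=2))
```

Run it against the real list response with a read-only key (fleet-settings-read is enough for this route) and fail the pipeline on any finding against a default output.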
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/outputs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new Fleet output.
[Required authorization] Route required privileges: fleet-settings-all.
operationId: post-fleet-outputs
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postOutputRequestExample:
description: Create a new Elasticsearch output
value:
hosts:
- https://elasticsearch.example.com:9200
is_default: false
is_default_monitoring: false
name: My output
type: elasticsearch
schema:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_remote_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_logstash'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_new_output_kafka'
responses:
'200':
content:
application/json:
examples:
postOutputExample:
description: The created Fleet output
value:
item:
hosts:
- https://elasticsearch.example.com:9200
id: output-id-2
is_default: false
is_default_monitoring: false
name: My output
type: elasticsearch
schema:
additionalProperties: false
type: object
properties:
item:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka'
required:
- item
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Create output
tags:
- Fleet outputs
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/outputs/{outputId}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete output by ID.
[Required authorization] Route required privileges: fleet-settings-all.
operationId: delete-fleet-outputs-outputid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The ID of the output
in: path
name: outputId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
deleteOutputExample:
description: The output was successfully deleted
value:
id: output-id-1
schema:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No output was found with the given ID
value:
error: Not Found
message: Output output-id-1 not found
statusCode: 404
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Not Found
summary: Delete output
tags:
- Fleet outputs
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get output by ID.
[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.
operationId: get-fleet-outputs-outputid
parameters:
- description: The ID of the output
in: path
name: outputId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getOutputExample:
description: A Fleet output
value:
item:
hosts:
- https://elasticsearch.example.com:9200
id: output-id-1
is_default: true
is_default_monitoring: true
name: Default output
type: elasticsearch
schema:
additionalProperties: false
type: object
properties:
item:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka'
required:
- item
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No output was found with the given ID
value:
error: Not Found
message: Output output-id-1 not found
statusCode: 404
description: Not Found
summary: Get output
tags:
- Fleet outputs
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/fleet/outputs/{outputId}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update output by ID.
[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.
operationId: put-fleet-outputs-outputid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The ID of the output
in: path
name: outputId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
putOutputRequestExample:
description: Update a Fleet output
value:
hosts:
- https://updated-elasticsearch.example.com:9200
name: Updated output
schema:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_remote_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_logstash'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_update_output_kafka'
responses:
'200':
content:
application/json:
examples:
putOutputExample:
description: The updated Fleet output
value:
item:
hosts:
- https://updated-elasticsearch.example.com:9200
id: output-id-1
is_default: true
is_default_monitoring: true
name: Updated output
type: elasticsearch
schema:
additionalProperties: false
type: object
properties:
item:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_remote_elasticsearch'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_logstash'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_kafka'
required:
- item
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No output was found with the given ID
value:
error: Not Found
message: Output output-id-1 not found
statusCode: 404
description: Not Found
summary: Update output
tags:
- Fleet outputs
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/package_policies/upgrade/dryrun:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Preview the changes that would be applied by upgrading a package policy to a newer package version.
[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.
operationId: post-fleet-package-policies-upgrade-dryrun
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postDryRunPackagePoliciesRequestExample:
description: Dry run an upgrade of a package policy
value:
packagePolicyIds:
- package-policy-id-1
schema:
additionalProperties: false
type: object
properties:
packagePolicyIds:
items:
type: string
maxItems: 1000
type: array
packageVersion:
type: string
required:
- packagePolicyIds
responses:
'200':
content:
application/json:
examples:
postDryRunPackagePoliciesExample:
description: Preview of the package policy upgrade diff
value:
- diff:
- id: package-policy-id-1
name: nginx-1
package:
name: nginx
version: 1.20.0
- name: nginx-1
package:
name: nginx
version: 1.21.0
hasErrors: false
name: nginx-1
schema:
items:
additionalProperties: false
type: object
properties:
agent_diff:
items:
items:
additionalProperties: true
type: object
properties:
data_stream:
additionalProperties: true
type: object
properties:
namespace:
type: string
required:
- namespace
id:
type: string
meta:
additionalProperties: true
type: object
properties:
package:
additionalProperties: true
type: object
properties:
name:
type: string
version:
type: string
required:
- name
- version
required:
- package
name:
type: string
package_policy_id:
type: string
processors:
items:
additionalProperties: true
type: object
properties:
add_fields:
additionalProperties: true
type: object
properties:
fields:
additionalProperties:
anyOf:
- type: string
- type: number
type: object
target:
type: string
required:
- target
- fields
required:
- add_fields
maxItems: 10000
type: array
revision:
type: number
streams:
items:
additionalProperties: true
type: object
properties:
data_stream:
additionalProperties: true
type: object
properties:
dataset:
type: string
type:
type: string
required:
- dataset
id:
type: string
required:
- data_stream
maxItems: 10000
type: array
type:
type: string
use_output:
type: string
required:
- id
- name
- revision
- type
- data_stream
- use_output
- package_policy_id
maxItems: 10000
type: array
maxItems: 1
type: array
body:
additionalProperties: false
type: object
properties:
message:
type: string
required:
- message
diff:
items:
anyOf:
- additionalProperties: false
type: object
properties:
additional_datastreams_permissions:
description: Additional datastream permissions, that will be added to the agent policy.
items:
type: string
maxItems: 1000
nullable: true
type: array
agents:
type: number
cloud_connector_id:
description: ID of the cloud connector associated with this package policy.
nullable: true
type: string
cloud_connector_name:
description: Transient field for cloud connector name during creation.
maxLength: 255
minLength: 1
nullable: true
type: string
created_at:
type: string
created_by:
type: string
description:
description: Package policy description
type: string
elasticsearch:
additionalProperties: true
type: object
properties:
privileges:
additionalProperties: true
type: object
properties:
cluster:
items:
type: string
maxItems: 100
type: array
enabled:
type: boolean
global_data_tags:
items:
additionalProperties: false
type: object
properties:
name:
description: The name of the custom field. Cannot contain spaces.
type: string
value:
anyOf:
- type: string
- type: number
description: The value of the custom field.
required:
- name
- value
maxItems: 100
nullable: true
type: array
id:
type: string
inputs:
anyOf:
- items:
additionalProperties: false
type: object
properties:
compiled_input:
nullable: true
config:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
type: boolean
id:
type: string
keep_enabled:
type: boolean
migrate_from:
type: string
name:
type: string
policy_template:
type: string
streams:
items:
additionalProperties: false
type: object
properties:
compiled_stream:
nullable: true
config:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
data_stream:
additionalProperties: false
type: object
properties:
dataset:
type: string
elasticsearch:
additionalProperties: false
type: object
properties:
dynamic_dataset:
type: boolean
dynamic_namespace:
type: boolean
privileges:
additionalProperties: false
type: object
properties:
indices:
items:
type: string
maxItems: 100
type: array
type:
type: string
required:
- dataset
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
type: boolean
id:
type: string
keep_enabled:
type: boolean
migrate_from:
type: string
release:
enum:
- ga
- beta
- experimental
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
required:
- enabled
- data_stream
- compiled_stream
maxItems: 1000
type: array
type:
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
required:
- type
- enabled
- streams
- compiled_input
maxItems: 100
type: array
- additionalProperties:
additionalProperties: false
type: object
properties:
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
description: Enable or disable that input. Defaults to `true` (enabled).
type: boolean
streams:
additionalProperties:
additionalProperties: false
type: object
properties:
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
description: Enable or disable that stream. Defaults to `true` (enabled).
type: boolean
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
description: Input streams. Refer to the integration documentation to know which streams are available.
type: object
vars:
additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
type: object
x-oas-optional: true
description: Package policy inputs.
is_managed:
type: boolean
name:
description: Unique name for the package policy.
type: string
namespace:
description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
type: string
output_id:
nullable: true
type: string
overrides:
additionalProperties: false
description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
nullable: true
type: object
properties:
inputs:
additionalProperties:
nullable: true
type: object
package:
additionalProperties: false
type: object
properties:
experimental_data_stream_features:
items:
additionalProperties: false
type: object
properties:
data_stream:
type: string
features:
additionalProperties: false
type: object
properties:
doc_value_only_numeric:
type: boolean
doc_value_only_other:
type: boolean
synthetic_source:
type: boolean
tsdb:
type: boolean
required:
- data_stream
- features
maxItems: 100
type: array
fips_compatible:
type: boolean
name:
description: Package name
type: string
requires_root:
type: boolean
title:
type: string
version:
description: Package version
type: string
required:
- name
- version
package_agent_version_condition:
type: string
policy_id:
deprecated: true
description: ID of the agent policy which the package policy will be added to.
nullable: true
type: string
policy_ids:
items:
description: IDs of the agent policies that the package policy will be added to.
type: string
maxItems: 1000
type: array
revision:
description: Package policy revision.
type: number
secret_references:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 1000
type: array
spaceIds:
items:
type: string
maxItems: 100
type: array
supports_agentless:
default: false
description: Indicates whether the package policy belongs to an agentless agent policy.
nullable: true
type: boolean
supports_cloud_connector:
default: false
description: Indicates whether the package policy supports cloud connectors.
nullable: true
type: boolean
updated_at:
type: string
updated_by:
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
anyOf:
- additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
- additionalProperties:
anyOf:
- type: string
- type: number
- type: boolean
- items:
type: string
maxItems: 100
type: array
- items:
type: number
maxItems: 100
type: array
- additionalProperties: false
type: object
properties:
id:
type: string
isSecretRef:
type: boolean
required:
- id
- isSecretRef
nullable: true
description: Input/stream level variable. Refer to the integration documentation for more information.
type: object
x-oas-optional: true
description: Package level variable.
version:
description: Package policy ES version.
type: string
required:
- name
- enabled
- inputs
- revision
- updated_at
- updated_by
- created_at
- created_by
- additionalProperties: true
type: object
properties:
additional_datastreams_permissions:
description: Additional data stream permissions that will be added to the agent policy.
items:
type: string
maxItems: 1000
nullable: true
type: array
cloud_connector_id:
description: ID of the cloud connector associated with this package policy.
nullable: true
type: string
cloud_connector_name:
description: Transient field for cloud connector name during creation.
maxLength: 255
minLength: 1
nullable: true
type: string
created_at:
type: string
created_by:
type: string
description:
description: Package policy description
type: string
elasticsearch:
additionalProperties: true
type: object
properties:
privileges:
additionalProperties: true
type: object
properties:
cluster:
items:
type: string
maxItems: 100
type: array
enabled:
type: boolean
errors:
items:
additionalProperties: false
type: object
properties:
key:
type: string
message:
type: string
required:
- message
maxItems: 10
type: array
force:
type: boolean
global_data_tags:
items:
additionalProperties: false
type: object
properties:
name:
description: The name of the custom field. Cannot contain spaces.
type: string
value:
anyOf:
- type: string
- type: number
description: The value of the custom field.
required:
- name
- value
maxItems: 100
nullable: true
type: array
id:
type: string
inputs:
items:
additionalProperties: false
type: object
properties:
compiled_input:
nullable: true
config:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
type: boolean
id:
type: string
keep_enabled:
type: boolean
migrate_from:
type: string
name:
type: string
policy_template:
type: string
streams:
items:
additionalProperties: false
type: object
properties:
compiled_stream:
nullable: true
config:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
data_stream:
additionalProperties: false
type: object
properties:
dataset:
type: string
elasticsearch:
additionalProperties: false
type: object
properties:
dynamic_dataset:
type: boolean
dynamic_namespace:
type: boolean
privileges:
additionalProperties: false
type: object
properties:
indices:
items:
type: string
maxItems: 100
type: array
type:
type: string
required:
- dataset
deprecated:
additionalProperties: false
type: object
properties:
description:
type: string
replaced_by:
additionalProperties:
type: string
type: object
since:
type: string
required:
- description
enabled:
type: boolean
id:
type: string
keep_enabled:
type: boolean
migrate_from:
type: string
release:
enum:
- ga
- beta
- experimental
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
required:
- enabled
- data_stream
- compiled_stream
maxItems: 1000
type: array
type:
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
required:
- type
- enabled
- streams
- compiled_input
maxItems: 100
type: array
is_managed:
type: boolean
missingVars:
items:
type: string
maxItems: 100
type: array
name:
description: Unique name for the package policy.
type: string
namespace:
description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
type: string
output_id:
nullable: true
type: string
overrides:
additionalProperties: false
description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
nullable: true
type: object
properties:
inputs:
additionalProperties:
nullable: true
type: object
package:
additionalProperties: false
type: object
properties:
experimental_data_stream_features:
items:
additionalProperties: false
type: object
properties:
data_stream:
type: string
features:
additionalProperties: false
type: object
properties:
doc_value_only_numeric:
type: boolean
doc_value_only_other:
type: boolean
synthetic_source:
type: boolean
tsdb:
type: boolean
required:
- data_stream
- features
maxItems: 100
type: array
fips_compatible:
type: boolean
name:
description: Package name
type: string
requires_root:
type: boolean
title:
type: string
version:
description: Package version
type: string
required:
- name
- version
package_agent_version_condition:
type: string
policy_id:
deprecated: true
description: ID of the agent policy which the package policy will be added to.
nullable: true
type: string
policy_ids:
items:
description: IDs of the agent policies that the package policy will be added to.
type: string
maxItems: 1000
type: array
revision:
type: number
secret_references:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 1000
type: array
supports_agentless:
default: false
description: Indicates whether the package policy belongs to an agentless agent policy.
nullable: true
type: boolean
supports_cloud_connector:
default: false
description: Indicates whether the package policy supports cloud connectors.
nullable: true
type: boolean
updated_at:
type: string
updated_by:
type: string
var_group_selections:
additionalProperties:
type: string
description: Variable group selections. Maps var_group name to the selected option name within that group.
type: object
vars:
additionalProperties:
additionalProperties: false
type: object
properties:
frozen:
type: boolean
type:
type: string
value:
nullable: true
required:
- value
description: Package variable (see integration documentation for more information)
type: object
version:
description: Package policy ES version.
type: string
required:
- name
- enabled
- inputs
maxItems: 2
type: array
hasErrors:
type: boolean
name:
type: string
statusCode:
type: number
required:
- hasErrors
maxItems: 10000
type: array
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Dry run a package policy upgrade
tags:
- Fleet package policies
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/proxies:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/proxies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List all Fleet proxies.
[Required authorization] Route required privileges: fleet-settings-read.
operationId: get-fleet-proxies
parameters: []
responses:
'200':
content:
application/json:
examples:
getFleetProxiesExample:
description: List of Fleet proxies
value:
items:
- id: proxy-id-1
is_preconfigured: false
name: My proxy
url: http://proxy.example.com:3128
page: 1
perPage: 20
total: 1
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
certificate:
nullable: true
type: string
certificate_authorities:
nullable: true
type: string
certificate_key:
nullable: true
type: string
id:
type: string
is_preconfigured:
default: false
type: boolean
name:
type: string
proxy_headers:
additionalProperties:
anyOf:
- type: string
- type: boolean
- type: number
nullable: true
type: object
url:
type: string
required:
- id
- url
- name
maxItems: 10000
type: array
page:
type: number
perPage:
type: number
total:
type: number
required:
- items
- total
- page
- perPage
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get proxies
tags:
- Fleet proxies
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/fleet/proxies
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new Fleet proxy.
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the synchronization status of remote integrations for a specific output by its ID.
[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.
operationId: get-fleet-remote-synced-integrations-outputid-remote-status
parameters:
- description: The ID of the output
in: path
name: outputId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getRemoteSyncedIntegrationsInfoExample:
description: Synchronization status of remote integrations for a specific output
value:
integrations:
- id: nginx-remote
install_status:
main: installed
remote: installed
package_name: nginx
package_version: 1.20.0
sync_status: COMPLETED
updated_at: '2024-01-01T00:00:00.000Z'
schema:
additionalProperties: false
type: object
properties:
custom_assets:
additionalProperties:
additionalProperties: false
type: object
properties:
error:
type: string
is_deleted:
type: boolean
name:
type: string
package_name:
type: string
package_version:
type: string
sync_status:
enum:
- completed
- synchronizing
- failed
- warning
type: string
type:
type: string
warning:
additionalProperties: false
type: object
properties:
message:
type: string
title:
type: string
required:
- title
required:
- type
- name
- package_name
- package_version
- sync_status
type: object
error:
type: string
integrations:
items:
additionalProperties: false
type: object
properties:
error:
type: string
id:
type: string
install_status:
additionalProperties: false
type: object
properties:
main:
type: string
remote:
type: string
required:
- main
package_name:
type: string
package_version:
type: string
sync_status:
enum:
- completed
- synchronizing
- failed
- warning
type: string
updated_at:
type: string
warning:
additionalProperties: false
type: object
properties:
message:
type: string
title:
type: string
required:
- title
required:
- sync_status
- install_status
maxItems: 10000
type: array
warning:
additionalProperties: false
type: object
properties:
message:
type: string
title:
type: string
required:
- title
required:
- integrations
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get remote synced integrations status by outputId
tags:
- Fleet remote synced integrations
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/remote_synced_integrations/status:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the synchronization status of all remote integrations across connected remote clusters.
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a Fleet Server service token. The token is used to enroll Fleet Server instances with Kibana.
[Required authorization] Route required privileges: fleet-agents-all.
operationId: post-fleet-service-tokens
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
postGenerateServiceTokenRequestExample:
description: Generate a service token for a remote Fleet Server
value:
remote: true
schema:
additionalProperties: false
nullable: true
type: object
properties:
remote:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
postGenerateServiceTokenExample:
description: The generated Fleet Server service token
value:
name: elastic/fleet-server/token-1234567890
value: AAEAAWVsYXN0aWMvZmxlZXQtc2VydmVyL3Rva2VuLTEyMzQ1Njc4OTA6QUJDREVGR0hJSktMTU5P
schema:
additionalProperties: false
type: object
properties:
name:
type: string
value:
type: string
required:
- name
- value
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Create a service token
tags:
- Fleet service tokens
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/settings:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the global Fleet settings.
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Initialize Fleet and create the necessary Elasticsearch resources for Fleet to operate. Safe to call multiple times (idempotent). Returns the initialization status and any non-fatal errors encountered during setup.
[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
operationId: post-fleet-setup
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
responses:
'200':
content:
application/json:
examples:
fleetSetupSuccessExample:
description: Fleet initialized successfully with no non-fatal errors
value:
isInitialized: true
nonFatalErrors: []
fleetSetupWithNonFatalErrorsExample:
description: Fleet initialized but encountered non-fatal errors during setup
value:
isInitialized: true
nonFatalErrors:
- message: Package fleet_server not found in registry
name: PackageNotFoundError
schema:
additionalProperties: false
description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.
type: object
properties:
isInitialized:
type: boolean
nonFatalErrors:
items:
additionalProperties: false
type: object
properties:
message:
type: string
name:
type: string
required:
- name
- message
maxItems: 10000
type: array
required:
- isInitialized
- nonFatalErrors
description: Fleet setup completed
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'500':
content:
application/json:
examples:
internalErrorResponseExample:
description: Example of an internal server error response
value:
error: Internal Server Error
message: An error message describing what went wrong
statusCode: 500
schema:
additionalProperties: false
description: Internal Server Error
type: object
properties:
message:
type: string
required:
- message
description: Internal Server Error
summary: Initiate Fleet setup
tags:
- Fleet internals
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/space_settings:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/space_settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the Fleet settings for the current Kibana space.
operationId: get-fleet-space-settings
parameters: []
responses:
'200':
content:
application/json:
examples:
getSpaceSettingsExample:
description: The Fleet settings for the current Kibana space
value:
item:
allowed_namespace_prefixes:
- team-a
- team-b
schema:
additionalProperties: false
type: object
properties:
item:
additionalProperties: false
type: object
properties:
allowed_namespace_prefixes:
items:
type: string
maxItems: 100
type: array
managed_by:
type: string
required:
- allowed_namespace_prefixes
required:
- item
description: Successful response
summary: Get space settings
tags: []
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/fleet/space_settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create or update Fleet settings for the current Kibana space.
[Required authorization] Route required privileges: fleet-settings-all.
operationId: put-fleet-space-settings
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
putSpaceSettingsRequestExample:
description: Update allowed namespace prefixes for the current Kibana space
value:
allowed_namespace_prefixes:
- team-a
- team-b
schema:
additionalProperties: false
type: object
properties:
allowed_namespace_prefixes:
items:
type: string
maxItems: 10
type: array
responses:
'200':
content:
application/json:
examples:
putSpaceSettingsExample:
description: The updated Fleet settings for the current Kibana space
value:
item:
allowed_namespace_prefixes:
- team-a
- team-b
schema:
additionalProperties: false
type: object
properties:
item:
additionalProperties: false
type: object
properties:
allowed_namespace_prefixes:
items:
type: string
maxItems: 100
type: array
managed_by:
type: string
required:
- allowed_namespace_prefixes
required:
- item
description: Successful response
summary: Create space settings
tags: []
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/uninstall_tokens:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/fleet/uninstall_tokens
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List the metadata for the latest uninstall tokens per agent policy.
[Required authorization] Route required privileges: fleet-agents-all.
operationId: get-fleet-uninstall-tokens
parameters:
- description: Partial match filtering for policy IDs
in: query
name: policyId
required: false
schema:
maxLength: 50
type: string
- description: Partial match filtering for uninstall token values
in: query
name: search
required: false
schema:
maxLength: 50
type: string
- description: The number of items to return
in: query
name: perPage
required: false
schema:
minimum: 5
type: number
- description: Page number
in: query
name: page
required: false
schema:
minimum: 1
type: number
responses:
'200':
content:
application/json:
examples:
getUninstallTokensExample:
description: List of uninstall token metadata for agent policies
value:
items:
- created_at: '2024-01-01T00:00:00.000Z'
id: token-id-1
namespaces:
- default
policy_id: policy-id-1
policy_name: Default policy
- created_at: '2024-01-02T00:00:00.000Z'
id: token-id-2
namespaces:
- production
policy_id: policy-id-2
policy_name: Production policy
page: 1
perPage: 20
total: 2
schema:
additionalProperties: false
type: object
properties:
items:
items:
additionalProperties: false
type: object
properties:
created_at:
type: string
id:
type: string
namespaces:
items:
type: string
maxItems: 100
type: array
policy_id:
type: string
policy_name:
nullable: true
type: string
required:
- id
- policy_id
- created_at
maxItems: 10000
type: array
page:
type: number
perPage:
type: number
total:
type: number
required:
- items
- total
- page
- perPage
description: Successful response
'400':
content:
application/json:
examples:
conflictingQueryParamsExample:
description: Both policyId and search query parameters were provided
value:
error: Bad Request
message: Query parameters `policyId` and `search` cannot be used at the same time.
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
summary: Get metadata for latest uninstall tokens
tags:
- Fleet uninstall tokens
x-metaTags:
- content: Kibana
name: product_name
/api/fleet/uninstall_tokens/{uninstallTokenId}:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get one decrypted uninstall token by its ID.
[Required authorization] Route required privileges: fleet-agents-all.
operationId: get-fleet-uninstall-tokens-uninstalltokenid
parameters:
- description: The ID of the uninstall token
in: path
name: uninstallTokenId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getUninstallTokenExample:
description: Decrypted uninstall token for an agent policy
value:
item:
created_at: '2024-01-01T00:00:00.000Z'
id: token-id-1
namespaces:
- default
policy_id: policy-id-1
policy_name: Default policy
token: CKHJsJcBqNwIRcRBNDaE
schema:
additionalProperties: false
type: object
properties:
item:
additionalProperties: false
type: object
properties:
created_at:
type: string
id:
type: string
namespaces:
items:
type: string
maxItems: 100
type: array
policy_id:
type: string
policy_name:
nullable: true
type: string
token:
type: string
required:
- id
- policy_id
- created_at
- token
required:
- item
description: Successful response
'400':
content:
application/json:
examples:
genericErrorResponseExample:
description: Example of a generic error response
value:
error: Bad Request
message: An error message describing what went wrong
statusCode: 400
schema:
additionalProperties: false
description: Generic Error
type: object
properties:
attributes:
nullable: true
error:
type: string
errorType:
type: string
message:
type: string
statusCode:
type: number
required:
- message
- attributes
description: Bad Request
'404':
content:
application/json:
examples:
notFoundExample:
description: No uninstall token was found with the given ID
value:
error: Not Found
message: Uninstall Token not found with ID token-id-1
statusCode: 404
description: Not Found
summary: Get a decrypted uninstall token
tags:
- Fleet uninstall tokens
x-metaTags:
- content: Kibana
name: product_name
/api/lists:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a value list using the list ID.
> info
> When you delete a list, all of its list items are also deleted.
operationId: DeleteList
parameters:
- description: Value list identifier to delete, including all of its list items.
in: query
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
- description: Determines whether exception items referencing this value list should be deleted.
in: query
name: deleteReferences
required: false
schema:
default: false
example: false
type: boolean
- description: Determines whether to delete value list without performing any additional checks of where this list may be utilized.
in: query
name: ignoreReferences
required: false
schema:
default: false
example: false
type: boolean
responses:
'200':
content:
application/json:
examples:
ipList:
value:
_version: WzIsMV0=
'@timestamp': '2025-01-08T04:47:34.273Z'
created_at: '2025-01-08T04:47:34.273Z'
created_by: elastic
description: List of bad internet ips.
id: 21b01cfb-058d-44b9-838c-282be16c91cd
immutable: false
name: Bad ips
tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
type: ip
updated_at: '2025-01-08T05:39:39.292Z'
updated_by: elastic
version: 3
schema:
$ref: '#/components/schemas/Security_Lists_API_List'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: id: Required'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list id: \"ip_list\" was not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Delete a value list
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of a value list using the list ID.
operationId: ReadList
parameters:
- description: Value list identifier (`id`) returned when the list was created.
in: query
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzEsMV0=
'@timestamp': '2025-01-08T04:47:34.273Z'
created_at: '2025-01-08T04:47:34.273Z'
created_by: elastic
description: This list describes bad internet ip
id: ip_list
immutable: false
name: My bad ips
tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
type: ip
updated_at: '2025-01-08T05:21:53.843Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Lists_API_List'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: id: Required'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]"
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list id: \"foo\" not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Get value list details
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |-
**Spaces method and path for this operation:**
patch/s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update specific fields of an existing list using the list `id`.
operationId: PatchList
requestBody:
content:
application/json:
examples:
patchName:
value:
id: ip_list
name: Bad ips list - UPDATED
schema:
example:
id: ip_list
name: Bad ips list - UPDATED
type: object
properties:
_version:
$ref: '#/components/schemas/Security_Lists_API_ListVersionId'
description:
$ref: '#/components/schemas/Security_Lists_API_ListDescription'
id:
$ref: '#/components/schemas/Security_Lists_API_ListId'
meta:
$ref: '#/components/schemas/Security_Lists_API_ListMetadata'
name:
$ref: '#/components/schemas/Security_Lists_API_ListName'
version:
$ref: '#/components/schemas/Security_Lists_API_ListVersion'
required:
- id
description: Value list's properties
required: true
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzEsMV0=
'@timestamp': '2025-01-08T04:47:34.273Z'
created_at: '2025-01-08T04:47:34.273Z'
created_by: elastic
description: This list describes bad internet ips
id: ip_list
immutable: false
name: Bad ips list - UPDATED
tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
type: ip
updated_at: '2025-01-08T05:21:53.843Z'
updated_by: elastic
version: 2
schema:
$ref: '#/components/schemas/Security_Lists_API_List'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body]: name: Expected string, received number'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list id: \"foo\" not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Patch a value list
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new value list.
operationId: CreateList
requestBody:
content:
application/json:
examples:
ip:
value:
description: This list describes bad internet ips
id: ip_list
name: Simple list with ips
type: ip
ip_range:
value:
description: This list has ip ranges
id: ip_range_list
name: Simple list with ip ranges
type: ip_range
keyword:
value:
description: This list describes bad host names
id: keyword_list
name: Simple list with a keyword
type: keyword
keyword_custom_format:
value:
description: This parses the first found ipv4 only
id: keyword_custom_format_list
name: Simple list with a keyword using a custom format
type: keyword
schema:
type: object
properties:
description:
$ref: '#/components/schemas/Security_Lists_API_ListDescription'
id:
$ref: '#/components/schemas/Security_Lists_API_ListId'
meta:
$ref: '#/components/schemas/Security_Lists_API_ListMetadata'
name:
$ref: '#/components/schemas/Security_Lists_API_ListName'
type:
$ref: '#/components/schemas/Security_Lists_API_ListType'
version:
default: 1
minimum: 1
type: integer
required:
- name
- description
- type
description: Value list's properties
required: true
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzAsMV0=
'@timestamp': '2025-01-08T04:47:34.273Z'
created_at: '2025-01-08T04:47:34.273Z'
created_by: elastic
description: This list describes bad internet ips
id: ip_list
immutable: false
name: Simple list with ips
tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
type: ip
updated_at: '2025-01-08T04:47:34.273Z'
updated_by: elastic
version: 1
ip_range:
value:
_version: WzAsMV0=
'@timestamp': '2025-01-09T18:23:52.241Z'
created_at: '2025-01-09T18:23:52.241Z'
created_by: elastic
description: This list has ip ranges
id: ip_range_list
immutable: false
name: Simple list with ip ranges
tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003
type: ip_range
updated_at: '2025-01-09T18:23:52.241Z'
updated_by: elastic
version: 1
keyword:
value:
_version: WzEsMV0=
'@timestamp': '2025-01-09T18:24:55.786Z'
created_at: '2025-01-09T18:24:55.786Z'
created_by: elastic
description: This list describes bad host names
id: keyword_list
immutable: false
name: Simple list with a keyword
tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68
type: keyword
updated_at: '2025-01-09T18:24:55.786Z'
updated_by: elastic
version: 1
keyword_custom_format:
value:
_version: WzIsMV0=
'@timestamp': '2025-01-09T18:25:39.604Z'
created_at: '2025-01-09T18:25:39.604Z'
created_by: elastic
description: This parses the first found ipv4 only
id: keyword_custom_format_list
immutable: false
name: Simple list with a keyword using a custom format
tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2
type: keyword
updated_at: '2025-01-09T18:25:39.604Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Lists_API_List'
description: Successful response
'400':
content:
application/json:
examples:
notFound:
value:
message: To create a list, the data stream must exist first. Data stream \".lists-default\" does not exist
status_code: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'409':
content:
application/json:
examples:
alreadyExists:
value:
message: 'list id: "keyword_custom_format_list" already exists'
status_code: 409
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List already exists response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Create a value list
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/lists
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted.
> info
> You cannot modify the `id` value.
operationId: UpdateList
requestBody:
content:
application/json:
examples:
replaceList:
value:
description: Latest list of bad ips
id: ip_list
name: Bad ips - updated
schema:
example:
description: Latest list of bad ips
id: ip_list
name: Bad ips - updated
type: object
properties:
_version:
$ref: '#/components/schemas/Security_Lists_API_ListVersionId'
description:
$ref: '#/components/schemas/Security_Lists_API_ListDescription'
id:
$ref: '#/components/schemas/Security_Lists_API_ListId'
meta:
$ref: '#/components/schemas/Security_Lists_API_ListMetadata'
name:
$ref: '#/components/schemas/Security_Lists_API_ListName'
version:
$ref: '#/components/schemas/Security_Lists_API_ListVersion'
required:
- id
- name
- description
description: Value list's properties
required: true
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzIsMV0=
'@timestamp': '2025-01-08T04:47:34.273Z'
created_at: '2025-01-08T04:47:34.273Z'
created_by: elastic
description: Latest list of bad ips
id: ip_list
immutable: false
name: Bad ips - updated
tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
type: ip
updated_at: '2025-01-08T05:39:39.292Z'
updated_by: elastic
version: 3
schema:
$ref: '#/components/schemas/Security_Lists_API_List'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body]: id: Expected string, received number'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list id: \"foo\" not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Update a value list
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
/api/lists/_find:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/lists/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page.
operationId: FindLists
parameters:
- description: The page number to return.
in: query
name: page
required: false
schema:
example: 1
type: integer
- description: The number of value lists to return per page.
in: query
name: per_page
required: false
schema:
example: 20
type: integer
- description: Determines which field is used to sort the results.
in: query
name: sort_field
required: false
schema:
example: name
format: nonempty
minLength: 1
type: string
- description: Determines the sort order, which can be `desc` or `asc`.
in: query
name: sort_order
required: false
schema:
enum:
- desc
- asc
example: asc
type: string
- description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.
in: query
name: cursor
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
- description: |
Filters the returned results according to the value of the specified field,
using the `field:value` syntax.
in: query
name: filter
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_FindListsFilter'
responses:
'200':
content:
application/json:
examples:
ipList:
value:
cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d
data:
- _version: WzAsMV0=
'@timestamp': |
2025-01-08T04:47:34.273Z
created_at: |
2025-01-08T04:47:34.273Z
created_by: elastic
description: This list describes bad internet ip
id: ip_list
immutable: false
name: Simple list with an ip
tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
type: ip
updated_at: |
2025-01-08T04:47:34.273Z
updated_by: elastic
version: 1
page: 1
per_page: 20
total: 1
schema:
type: object
properties:
cursor:
$ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
data:
items:
$ref: '#/components/schemas/Security_Lists_API_List'
type: array
page:
minimum: 0
type: integer
per_page:
minimum: 0
type: integer
total:
minimum: 0
type: integer
required:
- data
- page
- per_page
- total
- cursor
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: page: Expected number, received nan'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Get value lists
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
/api/lists/index:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/lists/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete the `.lists` and `.items` data streams.
operationId: DeleteListIndex
responses:
'200':
content:
application/json:
examples:
acknowledged:
value:
acknowledged: true
schema:
type: object
properties:
acknowledged:
type: boolean
required:
- acknowledged
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
message: 'Unable to delete value list data streams: invalid or missing index metadata'
status_code: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [DELETE /api/lists/index] is not authorized; lists-all (or equivalent) is required to delete data streams
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: The value list data stream was not found in this space
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List data stream not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Delete value list data streams
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/lists/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Verify that `.lists` and `.items` data streams exist.
operationId: ReadListIndex
responses:
'200':
content:
application/json:
examples:
bothExist:
value:
list_index: true
list_item_index: true
schema:
type: object
properties:
list_index:
type: boolean
list_item_index:
type: boolean
required:
- list_index
- list_item_index
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
message: Unable to read value list data stream status for this space
status_code: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/lists/index] is not authorized; list read permissions are required
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: Value list backing indices were not found for this space
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List data stream(s) not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Get status of value list data streams
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
post:
deprecated: true
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/lists/index
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
**DEPRECATED.** This operation is marked `deprecated: true`. The value list backing data streams for the space
are now created as part of supported workflows, so calling this endpoint explicitly is rarely required.
**WARNING:** Do not use this endpoint in new integrations. Prefer the UI or the list and list-item APIs after confirming
that the indices exist with `GET /api/lists/index`.
Creates the `.lists` and `.items` data streams in the current Kibana space.
operationId: CreateListIndex
responses:
'200':
content:
application/json:
examples:
acknowledged:
value:
acknowledged: true
schema:
type: object
properties:
acknowledged:
type: boolean
required:
- acknowledged
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
message: Indices exist but the request could not be completed for the current space. Check that Elasticsearch and Kibana privileges allow index creation for lists.
status_code: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: |
[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/lists/index] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'409':
content:
application/json:
examples:
alreadyExists:
value:
message: 'data stream: \".lists-default\" and \".items-default\" already exists'
status_code: 409
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List data stream exists response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Create list data streams
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
/api/lists/items:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a value list item using its `id`, or its `list_id` and `value` fields.
operationId: DeleteListItem
parameters:
- description: Value list item's identifier. Required if `list_id` and `value` are not specified.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_ListItemId'
- description: Value list's identifier. Required if `id` is not specified.
in: query
name: list_id
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
- description: The value used to evaluate exceptions. Required if `id` is not specified.
in: query
name: value
required: false
schema:
example: 255.255.255.255
type: string
- description: Determines when changes made by the request are made visible to search.
in: query
name: refresh
required: false
schema:
default: 'false'
enum:
- 'true'
- 'false'
- wait_for
example: false
type: string
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzIwLDFd
'@timestamp': '2025-01-08T05:15:05.159Z'
created_at: '2025-01-08T05:15:05.159Z'
created_by: elastic
id: pd1WRJQBs4HAK3VQeHFI
list_id: ip_list
tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3
type: ip
updated_at: '2025-01-08T05:44:14.009Z'
updated_by: elastic
value: 255.255.255.255
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_ListItem'
- items:
$ref: '#/components/schemas/Security_Lists_API_ListItem'
type: array
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
message: Either \"list_id\" or \"id\" needs to be defined in the request
status_code: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List item not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Delete a value list item
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of a value list item.
operationId: ReadListItem
parameters:
- description: Value list item identifier. Required if `list_id` and `value` are not specified.
in: query
name: id
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
- description: Identifier (`id`) of the value list that contains the item. Required if `id` is not specified.
in: query
name: list_id
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
- description: The value used to evaluate exceptions. Required if `id` is not specified.
in: query
name: value
required: false
schema:
example: 127.0.0.2
type: string
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzExLDFd
'@timestamp': '2025-01-08T05:16:25.882Z'
created_at: '2025-01-08T05:16:25.882Z'
created_by: elastic
id: qN1XRJQBs4HAK3VQs3Gc
list_id: ip_list
tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537
type: ip
updated_at: '2025-01-08T05:16:25.882Z'
updated_by: elastic
value: 127.0.0.2
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_ListItem'
- items:
$ref: '#/components/schemas/Security_Lists_API_ListItem'
type: array
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
message: Either \"list_id\" or \"id\" needs to be defined in the request
status_code: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list item id: \"foo\" not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List item not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Get a value list item
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |-
**Spaces method and path for this operation:**
patch/s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update specific fields of an existing value list item using the item `id`.
operationId: PatchListItem
requestBody:
content:
application/json:
examples:
changeValue:
value:
id: pd1WRJQBs4HAK3VQeHFI
value: 255.255.255.255
schema:
type: object
properties:
_version:
$ref: '#/components/schemas/Security_Lists_API_ListVersionId'
id:
$ref: '#/components/schemas/Security_Lists_API_ListItemId'
meta:
$ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
refresh:
description: Determines when changes made by the request are made visible to search.
enum:
- 'true'
- 'false'
- wait_for
type: string
value:
$ref: '#/components/schemas/Security_Lists_API_ListItemValue'
required:
- id
description: Value list item's properties
required: true
responses:
'200':
content:
application/json:
examples:
ipItem:
value:
_version: WzE5LDFd
'@timestamp': '2025-01-08T05:15:05.159Z'
created_at: '2025-01-08T05:15:05.159Z'
created_by: elastic
id: pd1WRJQBs4HAK3VQeHFI
list_id: ip_list
tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3
type: ip
updated_at: '2025-01-08T05:23:37.602Z'
updated_by: elastic
value: 255.255.255.255
schema:
$ref: '#/components/schemas/Security_Lists_API_ListItem'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}'
status_code: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list item id: "foo" not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List item not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Patch a value list item
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a value list item and associate it with the specified value list.
All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address.
> info
> Before creating a list item, you must create a list.
operationId: CreateListItem
requestBody:
content:
application/json:
examples:
ip:
value:
list_id: ip_list
value: 127.0.0.1
ip_range:
value:
list_id: ip_range_list
value: 192.168.0.0/16
keyword:
value:
list_id: keyword_list
value: zeek
schema:
type: object
properties:
id:
$ref: '#/components/schemas/Security_Lists_API_ListItemId'
list_id:
$ref: '#/components/schemas/Security_Lists_API_ListId'
meta:
$ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
refresh:
description: Determines when changes made by the request are made visible to search.
enum:
- 'true'
- 'false'
- wait_for
example: wait_for
type: string
value:
$ref: '#/components/schemas/Security_Lists_API_ListItemValue'
required:
- list_id
- value
description: Value list item's properties
required: true
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzAsMV0=
'@timestamp': '2025-01-08T04:59:06.154Z'
created_at: '2025-01-08T04:59:06.154Z'
created_by: elastic
id: 21b01cfb-058d-44b9-838c-282be16c91cc
list_id: ip_list
tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a
type: ip
updated_at: '2025-01-08T04:59:06.154Z'
updated_by: elastic
value: 127.0.0.1
ip_range:
value:
_version: WzEsMV0=
'@timestamp': '2025-01-09T18:33:08.202Z'
created_at: '2025-01-09T18:33:08.202Z'
created_by: elastic
id: ip_range_item
list_id: ip_range_list
tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61
type: ip_range
updated_at: '2025-01-09T18:33:08.202Z'
updated_by: elastic
value: 192.168.0.0/16
keyword:
value:
_version: WzIsMV0=
'@timestamp': '2025-01-09T18:34:29.422Z'
created_at: '2025-01-09T18:34:29.422Z'
created_by: elastic
id: 7f24737d-1da8-4626-a568-33070591bb4e
list_id: keyword_list
tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27
type: keyword
updated_at: '2025-01-09T18:34:29.422Z'
updated_by: elastic
value: zeek
schema:
$ref: '#/components/schemas/Security_Lists_API_ListItem'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
listNotFound:
value:
message: 'list id: "ip_list" does not exist'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List not found response
'409':
content:
application/json:
examples:
alreadyExists:
value:
message: 'list item id: "ip_item" already exists'
status_code: 409
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List item already exists response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Create a value list item
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/lists/items
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted.
> info
> You cannot modify the `id` value.
operationId: UpdateListItem
requestBody:
content:
application/json:
examples:
fullReplace:
value:
id: ip_item
value: 255.255.255.255
schema:
example:
id: ip_item
value: 255.255.255.255
type: object
properties:
_version:
$ref: '#/components/schemas/Security_Lists_API_ListVersionId'
id:
$ref: '#/components/schemas/Security_Lists_API_ListItemId'
meta:
$ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
value:
$ref: '#/components/schemas/Security_Lists_API_ListItemValue'
required:
- id
- value
description: Value list item's properties
required: true
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzIwLDFd
'@timestamp': '2025-01-08T05:15:05.159Z'
created_at: '2025-01-08T05:15:05.159Z'
created_by: elastic
id: pd1WRJQBs4HAK3VQeHFI
list_id: ip_list
tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3
type: ip
updated_at: '2025-01-08T05:44:14.009Z'
updated_by: elastic
value: 255.255.255.255
schema:
$ref: '#/components/schemas/Security_Lists_API_ListItem'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request body]: id: Expected string, received number'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [PUT /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list item id: "foo" not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List item not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Update a value list item
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
/api/lists/items/_export:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/lists/items/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Export list item values from the specified value list.
operationId: ExportListItems
parameters:
- description: Value list's `id` to export.
in: query
name: list_id
required: true
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
responses:
'200':
content:
application/ndjson:
examples:
ipLines:
value: |
127.0.0.1
127.0.0.2
127.0.0.3
schema:
description: A `.txt` file containing list items from the specified list
example: |
127.0.0.1
127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
127.0.0.7
127.0.0.8
127.0.0.9
format: binary
type: string
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: 'Bad Request","message":"[request query]: list_id: Required'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'404':
content:
application/json:
examples:
notFound:
value:
message: 'list id: "unknown_list" not found'
status_code: 404
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List not found response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Export value list items
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
/api/lists/items/_find:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/lists/items/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get all value list items in the specified list.
operationId: FindListItems
parameters:
- description: Parent value list's `id` to page through items for.
in: query
name: list_id
required: true
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
- description: The page number to return.
in: query
name: page
required: false
schema:
example: 1
type: integer
- description: The number of list items to return per page.
in: query
name: per_page
required: false
schema:
example: 20
type: integer
- description: Determines which field is used to sort the results.
in: query
name: sort_field
required: false
schema:
example: value
format: nonempty
minLength: 1
type: string
- description: Determines the sort order, which can be `desc` or `asc`
in: query
name: sort_order
required: false
schema:
enum:
- desc
- asc
example: asc
type: string
- description: |
Opaque cursor returned in a previous response; pass it to continue listing from the next page. Omit on the first request.
in: query
name: cursor
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
- description: |
Filters the returned results according to the value of the specified field,
using the `<field name>:<field value>` syntax.
in: query
name: filter
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter'
responses:
'200':
content:
application/json:
examples:
ip:
value:
cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d
data:
- _version: WzAsMV0=
'@timestamp': '2025-01-08T04:59:06.154Z'
created_at: '2025-01-08T04:59:06.154Z'
created_by: elastic
id: 21b01cfb-058d-44b9-838c-282be16c91cc
list_id: ip_list
tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a
type: ip
updated_at: '2025-01-08T04:59:06.154Z'
updated_by: elastic
value: 127.0.0.1
page: 1
per_page: 20
total: 1
schema:
type: object
properties:
cursor:
$ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
data:
items:
$ref: '#/components/schemas/Security_Lists_API_ListItem'
type: array
page:
minimum: 0
type: integer
per_page:
minimum: 0
type: integer
total:
minimum: 0
type: integer
required:
- data
- page
- per_page
- total
- cursor
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: '[request query]: list_id: Required'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Get value list items
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
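Paging with `cursor` is easy to get wrong (dropped pages, or a loop that never ends when a server keeps handing back the same cursor). The following is an added example, not Kibana's code, of a client loop for `FindListItems`. It assumes `cursor` and `page` are sent together on follow-up calls, that the API key goes in an `Authorization: ApiKey ...` header, and it injects the transport so the paging logic runs offline against a constructed fake.

```python
"""Page through every item of a value list with GET /api/lists/items/_find.

Added example, not Kibana code. The spec says each page carries a `cursor`
to pass on the next call; this loop does that and also passes `page`, which
is an assumption about how the two combine. It stops when the items seen
reach `total`, and refuses to loop forever if a server keeps returning the
same cursor. `send(path, params) -> dict` is injected so the logic runs
offline against the constructed fake below; `urllib_sender` is the real one.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional

Sender = Callable[[str, Dict[str, str]], Dict]


def urllib_sender(kibana_url: str, api_key: str) -> Sender:
    """Real transport: GET with the API-key scheme named in the spec's security section (assumed header form)."""
    def send(path: str, params: Dict[str, str]) -> Dict:
        req = urllib.request.Request(
            f"{kibana_url}{path}?{urllib.parse.urlencode(params)}",
            headers={"Authorization": f"ApiKey {api_key}"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def find_all_items(send: Sender, list_id: str, per_page: int = 20,
                   space_id: Optional[str] = None, filter_: Optional[str] = None) -> Iterator[Dict]:
    """Yield every item of `list_id`, following the server's cursor page by page."""
    path = f"/s/{space_id}/api/lists/items/_find" if space_id else "/api/lists/items/_find"
    page, cursor, seen = 1, None, 0
    while True:
        params = {"list_id": list_id, "page": str(page), "per_page": str(per_page)}
        if cursor:
            params["cursor"] = cursor
        if filter_:
            params["filter"] = filter_
        resp = send(path, params)
        data = resp["data"]
        for item in data:
            seen += 1
            yield item
        # Stop on an empty page, once `total` is reached, or if the cursor did not advance.
        if not data or seen >= resp["total"] or resp["cursor"] == cursor:
            return
        page, cursor = page + 1, resp["cursor"]


def fake_sender(items: List[Dict]) -> Sender:
    """Constructed stand-in for Kibana: slices a fixed item list into pages and counts calls."""
    def send(path: str, params: Dict[str, str]) -> Dict:
        send.calls += 1
        page, per_page = int(params["page"]), int(params["per_page"])
        chunk = [i for i in items if i["list_id"] == params["list_id"]][(page - 1) * per_page: page * per_page]
        last = chunk[-1]["tie_breaker_id"] if chunk else ""
        return {"cursor": f"cursor-{page}-{last}", "data": chunk, "page": page,
                "per_page": per_page, "total": len(items)}
    send.calls = 0
    return send


SAMPLE_ITEMS = [  # constructed: 45 ip items shaped like the spec's ListItem example
    {"id": f"item-{n}", "list_id": "ip_list", "type": "ip", "value": f"10.0.0.{n}",
     "tie_breaker_id": f"tb-{n}"} for n in range(1, 46)
]

if __name__ == "__main__":
    fake = fake_sender(SAMPLE_ITEMS)
    got = list(find_all_items(fake, "ip_list", per_page=20))
    print(len(got), "items in", fake.calls, "requests")
```

Against a live instance, replace `fake_sender(...)` with `urllib_sender("https://localhost:5601", api_key)`; the loop is otherwise unchanged.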
/api/lists/items/_import:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/lists/items/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes.
You can import items to a new or existing list.
operationId: ImportListItems
parameters:
- description: |
List's id.
Required when importing to an existing list.
in: query
name: list_id
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_ListId'
- description: |
Type of the importing list.
Required when importing a new list whose list `id` is not specified.
examples:
ip:
value: ip
in: query
name: type
required: false
schema:
$ref: '#/components/schemas/Security_Lists_API_ListType'
- description: Determines when changes made by the request are made visible to search.
in: query
name: refresh
required: false
schema:
enum:
- 'true'
- 'false'
- wait_for
example: 'true'
type: string
requestBody:
content:
multipart/form-data:
examples:
ipLinesFile:
value:
file: list_values.txt
schema:
type: object
properties:
file:
description: A `.txt` or `.csv` file containing newline separated list items.
example: |
127.0.0.1
127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
127.0.0.7
127.0.0.8
127.0.0.9
format: binary
type: string
required: true
responses:
'200':
content:
application/json:
examples:
ip:
value:
_version: WzAsMV0=
'@timestamp': '2025-01-08T04:47:34.273Z'
created_at: '2025-01-08T04:47:34.273Z'
created_by: elastic
description: This list describes bad internet ip
id: ip_list
immutable: false
name: Simple list with an ip
tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899
type: ip
updated_at: '2025-01-08T04:47:34.273Z'
updated_by: elastic
version: 1
schema:
$ref: '#/components/schemas/Security_Lists_API_List'
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
message: Either type or list_id need to be defined in the query
status_code: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'409':
content:
application/json:
examples:
conflict:
value:
message: List with the specified list_id does not exist, create the list or fix list_id to import to an existing one
status_code: 409
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: List with specified list_id does not exist response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Import value list items
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
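Because every item in a list must match the list type and a single bad line fails the whole import with a 400 (see the `document_parsing_exception` example under `PatchListItem`), it pays to check the file locally first. The following is an added example, not Kibana's code: a pre-flight validator for the `.txt` upload plus a builder for the multipart `ImportListItems` request. It assumes `ip_range` accepts a CIDR block or a single address, that the API key is sent as `Authorization: ApiKey ...`, and that a `kbn-xsrf` header is needed on writes; nothing in it contacts a server.

```python
"""Pre-flight a value-list file before POST /api/lists/items/_import.

Added example, not Kibana code. It mirrors rules this spec states: one value
per line in a `.txt`/`.csv` file, a 9,000,000-byte maximum, every item in a
list sharing the list's type (an `ip` list rejects "2" with a 400
document_parsing_exception), and `list_id` or `type` being required in the
query. Assumptions: `ip_range` accepts a CIDR block or a bare address; the
API key goes in an `Authorization: ApiKey ...` header; a `kbn-xsrf` header
is sent as Kibana requires on writes. Nothing here contacts a server.
"""
import ipaddress
import urllib.parse
import urllib.request
import uuid
from typing import Callable, Dict, List, Optional, Tuple

MAX_IMPORT_BYTES = 9_000_000  # limit stated for /api/lists/items/_import


def _is_ip(v: str) -> bool:
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False


def _is_ip_range(v: str) -> bool:
    # Assumption: CIDR ("192.168.0.0/16") or a bare address; the spec only shows CIDR.
    try:
        ipaddress.ip_network(v, strict=False)
        return True
    except ValueError:
        return False


VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "ip": _is_ip,
    "ip_range": _is_ip_range,
    "keyword": lambda v: bool(v),
}


def validate_import_file(text: str, list_type: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Split the file into values the server should accept and (line, value) rejects.
    Blank lines are skipped; a wrong-typed line is what would trigger the 400."""
    if len(text.encode()) > MAX_IMPORT_BYTES:
        raise ValueError(f"file exceeds {MAX_IMPORT_BYTES} bytes")
    check = VALIDATORS[list_type]
    good: List[str] = []
    bad: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        value = raw.strip()
        if not value:
            continue
        if check(value):
            good.append(value)
        else:
            bad.append((lineno, value))
    return good, bad


def build_import_request(kibana_url: str, api_key: str, values: List[str], *,
                         list_id: Optional[str] = None, list_type: Optional[str] = None,
                         refresh: str = "wait_for", space_id: Optional[str] = None) -> urllib.request.Request:
    """Build (do not send) the multipart/form-data POST. Mirrors the spec's 400:
    either `list_id` (existing list) or `type` (new list) must be given."""
    if not (list_id or list_type):
        raise ValueError("Either type or list_id need to be defined in the query")
    params = {k: v for k, v in (("list_id", list_id), ("type", list_type), ("refresh", refresh)) if v}
    path = f"/s/{space_id}/api/lists/items/_import" if space_id else "/api/lists/items/_import"
    boundary = uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="file"; filename="list_values.txt"\r\n'
        "Content-Type: text/plain\r\n\r\n"
        + "\n".join(values) + "\n"
        + f"\r\n--{boundary}--\r\n"
    ).encode()
    return urllib.request.Request(
        f"{kibana_url}{path}?{urllib.parse.urlencode(params)}",
        data=body, method="POST",
        headers={
            "Authorization": f"ApiKey {api_key}",  # assumption: header form of the spec's apiKeyAuth scheme
            "kbn-xsrf": "true",                     # Kibana rejects writes without this header
            "Content-Type": f"multipart/form-data; boundary={boundary}",
        },
    )


# Constructed sample file: line 4 would fail the `ip` type check server-side.
SAMPLE_FILE = "127.0.0.1\n127.0.0.2\n\n2\n127.0.0.3\n"

if __name__ == "__main__":
    ok, rejects = validate_import_file(SAMPLE_FILE, "ip")
    print("would import:", ok, "rejected:", rejects)
    req = build_import_request("https://localhost:5601", "PLACEHOLDER_KEY", ok, list_id="ip_list")
    print(req.get_method(), req.full_url, len(req.data), "bytes")
```

Send the returned `Request` with `urllib.request.urlopen` once the reject list is empty; importing with rejects present would only reproduce the 400 the validator already predicted.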
/api/lists/privileges:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/lists/privileges
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns the caller's authentication state and the Elasticsearch `cluster`, `index`, and `application`
privileges for `.lists` and `.items` data streams in the current Kibana space. Use this to decide which list
APIs (`read` vs `all` operations) are available before you create or import lists.
operationId: ReadListPrivileges
responses:
'200':
content:
application/json:
examples:
privileges:
value:
is_authenticated: true
listItems:
application: {}
cluster:
all: true
manage: true
manage_api_key: true
manage_index_templates: true
manage_ml: true
manage_own_api_key: true
manage_pipeline: true
manage_security: true
manage_transform: true
monitor: true
monitor_ml: true
monitor_transform: true
has_all_requested: true
index:
.items-default:
all: true
create: true
create_doc: true
create_index: true
delete: true
delete_index: true
index: true
maintenance: true
manage: true
monitor: true
read: true
view_index_metadata: true
write: true
username: elastic
lists:
application: {}
cluster:
all: true
manage: true
manage_api_key: true
manage_index_templates: true
manage_ml: true
manage_own_api_key: true
manage_pipeline: true
manage_security: true
manage_transform: true
monitor: true
monitor_ml: true
monitor_transform: true
has_all_requested: true
index:
.lists-default:
all: true
create: true
create_doc: true
create_index: true
delete: true
delete_index: true
index: true
maintenance: true
manage: true
monitor: true
read: true
view_index_metadata: true
write: true
username: elastic
schema:
type: object
properties:
is_authenticated:
type: boolean
listItems:
$ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges'
lists:
$ref: '#/components/schemas/Security_Lists_API_ListPrivileges'
required:
- lists
- listItems
- is_authenticated
description: Successful response
'400':
content:
application/json:
examples:
badRequest:
value:
error: Bad Request
message: 'Unable to resolve list privileges: invalid or missing space context for this request'
statusCode: 400
schema:
oneOf:
- $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
- $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Invalid input data response
'401':
content:
application/json:
examples:
unauthorized:
value:
error: Unauthorized
message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]'
statusCode: 401
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Unsuccessful authentication response
'403':
content:
application/json:
examples:
forbidden:
value:
error: Forbidden
message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]
statusCode: 403
schema:
$ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
description: Not enough privileges response
'500':
content:
application/json:
examples:
serverError:
value:
message: Internal Server Error
status_code: 500
schema:
$ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
description: Internal server error response
summary: Get value list privileges
tags:
- Security Lists API
x-metaTags:
- content: Kibana
name: product_name
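The 403 examples on this page tie `GetListItem`, `FindListItems`, `ExportListItems` and `ReadListPrivileges` to the `lists-read` Kibana privilege, and `CreateListItem`, `PatchListItem`, `UpdateListItem` and `ImportListItems` to `lists-all`. The following is an added example, not Kibana's code, that turns a `ReadListPrivileges` response into that decision before any write is attempted. Its mapping from Elasticsearch index privileges on `.lists-*`/`.items-*` to the read/all levels is an assumption of the example, not something the spec states.

```python
"""Gate Security Lists API calls on GET /api/lists/privileges.

Added example, not Kibana code. The spec's 403 examples tie GET/export/find
and this endpoint to the `lists-read` Kibana privilege and POST/PATCH/PUT/
import to `lists-all`; the response itself reports Elasticsearch privileges
on the space's `.lists-*` and `.items-*` backing indices. The mapping below
(read on both indices => read level, read plus write on both => all) is an
assumption of this example, not something the spec states.
"""
from typing import Dict, Set

# Operations grouped by the Kibana privilege the spec's 403 examples name.
READ_OPS: Set[str] = {"GetListItem", "FindListItems", "ExportListItems", "ReadListPrivileges"}
ALL_OPS: Set[str] = READ_OPS | {"CreateListItem", "PatchListItem", "UpdateListItem", "ImportListItems"}


def _index_privileges(section: Dict) -> Dict[str, bool]:
    """Return the privilege map of the single backing index in a `lists` or
    `listItems` section (e.g. `.lists-default`); empty if none is reported."""
    index = section.get("index") or {}
    return next(iter(index.values()), {})


def privilege_level(resp: Dict) -> str:
    """Classify the caller as 'all', 'read' or 'none' for this space."""
    if not resp.get("is_authenticated"):
        return "none"
    lists = _index_privileges(resp.get("lists", {}))
    items = _index_privileges(resp.get("listItems", {}))
    can_read = bool(lists.get("read") and items.get("read"))
    can_write = bool(lists.get("write") and items.get("write"))
    if can_read and can_write:
        return "all"
    if can_read:
        return "read"
    return "none"


def allowed_operations(resp: Dict) -> Set[str]:
    """Operation IDs from this spec the caller can expect not to get a 403 for."""
    return {"all": ALL_OPS, "read": READ_OPS, "none": set()}[privilege_level(resp)]


def _sample(read: bool, write: bool) -> Dict:
    """Constructed response shaped like the spec's 200 example, trimmed to the fields used."""
    idx = {"read": read, "write": write, "index": write, "view_index_metadata": read}
    return {
        "is_authenticated": True,
        "lists": {"username": "elastic", "has_all_requested": read and write,
                  "cluster": {}, "index": {".lists-default": idx}, "application": {}},
        "listItems": {"username": "elastic", "has_all_requested": read and write,
                      "cluster": {}, "index": {".items-default": idx}, "application": {}},
    }


SAMPLE_FULL = _sample(read=True, write=True)        # like the `elastic` user in the spec example
SAMPLE_READ_ONLY = _sample(read=True, write=False)  # constructed read-only persona for contrast

if __name__ == "__main__":
    for name, r in (("full", SAMPLE_FULL), ("read-only", SAMPLE_READ_ONLY)):
        print(name, privilege_level(r), sorted(allowed_operations(r)))
```

Feed `privilege_level` the parsed JSON of a real `GET /api/lists/privileges` call; a result of `read` means importing or patching will return the `lists-all` 403 shown above, so the tool can stop before sending the write.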
/api/logstash/pipeline/{id}:
delete:
description: |
Delete a centrally-managed Logstash pipeline.
If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role.
externalDocs:
description: Secure your connection
url: https://www.elastic.co/docs/reference/logstash/secure-connection
operationId: delete-logstash-pipeline
parameters:
- description: An identifier for the pipeline.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call
summary: Delete a Logstash pipeline
tags:
- logstash
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
Get information for a centrally-managed Logstash pipeline.
To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role.
externalDocs:
description: Secure your connection
url: https://www.elastic.co/docs/reference/logstash/secure-connection
operationId: get-logstash-pipeline
parameters:
- description: An identifier for the pipeline.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getLogstashPipelineResponseExample1:
value: |-
{
"id": "hello-world",
"description": "Just a simple pipeline",
"username": "elastic",
"pipeline": "input { stdin {} } output { stdout {} }",
"settings": {
"queue.type": "persistent"
}
}
schema:
type: object
description: Indicates a successful call
summary: Get a Logstash pipeline
tags:
- logstash
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
Create a centrally-managed Logstash pipeline or update a pipeline.
To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role.
externalDocs:
description: Secure your connection
url: https://www.elastic.co/docs/reference/logstash/secure-connection
operationId: put-logstash-pipeline
parameters:
- description: |
An identifier for the pipeline. Pipeline ID must begin with a letter or underscore and can contain only letters, numbers, underscores, and hyphens.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
putLogstashPipelineRequestExample1:
value: |-
{
"pipeline": "input { stdin {} } output { stdout {} }",
"settings": {
"queue.type": "persisted"
}
}
schema:
type: object
properties:
description:
description: A description of the pipeline.
type: string
pipeline:
description: A definition for the pipeline.
type: string
settings:
description: |
Supported settings, represented as object keys, include the following:
- `pipeline.workers`
- `pipeline.batch.size`
- `pipeline.batch.delay`
- `pipeline.ecs_compatibility`
- `pipeline.ordered`
- `queue.type`
- `queue.max_bytes`
- `queue.checkpoint.writes`
type: object
required:
- pipeline
responses:
'204':
description: Indicates a successful call
summary: Create or update a Logstash pipeline
tags:
- logstash
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/logstash/pipelines:
get:
description: |
Get a list of all centrally-managed Logstash pipelines.
To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role.
> info
> Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana.
The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated.
externalDocs:
description: Secure your connection
url: https://www.elastic.co/docs/reference/logstash/secure-connection
operationId: get-logstash-pipelines
responses:
'200':
content:
application/json:
examples:
getLogstashPipelinesResponseExample1:
value: |-
{
"pipelines": [
{
"id": "hello-world",
"description": "Just a simple pipeline",
"last_modified": "2018-04-14T12:23:29.772Z",
"username": "elastic"
},
{
"id": "sleepy-pipeline",
"description": "",
"last_modified": "2018-03-24T03:41:30.554Z"
}
]
}
schema:
type: object
description: Indicates a successful call
summary: Get all Logstash pipelines
tags:
- logstash
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/maintenance_window:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/maintenance_window
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
[Required authorization] Route required privileges: write-maintenance-window.
operationId: post-maintenance-window
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
createMaintenanceWindowRequest:
description: |
Create a maintenance window that recurs every week on Monday and Wednesday for two hours, with a scope that filters specific alerts using a KQL query.
summary: Create a maintenance window
value:
enabled: true
schedule:
custom:
duration: 2h
recurring:
every: 1w
occurrences: 10
onWeekDay:
- MO
- WE
start: '2025-03-01T08:00:00.000Z'
timezone: Europe/Amsterdam
scope:
alerting:
query:
kql: 'kibana.alert.tags: "infra"'
title: Weekly Maintenance Window
schema:
additionalProperties: false
type: object
properties:
enabled:
description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
type: boolean
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in `<integer><unit>` format. `<unit>` is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3M`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
minimum: 1
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
maximum: 12
minimum: 1
type: number
minItems: 1
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
maximum: 31
minimum: 1
type: number
minItems: 1
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
minItems: 1
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- custom
scope:
additionalProperties: false
type: object
properties:
alerting:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
kql:
description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be suppressed by the maintenance window.
type: string
required:
- kql
required:
- query
required:
- alerting
title:
description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.
type: string
required:
- title
- schedule
responses:
'200':
content:
application/json:
examples:
createMaintenanceWindowResponse:
description: |
The response returned when a maintenance window is successfully created.
summary: Create a maintenance window response
value:
created_at: '2025-02-25T10:00:00.000Z'
created_by: elastic
enabled: true
id: f0cb1780-537a-4e34-8adf-3b4336862858
schedule:
custom:
duration: 2h
recurring:
every: 1w
occurrences: 10
onWeekDay:
- MO
- WE
start: '2025-03-01T08:00:00.000Z'
timezone: Europe/Amsterdam
scope:
alerting:
query:
kql: 'kibana.alert.tags: "infra"'
status: upcoming
title: Weekly Maintenance Window
updated_at: '2025-02-25T10:00:00.000Z'
updated_by: elastic
schema:
additionalProperties: false
type: object
properties:
created_at:
description: The date and time when the maintenance window was created.
type: string
created_by:
description: The identifier for the user that created the maintenance window.
nullable: true
type: string
enabled:
description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
type: boolean
id:
description: The identifier for the maintenance window.
type: string
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3M`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
type: number
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
type: number
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- custom
scope:
additionalProperties: false
type: object
properties:
alerting:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
required:
- query
required:
- alerting
status:
description: The current status of the maintenance window.
enum:
- running
- upcoming
- finished
- archived
- disabled
type: string
title:
description: The name of the maintenance window.
type: string
updated_at:
description: The date and time when the maintenance window was last updated.
type: string
updated_by:
description: The identifier for the user that last updated this maintenance window.
nullable: true
type: string
required:
- id
- title
- enabled
- created_by
- updated_by
- created_at
- updated_at
- status
- schedule
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
summary: Create a maintenance window.
tags:
- maintenance-window
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/maintenance_window/_find:
get:
description: |-
**Spaces method and path for this operation:**
get /s/{space_id}/api/maintenance_window/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
[Required authorization] Route required privileges: read-maintenance-window.
operationId: get-maintenance-window-find
parameters:
- description: The title of the maintenance window.
in: query
name: title
required: false
schema:
type: string
- description: The user who created the maintenance window.
in: query
name: created_by
required: false
schema:
type: string
- description: The status of the maintenance window. It can be "running", "upcoming", "finished", "archived", or "disabled".
in: query
name: status
required: false
schema:
items:
enum:
- running
- finished
- upcoming
- archived
- disabled
type: string
type: array
- description: The page number to return.
in: query
name: page
required: false
schema:
default: 1
maximum: 100
minimum: 1
type: number
- description: The number of maintenance windows to return per page.
in: query
name: per_page
required: false
schema:
default: 10
maximum: 100
minimum: 1
type: number
responses:
'200':
content:
application/json:
examples:
findMaintenanceWindowsResponse:
description: |
The response returned when maintenance windows are successfully found.
summary: Find maintenance windows response
value:
maintenanceWindows:
- created_at: '2025-02-25T10:00:00.000Z'
created_by: elastic
enabled: true
id: f0cb1780-537a-4e34-8adf-3b4336862858
schedule:
custom:
duration: 2h
recurring:
every: 1w
occurrences: 10
onWeekDay:
- MO
- WE
start: '2025-03-01T08:00:00.000Z'
timezone: Europe/Amsterdam
scope:
alerting:
query:
kql: 'kibana.alert.tags: "infra"'
status: upcoming
title: Weekly Maintenance Window
updated_at: '2025-02-25T10:00:00.000Z'
updated_by: elastic
- created_at: '2025-03-10T09:00:00.000Z'
created_by: elastic
enabled: true
id: a1c94560-6e3b-4ea1-9065-8e3f1b8c5f29
schedule:
custom:
duration: 1h
recurring:
end: '2025-12-31T00:00:00.000Z'
every: 2w
onWeekDay:
- FR
start: '2025-04-01T10:00:00.000Z'
timezone: US/Eastern
scope:
alerting:
query:
kql: 'kibana.alert.tags: "database"'
status: upcoming
title: Database Upgrade Window
updated_at: '2025-03-15T14:30:00.000Z'
updated_by: elastic
page: 1
per_page: 10
total: 2
schema:
additionalProperties: false
type: object
properties:
maintenanceWindows:
description: The list of maintenance windows.
items:
additionalProperties: false
type: object
properties:
created_at:
description: The date and time when the maintenance window was created.
type: string
created_by:
description: The identifier for the user that created the maintenance window.
nullable: true
type: string
enabled:
description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
type: boolean
id:
description: The identifier for the maintenance window.
type: string
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3M`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
type: number
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
type: number
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- custom
scope:
additionalProperties: false
type: object
properties:
alerting:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
required:
- query
required:
- alerting
status:
description: The current status of the maintenance window.
enum:
- running
- upcoming
- finished
- archived
- disabled
type: string
title:
description: The name of the maintenance window.
type: string
updated_at:
description: The date and time when the maintenance window was last updated.
type: string
updated_by:
description: The identifier for the user that last updated this maintenance window.
nullable: true
type: string
required:
- id
- title
- enabled
- created_by
- updated_by
- created_at
- updated_at
- status
- schedule
type: array
page:
description: The current page number.
type: number
per_page:
description: The number of maintenance windows returned per page.
type: number
total:
description: The total number of maintenance windows that match the query.
type: number
required:
- page
- per_page
- total
- maintenanceWindows
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
summary: Search for maintenance windows.
tags:
- maintenance-window
x-state: Generally available; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/maintenance_window/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
delete /s/{space_id}/api/maintenance_window/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
[Required authorization] Route required privileges: write-maintenance-window.
operationId: delete-maintenance-window-id
parameters:
- description: A required header to protect against CSRF attacks.
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the maintenance window to be deleted.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a maintenance window with the given ID does not exist.
summary: Delete a maintenance window.
tags:
- maintenance-window
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get /s/{space_id}/api/maintenance_window/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
[Required authorization] Route required privileges: read-maintenance-window.
operationId: get-maintenance-window-id
parameters:
- description: The identifier for the maintenance window.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getMaintenanceWindowResponse:
description: |
The response returned when a maintenance window is successfully retrieved.
summary: Get a maintenance window response
value:
created_at: '2025-02-25T10:00:00.000Z'
created_by: elastic
enabled: true
id: f0cb1780-537a-4e34-8adf-3b4336862858
schedule:
custom:
duration: 2h
recurring:
every: 1w
occurrences: 10
onWeekDay:
- MO
- WE
start: '2025-03-01T08:00:00.000Z'
timezone: Europe/Amsterdam
scope:
alerting:
query:
kql: 'kibana.alert.tags: "infra"'
status: upcoming
title: Weekly Maintenance Window
updated_at: '2025-02-25T10:00:00.000Z'
updated_by: elastic
schema:
additionalProperties: false
type: object
properties:
created_at:
description: The date and time when the maintenance window was created.
type: string
created_by:
description: The identifier for the user that created the maintenance window.
nullable: true
type: string
enabled:
description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
type: boolean
id:
description: The identifier for the maintenance window.
type: string
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3M`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
type: number
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
type: number
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- custom
scope:
additionalProperties: false
type: object
properties:
alerting:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
required:
- query
required:
- alerting
status:
description: The current status of the maintenance window.
enum:
- running
- upcoming
- finished
- archived
- disabled
type: string
title:
description: The name of the maintenance window.
type: string
updated_at:
description: The date and time when the maintenance window was last updated.
type: string
updated_by:
description: The identifier for the user that last updated this maintenance window.
nullable: true
type: string
required:
- id
- title
- enabled
- created_by
- updated_by
- created_at
- updated_at
- status
- schedule
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a maintenance window with the given ID does not exist.
summary: Get maintenance window details.
tags:
- maintenance-window
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |-
**Spaces method and path for this operation:**
patch /s/{space_id}/api/maintenance_window/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
[Required authorization] Route required privileges: write-maintenance-window.
operationId: patch-maintenance-window-id
parameters:
- description: A required header to protect against CSRF attacks.
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the maintenance window.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
updateMaintenanceWindowRequest:
description: |
Update a maintenance window to change its title, schedule, and scope.
summary: Update a maintenance window
value:
enabled: true
schedule:
custom:
duration: 1h
recurring:
end: '2025-12-31T00:00:00.000Z'
every: 2w
onWeekDay:
- FR
start: '2025-04-01T10:00:00.000Z'
timezone: US/Eastern
scope:
alerting:
query:
kql: 'kibana.alert.tags: "database"'
title: Updated maintenance window
schema:
additionalProperties: false
type: object
properties:
enabled:
description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
type: boolean
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3M`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
minimum: 1
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
maximum: 12
minimum: 1
type: number
minItems: 1
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
maximum: 31
minimum: 1
type: number
minItems: 1
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
minItems: 1
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- custom
scope:
additionalProperties: false
type: object
properties:
alerting:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
kql:
description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be suppressed by the maintenance window.
type: string
required:
- kql
required:
- query
required:
- alerting
title:
description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.
type: string
responses:
'200':
content:
application/json:
examples:
updateMaintenanceWindowResponse:
description: |
The response returned when a maintenance window is successfully updated.
summary: Update a maintenance window response
value:
created_at: '2025-02-25T10:00:00.000Z'
created_by: elastic
enabled: true
id: f0cb1780-537a-4e34-8adf-3b4336862858
schedule:
custom:
duration: 1h
recurring:
end: '2025-12-31T00:00:00.000Z'
every: 2w
onWeekDay:
- FR
start: '2025-04-01T10:00:00.000Z'
timezone: US/Eastern
scope:
alerting:
query:
kql: 'kibana.alert.tags: "database"'
status: upcoming
title: Updated maintenance window
updated_at: '2025-03-15T14:30:00.000Z'
updated_by: elastic
schema:
additionalProperties: false
type: object
properties:
created_at:
description: The date and time when the maintenance window was created.
type: string
created_by:
description: The identifier for the user that created the maintenance window.
nullable: true
type: string
enabled:
description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
type: boolean
id:
description: The identifier for the maintenance window.
type: string
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3M`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
type: number
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
type: number
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- custom
scope:
additionalProperties: false
type: object
properties:
alerting:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
required:
- query
required:
- alerting
status:
description: The current status of the maintenance window.
enum:
- running
- upcoming
- finished
- archived
- disabled
type: string
title:
description: The name of the maintenance window.
type: string
updated_at:
description: The date and time when the maintenance window was last updated.
type: string
updated_by:
description: The identifier for the user that last updated this maintenance window.
nullable: true
type: string
required:
- id
- title
- enabled
- created_by
- updated_by
- created_at
- updated_at
- status
- schedule
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a maintenance window with the given ID does not exist.
'409':
description: Indicates that the maintenance window has already been updated by another user.
summary: Update a maintenance window.
tags:
- maintenance-window
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/maintenance_window/{id}/_archive:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
[Required authorization] Route required privileges: write-maintenance-window.
operationId: post-maintenance-window-id-archive
parameters:
- description: A required header to protect against CSRF attacks.
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the maintenance window to be archived.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
archiveMaintenanceWindowResponse:
description: |
The response returned when a maintenance window is successfully archived.
summary: Archive a maintenance window response
value:
created_at: '2025-02-25T10:00:00.000Z'
created_by: elastic
enabled: true
id: f0cb1780-537a-4e34-8adf-3b4336862858
schedule:
custom:
duration: 2h
recurring:
every: 1w
occurrences: 10
onWeekDay:
- MO
- WE
start: '2025-03-01T08:00:00.000Z'
timezone: Europe/Amsterdam
scope:
alerting:
query:
kql: 'kibana.alert.tags: "infra"'
status: archived
title: Weekly Maintenance Window
updated_at: '2025-02-25T10:00:00.000Z'
updated_by: elastic
schema:
additionalProperties: false
type: object
properties:
created_at:
description: The date and time when the maintenance window was created.
type: string
created_by:
description: The identifier for the user that created the maintenance window.
nullable: true
type: string
enabled:
description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
type: boolean
id:
description: The identifier for the maintenance window.
type: string
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3M`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
type: number
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
type: number
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- custom
scope:
additionalProperties: false
type: object
properties:
alerting:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
required:
- query
required:
- alerting
status:
description: The current status of the maintenance window.
enum:
- running
- upcoming
- finished
- archived
- disabled
type: string
title:
description: The name of the maintenance window.
type: string
updated_at:
description: The date and time when the maintenance window was last updated.
type: string
updated_by:
description: The identifier for the user that last updated this maintenance window.
nullable: true
type: string
required:
- id
- title
- enabled
- created_by
- updated_by
- created_at
- updated_at
- status
- schedule
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a maintenance window with the given ID does not exist.
summary: Archive a maintenance window.
tags:
- maintenance-window
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/maintenance_window/{id}/_unarchive:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
[Required authorization] Route required privileges: write-maintenance-window.
operationId: post-maintenance-window-id-unarchive
parameters:
- description: A required header to protect against CSRF attacks.
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The identifier for the maintenance window to be unarchived.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
unarchiveMaintenanceWindowResponse:
description: |
The response returned when a maintenance window is successfully unarchived.
summary: Unarchive a maintenance window response
value:
created_at: '2025-02-25T10:00:00.000Z'
created_by: elastic
enabled: true
id: f0cb1780-537a-4e34-8adf-3b4336862858
schedule:
custom:
duration: 2h
recurring:
every: 1w
occurrences: 10
onWeekDay:
- MO
- WE
start: '2025-03-01T08:00:00.000Z'
timezone: Europe/Amsterdam
scope:
alerting:
query:
kql: 'kibana.alert.tags: "infra"'
status: upcoming
title: Weekly Maintenance Window
updated_at: '2025-02-25T10:00:00.000Z'
updated_by: elastic
schema:
additionalProperties: false
type: object
properties:
created_at:
description: The date and time when the maintenance window was created.
type: string
created_by:
description: The identifier for the user that created the maintenance window.
nullable: true
type: string
enabled:
description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
type: boolean
id:
description: The identifier for the maintenance window.
type: string
schedule:
additionalProperties: false
type: object
properties:
custom:
additionalProperties: false
type: object
properties:
duration:
description: 'The duration of the schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `h`, `m`, or `s` for days, hours, minutes, or seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
type: string
recurring:
additionalProperties: false
type: object
properties:
end:
description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
type: string
every:
description: 'The interval and frequency of a recurring schedule. It allows values in the form of an integer followed by a unit. The unit is one of `d`, `w`, `M`, or `y` for days, weeks, months, or years. For example: `15d`, `2w`, `3M`, `1y`.'
type: string
occurrences:
description: The total number of recurrences of the schedule.
type: number
onMonth:
description: The specific months for a recurring schedule. Valid values are 1-12.
items:
type: number
type: array
onMonthDay:
description: The specific days of the month for a recurring schedule. Valid values are 1-31.
items:
type: number
type: array
onWeekDay:
description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
items:
type: string
type: array
start:
description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
type: string
timezone:
description: The timezone of the schedule. The default timezone is UTC.
type: string
required:
- start
- duration
required:
- custom
scope:
additionalProperties: false
type: object
properties:
alerting:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
required:
- query
required:
- alerting
status:
description: The current status of the maintenance window.
enum:
- running
- upcoming
- finished
- archived
- disabled
type: string
title:
description: The name of the maintenance window.
type: string
updated_at:
description: The date and time when the maintenance window was last updated.
type: string
updated_by:
description: The identifier for the user that last updated this maintenance window.
nullable: true
type: string
required:
- id
- title
- enabled
- created_by
- updated_by
- created_at
- updated_at
- status
- schedule
description: Indicates a successful call.
'400':
description: Indicates an invalid schema or parameters.
'403':
description: Indicates that this call is forbidden.
'404':
description: Indicates a maintenance window with the given ID does not exist.
summary: Unarchive a maintenance window.
tags:
- maintenance-window
x-state: Generally available; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/ml/saved_objects/sync:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/ml/saved_objects/sync
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.
operationId: mlSync
parameters:
- $ref: '#/components/parameters/Machine_learning_APIs_simulateParam'
responses:
'200':
content:
application/json:
examples:
syncExample:
$ref: '#/components/examples/Machine_learning_APIs_mlSyncExample'
schema:
$ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response'
description: Indicates a successful call
'401':
content:
application/json:
examples:
syncExample:
$ref: '#/components/examples/Machine_learning_APIs_mlSync401Example'
schema:
$ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse'
description: Authorization information is missing or invalid.
summary: Sync saved objects in the default space
tags:
- ml
x-metaTags:
- content: Kibana
name: product_name
/api/ml/saved_objects/update_jobs_spaces:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update a list of trained models to add and/or remove them from given spaces.
operationId: mlUpdateTrainedModelsSpaces
requestBody:
content:
application/json:
examples:
updateTrainedModelsSpacesRequest:
value:
modelIds:
- test-model
spacesToAdd:
- default
spacesToRemove:
- '*'
responses:
'200':
content:
application/json:
examples:
successTMResponse:
value:
test-model:
success: true
type: trained-model
description: Indicates a successful call
summary: Update trained models spaces
tags:
- ml
x-metaTags:
- content: Kibana
name: product_name
/api/note:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/note
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Deletes notes by saved object ID. Send either `noteId` (single ID) or `noteIds` (array of IDs) in the JSON body.
The response has HTTP 200 with an empty body on success.
Requires the **Timeline and Notes** write privilege (`notes_write`).
operationId: DeleteNote
requestBody:
content:
application/json:
examples:
deleteOne:
summary: Delete a single note by id
value:
noteId: 709f99c6-89b6-4953-9160-35945c8e174e
schema:
oneOf:
- nullable: true
type: object
properties:
noteId:
description: Saved object ID of the note to delete.
type: string
required:
- noteId
- nullable: true
type: object
properties:
noteIds:
description: Saved object IDs of the notes to delete.
items:
type: string
nullable: true
type: array
required:
- noteIds
description: |
Exactly one shape: `{ "noteId": "<id>" }` for a single delete, or `{ "noteIds": ["<id>", ...] }` for bulk delete.
`noteIds` may be null in some clients; prefer an empty array or omit unused fields when possible.
required: true
responses:
'200':
description: The notes were deleted successfully. Response body is empty.
summary: Delete one or more notes
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/note
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Returns Security Timeline notes as saved objects.
**Query modes (mutually exclusive branches on the server):**
1. **`documentIds` is set** — Returns notes whose `eventId` matches the given Elasticsearch document `_id` (single string or array). Pagination query parameters (`page`, `perPage`, etc.) are **not** applied; the server uses a fixed page size (up to 10000 notes).
2. **`savedObjectIds` is set** — Returns notes linked to the given Timeline saved object id(s). Same fixed cap as above; list-mode query parameters are **not** applied.
3. **Neither `documentIds` nor `savedObjectIds`** — Lists notes using saved-objects find semantics: `page` (default 1), `perPage` (default 10), optional `search`, `sortField`, `sortOrder`, `filter`, `createdByFilter`, and `associatedFilter`.
Requires the **Timeline and Notes** read privilege (`notes_read`).
operationId: GetNotes
parameters:
- description: |
Event document `_id` values to match against each note's `eventId`. When this parameter is present, the response is all matching notes (up to the server's hard limit), not a paged list using `page`/`perPage`.
examples:
multiple:
summary: Multiple document ids (array)
value:
- id-one
- id-two
single:
summary: Single document id
value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
in: query
name: documentIds
schema:
$ref: '#/components/schemas/Security_Timeline_API_DocumentIds'
- description: |
Timeline `savedObjectId` value(s). Returns notes that reference those timelines. When present, list-mode pagination parameters are not used; up to the server's hard limit of notes may be returned.
examples:
singleTimeline:
summary: Single timeline id
value: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
in: query
name: savedObjectIds
schema:
$ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds'
- description: |
Page number for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 1.
example: '1'
in: query
name: page
schema:
nullable: true
type: string
- description: |
Page size for list mode (when `documentIds` and `savedObjectIds` are omitted). Passed as a string; default 10.
example: '20'
in: query
name: perPage
schema:
nullable: true
type: string
- description: Search string for saved-objects find (list mode only).
in: query
name: search
schema:
nullable: true
type: string
- description: Field to sort by for saved-objects find (list mode only).
in: query
name: sortField
schema:
nullable: true
type: string
- description: Sort order (`asc` or `desc`) for saved-objects find (list mode only).
example: desc
in: query
name: sortOrder
schema:
nullable: true
type: string
- description: |
Kuery filter string combined with other list-mode filters (for example `createdByFilter` or `associatedFilter`). Typed as a string for API compatibility; interpreted by the saved-objects layer (list mode only).
in: query
name: filter
schema:
nullable: true
type: string
- description: |
Kibana user profile **UID** (UUID). The server resolves the user's display identifiers and returns notes whose `createdBy` matches any of them (list mode only).
example: f1c2d3e4-5b6a-7890-abcd-ef1234567890
in: query
name: createdByFilter
schema:
nullable: true
type: string
- description: |
Restricts notes by how they relate to a Timeline and/or an event document (list mode only). Some values apply extra filtering after the query. Ignored when `documentIds` or `savedObjectIds` is used.
in: query
name: associatedFilter
schema:
$ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType'
responses:
'200':
content:
application/json:
examples:
notesPage:
summary: Paged notes for a timeline
value:
notes:
- eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
note: Escalated to tier-2 analyst
noteId: 709f99c6-89b6-4953-9160-35945c8e174e
timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
version: WzQ2LDFd
totalCount: 1
schema:
$ref: '#/components/schemas/Security_Timeline_API_GetNotesResult'
description: Notes and total count for the requested mode.
summary: Get notes
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |
**Spaces method and path for this operation:**
patch/s/{space_id}/api/note
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Creates a new note or updates an existing one.
**Create:** Send `note` and omit `noteId` to create a new saved object.
**Update:** Send `note` with the changed fields and set `noteId` to the note's saved object ID. Optionally include `version` for optimistic concurrency when the client has it from a prior read.
Requires the **Timeline and Notes** write privilege (`notes_write`).
externalDocs:
description: Add or update a note on a Timeline
url: https://www.elastic.co/guide/en/security/current/timeline-api-update.html
operationId: PersistNoteRoute
requestBody:
content:
application/json:
examples:
addNote:
summary: Add a note on an event
value:
note:
eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
note: Escalated to tier-2 analyst
timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
schema:
type: object
properties:
note:
$ref: '#/components/schemas/Security_Timeline_API_BareNote'
description: Note payload (timeline, text, optional event linkage, metadata).
noteId:
description: The `savedObjectId` of the note to update. Omit when creating a new note.
example: 709f99c6-89b6-4953-9160-35945c8e174e
nullable: true
type: string
version:
description: Saved object version string from a previous read; optional on update.
example: WzQ2LDFd
nullable: true
type: string
required:
- note
description: |
Body must include the `note` object. For updates, include `noteId` (and optionally `version`).
To attach a note to a specific event, set `note.eventId` to that event's document `_id`; for a timeline-wide note, omit or clear `eventId` per product rules.
required: true
responses:
'200':
content:
application/json:
examples:
persisted:
summary: Persisted note wrapper
value:
note:
eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
note: Escalated to tier-2 analyst
noteId: 709f99c6-89b6-4953-9160-35945c8e174e
timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
version: WzQ2LDFd
schema:
$ref: '#/components/schemas/Security_Timeline_API_ResponseNote'
description: The persisted note, including `noteId` and `version`.
summary: Add or update a note
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/observability_ai_assistant/chat/complete:
post:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new chat completion by using the Observability AI Assistant.
The API returns the model's response based on the current conversation context.
It also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM).
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
operationId: observability-ai-assistant-chat-complete
requestBody:
content:
application/json:
examples:
chatCompleteRequestExample:
$ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteRequestExample'
schema:
type: object
properties:
actions:
items:
$ref: '#/components/schemas/Observability_AI_Assistant_API_Function'
type: array
connectorId:
description: A unique identifier for the connector.
type: string
conversationId:
description: A unique identifier for the conversation if you are continuing an existing conversation.
type: string
disableFunctions:
description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made.
type: boolean
instructions:
description: An array of instruction objects, which can be either simple strings or detailed objects.
items:
$ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction'
type: array
messages:
description: An array of message objects containing the conversation history.
items:
$ref: '#/components/schemas/Observability_AI_Assistant_API_Message'
type: array
persist:
description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana.
type: boolean
title:
description: A title for the conversation.
type: string
required:
- messages
- connectorId
- persist
responses:
'200':
content:
application/json:
examples:
chatCompleteResponseExample:
$ref: '#/components/examples/Observability_AI_Assistant_API_ChatCompleteResponseExample'
schema:
type: object
description: Successful response
summary: Generate a chat completion
tags:
- observability_ai_assistant
x-codeSamples:
- lang: cURL
source: |
curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data '
{
"connectorId": "",
"disableFunctions": false,
"messages": [
{
"@timestamp": "2025-06-25T23:45:00.000Z",
"message": {
"role": "user",
"content": "Is my Elasticsearch cluster healthy right now?"
}
}
],
"persist": false,
"actions": [
{
"name": "get_cluster_health",
"description": "Fetch the current Elasticsearch cluster-health status and key metrics.",
"parameters": {
"type": "object",
"properties": {
"includeShardStats": {
"type": "boolean",
"default": false
}
}
}
}
],
"instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."]
}'
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/history:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/osquery/history
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination.
operationId: OsqueryGetUnifiedHistory
parameters:
- description: The number of results to return per page.
in: query
name: pageSize
required: false
schema:
default: 20
description: The number of results to return per page.
maximum: 100
minimum: 1
type: integer
- description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page.
in: query
name: nextPage
required: false
schema:
description: A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page.
type: string
- description: A search string to filter history entries by pack name, query text, or query ID.
in: query
name: kuery
required: false
schema:
description: A search string to filter history entries by pack name, query text, or query ID.
type: string
- description: Comma-separated list of user IDs to filter live query history.
in: query
name: userIds
required: false
schema:
description: Comma-separated list of user IDs to filter live query history.
example: elastic,admin
type: string
- description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`.
in: query
name: sourceFilters
required: false
schema:
description: Comma-separated list of source types to include. Valid values are `live`, `rule`, and `scheduled`.
example: live,scheduled
type: string
- description: The start of the time range filter (ISO 8601).
in: query
name: startDate
required: false
schema:
description: The start of the time range filter (ISO 8601).
example: '2024-01-01T00:00:00Z'
type: string
- description: The end of the time range filter (ISO 8601).
in: query
name: endDate
required: false
schema:
description: The end of the time range filter (ISO 8601).
example: '2024-12-31T23:59:59Z'
type: string
responses:
'200':
content:
application/json:
examples:
unifiedHistoryExample:
summary: Example unified history response
value:
data:
- actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agentCount: 5
errorCount: 0
id: 3c42c847-eb30-4452-80e0-728584042334
queryName: uptime_query
queryText: select * from uptime;
source: Live
sourceType: live
successCount: 5
timestamp: '2024-07-26T09:59:32.220Z'
totalRows: 42
userId: elastic
- agentCount: 10
errorCount: 1
executionCount: 3
id: pack_my_pack_uptime_3
packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
packName: My Pack
plannedTime: '2024-07-26T09:00:00.000Z'
queryName: uptime
queryText: select * from uptime;
scheduleId: pack_my_pack_uptime
source: Scheduled
sourceType: scheduled
successCount: 9
timestamp: '2024-07-26T09:00:00.000Z'
totalRows: 100
hasMore: true
nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3...
schema:
$ref: '#/components/schemas/Security_Osquery_API_GetUnifiedHistoryResponse'
description: Indicates a successful call.
summary: Get unified query history
tags:
- Security Osquery API
x-state: Generally available; Added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/live_queries:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/osquery/live_queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all live queries.
operationId: OsqueryFindLiveQueries
parameters:
- description: A KQL search string to filter live queries.
in: query
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- description: The page number to return.
in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- description: The number of results to return per page.
in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- description: The field to sort results by.
in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- description: The sort order.
in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse'
description: Indicates a successful call.
summary: Get live queries
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/osquery/live_queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create and run a live query.
operationId: OsqueryCreateLiveQuery
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody'
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse'
description: Indicates a successful call.
summary: Create a live query
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/live_queries/{id}:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/osquery/live_queries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of a live query using the query ID.
operationId: OsqueryGetLiveQueryDetails
parameters:
- description: The ID of the live query.
in: path
name: id
required: true
schema:
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse'
description: Indicates a successful call.
summary: Get live query details
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/live_queries/{id}/results/{actionId}:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the results of a live query using the query action ID.
operationId: OsqueryGetLiveQueryResults
parameters:
- description: The ID of the live query.
in: path
name: id
required: true
schema:
description: The ID of the live query result you want to retrieve.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
- description: The ID of the query action.
in: path
name: actionId
required: true
schema:
description: The ID of the query action that generated the live query results.
example: 609c4c66-ba3d-43fa-afdd-53e244577aa0
type: string
- description: A KQL search string to filter results.
in: query
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- description: The page number to return.
in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- description: The number of results to return per page.
in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- description: The field to sort results by.
in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- description: The sort order.
in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse'
description: Indicates a successful call.
summary: Get live query results
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/packs:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/osquery/packs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all query packs.
operationId: OsqueryFindPacks
parameters:
- description: The page number to return.
in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- description: The number of results to return per page.
in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- description: The field to sort results by.
in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- description: The sort order.
in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse'
description: Indicates a successful call.
summary: Get packs
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/osquery/packs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a query pack.
operationId: OsqueryCreatePacks
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody'
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse'
description: Indicates a successful call.
summary: Create a pack
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/packs/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/osquery/packs/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a query pack using the pack ID.
operationId: OsqueryDeletePacks
parameters:
- description: The pack ID.
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
responses:
'200':
content:
application/json:
schema:
example: {}
type: object
properties: {}
description: Indicates a successful call.
summary: Delete a pack
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/osquery/packs/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of a query pack using the pack ID.
operationId: OsqueryGetPacksDetails
parameters:
- description: The pack ID.
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindPackResponse'
description: Indicates a successful call.
summary: Get pack details
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/osquery/packs/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update a query pack using the pack ID.
> info
> You cannot update a prebuilt pack.
operationId: OsqueryUpdatePacks
parameters:
- description: The pack ID.
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody'
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse'
description: Indicates a successful call.
summary: Update a pack
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/packs/{id}/copy:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/osquery/packs/{id}/copy
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a copy of a query pack with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`). The copied pack is always created with `enabled` set to `false`.
operationId: OsqueryCopyPacks
parameters:
- description: The ID of the pack to copy.
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
responses:
'200':
content:
application/json:
examples:
copyPackExample:
summary: Example response for copying a pack
value:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: false
name: my_pack_copy
policy_ids: []
queries:
- ecs_mapping:
- key: client.port
value:
field: port
id: ports
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards: []
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Osquery_API_CopyPacksResponse'
description: Indicates a successful call.
summary: Copy a pack
tags:
- Security Osquery API
x-state: Generally available; Added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/saved_queries:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/osquery/saved_queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all saved queries.
operationId: OsqueryFindSavedQueries
parameters:
- description: The page number to return.
in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- description: The number of results to return per page.
in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- description: The field to sort results by.
in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- description: The sort order.
in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse'
description: Indicates a successful call.
summary: Get saved queries
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/osquery/saved_queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create and save a query for later use.
operationId: OsqueryCreateSavedQuery
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody'
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse'
description: Indicates a successful call.
summary: Create a saved query
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/saved_queries/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a saved query using the query ID.
operationId: OsqueryDeleteSavedQuery
parameters:
- description: The saved query ID.
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
description: Indicates a successful call.
summary: Delete a saved query
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/osquery/saved_queries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of a saved query using the query ID.
operationId: OsqueryGetSavedQueryDetails
parameters:
- description: The saved query ID.
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse'
description: Indicates a successful call.
summary: Get saved query details
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/osquery/saved_queries/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update a saved query using the query ID.
> info
> You cannot update a prebuilt saved query.
operationId: OsqueryUpdateSavedQuery
parameters:
- description: The saved query ID.
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody'
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse'
description: Indicates a successful call.
summary: Update a saved query
tags:
- Security Osquery API
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/saved_queries/{id}/copy:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a copy of a saved query with a unique name by appending a `_copy` suffix. If the name already exists, a numeric suffix is added (e.g., `_copy_2`).
operationId: OsqueryCopySavedQuery
parameters:
- description: The ID of the saved query to copy.
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
responses:
'200':
content:
application/json:
examples:
copySavedQueryExample:
summary: Example response for copying a saved query
value:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: my_saved_query_copy
interval: '60'
platform: linux,darwin
query: select * from uptime;
removed: false
saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
snapshot: true
timeout: 120
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
schema:
$ref: '#/components/schemas/Security_Osquery_API_CopySavedQueryResponse'
description: Indicates a successful call.
summary: Copy a saved query
tags:
- Security Osquery API
x-state: Generally available; Added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/osquery/scheduled_results/{scheduleId}/{executionCount}:
get:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution.
operationId: OsqueryGetScheduledQueryResults
parameters:
- description: The schedule ID of the scheduled query.
in: path
name: scheduleId
required: true
schema:
description: The schedule ID of the scheduled query.
example: pack_my_pack_uptime
type: string
- description: The execution count for this scheduled query run.
in: path
name: executionCount
required: true
schema:
description: The execution count for this scheduled query run.
example: 3
type: integer
- description: The kuery to filter the results by.
in: query
name: kuery
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
- description: The page number to return. The default is 1.
in: query
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
- description: The number of results to return per page. The default is 20.
in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
- description: The field that is used to sort the results.
in: query
name: sort
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
- description: Specifies the sort order.
in: query
name: sortOrder
required: false
schema:
$ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
- description: The start date filter (ISO 8601) to narrow down results.
in: query
name: startDate
required: false
schema:
description: The start date filter (ISO 8601) to narrow down results.
example: '2024-01-01T00:00:00Z'
type: string
responses:
'200':
content:
application/json:
examples:
scheduledQueryResultsExample:
summary: Example scheduled query results response
value:
data:
edges:
- _id: row-001
fields:
host.uptime:
- '12345'
- _id: row-002
fields:
host.uptime:
- '67890'
total: 2
schema:
$ref: '#/components/schemas/Security_Osquery_API_GetScheduledQueryResultsResponse'
description: Indicates a successful call.
summary: Get scheduled query results
tags:
- Security Osquery API
x-state: Generally available; Added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/pinned_event:
patch:
description: |-
**Spaces method and path for this operation:**
patch/s/{space_id}/api/pinned_event
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Pin/unpin an event to/from an existing Timeline.
operationId: PersistPinnedEventRoute
requestBody:
content:
application/json:
examples:
pinEvent:
summary: Pin an event
value:
eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
schema:
type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
pinnedEventId:
description: The `savedObjectId` of the pinned event you want to unpin.
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
nullable: true
type: string
timelineId:
description: The `savedObjectId` of the timeline from which you want this pinned event unpinned.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
description: The pinned event to add or unpin, along with additional metadata.
required: true
responses:
'200':
content:
application/json:
examples:
pinnedSaved:
summary: Pinned event saved object
value:
eventId: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
pinnedEventId: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
version: WzQ2LDFe
unpinned:
summary: Unpin response
value:
unpinned: true
schema:
$ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse'
description: Indicates a successful call.
summary: Pin/unpin an event
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/risk_score/engine/dangerously_delete_data:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
operationId: ScheduleRiskEngineNow
requestBody:
content:
application/json:
examples:
emptyRequest:
summary: No request body
value: {}
schema:
type: object
responses:
'200':
content:
application/json:
examples:
ScheduleRiskEngineNowResponse:
summary: Successful schedule response
value:
success: true
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse'
description: Successful response
'400':
content:
application/json:
examples:
taskManagerUnavailable:
summary: Task manager is unavailable
value:
message: Task Manager is unavailable, but is required by the risk engine. Please enable the taskManager plugin and try again.
status_code: 400
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
description: Task manager is unavailable
default:
content:
application/json:
examples:
scheduleNowError:
summary: Schedule now failed
value:
full_error: '{}'
message: Internal server error
schema:
$ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse'
description: Unexpected error
summary: Run the risk scoring engine
tags:
- Security Entity Analytics API
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_bulk_create:
post:
deprecated: true
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/saved_objects/_bulk_create
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Creates multiple Kibana saved objects in a single request.
For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`).
operationId: post-saved-objects-bulk-create
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Overwrite existing saved objects that match the same type and ID.
in: query
name: overwrite
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/json:
examples:
bulkCreateRequest:
summary: Create multiple saved objects (partial success)
value:
- attributes:
title: Example dashboard 1
id: example-dashboard-1
references: []
type: dashboard
- attributes:
title: Example dashboard 2
id: example-dashboard-2
references: []
type: dashboard
schema:
items:
additionalProperties: false
type: object
properties:
attributes:
additionalProperties:
nullable: true
type: object
coreMigrationVersion:
type: string
id:
type: string
initialNamespaces:
items:
type: string
maxItems: 100
minItems: 1
type: array
migrationVersion:
additionalProperties:
type: string
type: object
references:
items:
additionalProperties: false
type: object
properties:
id:
type: string
name:
type: string
type:
type: string
required:
- name
- type
- id
maxItems: 1000
type: array
type:
type: string
typeMigrationVersion:
type: string
version:
type: string
required:
- type
- attributes
maxItems: 10000
type: array
responses:
'200':
content:
application/json:
examples:
bulkCreateResponse:
summary: A bulk create response with one conflict
value:
saved_objects:
- attributes:
title: Example dashboard 1
id: example-dashboard-1
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMV0=
- error:
error: Conflict
message: Saved object [dashboard/example-dashboard-2] conflict
statusCode: 409
id: example-dashboard-2
type: dashboard
description: A bulk create response.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'Unsupported saved object type(s): unknownType'
statusCode: 400
description: A bad request.
summary: Create saved objects
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/_bulk_create?overwrite=false" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '[{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Example dashboard 1"},"references":[]},{"type":"dashboard","id":"example-dashboard-2","attributes":{"title":"Example dashboard 2"},"references":[]}]'
- lang: Console
source: |
POST kbn://api/saved_objects/_bulk_create?overwrite=false
[{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Example dashboard 1"},"references":[]},{"type":"dashboard","id":"example-dashboard-2","attributes":{"title":"Example dashboard 2"},"references":[]}]
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_bulk_delete:
post:
deprecated: true
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/saved_objects/_bulk_delete
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Deletes multiple Kibana saved objects in a single request.
There is currently no complete replacement for deleting arbitrary saved objects via an HTTP API.
operationId: post-saved-objects-bulk-delete
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: When true, force deletion of multi-namespace objects from all namespaces.
in: query
name: force
required: false
schema:
type: boolean
requestBody:
content:
application/json:
examples:
bulkDeleteRequest:
summary: Delete multiple saved objects
value:
- id: example-dashboard-1
type: dashboard
- id: does-not-exist
type: dashboard
schema:
items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
maxItems: 10000
type: array
responses:
'200':
content:
application/json:
examples:
bulkDeleteResponse:
summary: A bulk delete response with one not found result
value:
statuses:
- id: example-dashboard-1
success: true
type: dashboard
- error:
error: Not Found
message: Saved object [dashboard/does-not-exist] not found
statusCode: 404
id: does-not-exist
success: false
type: dashboard
description: A bulk delete response.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'Unsupported saved object type(s): unknownType'
statusCode: 400
description: A bad request.
summary: Delete saved objects
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/_bulk_delete?force=false" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}]'
- lang: Console
source: |
POST kbn://api/saved_objects/_bulk_delete?force=false
[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}]
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_bulk_get:
post:
deprecated: true
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/saved_objects/_bulk_get
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Retrieves multiple Kibana saved objects by type and ID in a single request.
For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`).
operationId: post-saved-objects-bulk-get
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
bulkGetRequest:
summary: Get multiple saved objects
value:
- id: example-dashboard-1
type: dashboard
- id: does-not-exist
type: dashboard
schema:
items:
additionalProperties: false
type: object
properties:
fields:
items:
type: string
maxItems: 100
type: array
id:
type: string
namespaces:
items:
type: string
maxItems: 100
type: array
type:
type: string
required:
- type
- id
maxItems: 10000
type: array
responses:
'200':
content:
application/json:
examples:
bulkGetResponse:
summary: A bulk get response with one not found result
value:
saved_objects:
- attributes:
title: Example dashboard 1
id: example-dashboard-1
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMV0=
- error:
error: Not Found
message: Saved object [dashboard/does-not-exist] not found
statusCode: 404
id: does-not-exist
type: dashboard
description: A bulk get response.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'Unsupported saved object type(s): unknownType'
statusCode: 400
description: A bad request.
summary: Get saved objects
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/_bulk_get" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}]'
- lang: Console
source: |
POST kbn://api/saved_objects/_bulk_get
[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"does-not-exist"}]
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_bulk_resolve:
post:
deprecated: true
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/saved_objects/_bulk_resolve
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Retrieve multiple Kibana saved objects by ID, using any legacy URL aliases if they exist.
Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved with the bulk resolve API using either its new ID or its old ID.
operationId: post-saved-objects-bulk-resolve
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
bulkResolveRequest:
summary: Resolve multiple saved objects
value:
- id: example-dashboard-1
type: dashboard
- id: legacy-id
type: dashboard
schema:
items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
maxItems: 10000
type: array
responses:
'200':
content:
application/json:
examples:
bulkResolveResponse:
summary: A bulk resolve response with an exact and alias match
value:
resolved_objects:
- outcome: exactMatch
saved_object:
attributes:
title: Example dashboard 1
id: example-dashboard-1
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMV0=
- alias_target_id: example-dashboard-2
outcome: aliasMatch
saved_object:
attributes:
title: Example dashboard 2
id: example-dashboard-2
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMl0=
description: A bulk resolve response.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'Unsupported saved object type(s): unknownType'
statusCode: 400
description: A bad request.
summary: Resolve saved objects
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/_bulk_resolve" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"legacy-id"}]'
- lang: Console
source: |
POST kbn://api/saved_objects/_bulk_resolve
[{"type":"dashboard","id":"example-dashboard-1"},{"type":"dashboard","id":"legacy-id"}]
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_bulk_update:
put:
deprecated: true
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/saved_objects/_bulk_update
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Updates multiple Kibana saved objects in a single request.
For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`).
operationId: put-saved-objects-bulk-update
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
bulkUpdateRequest:
summary: Update multiple saved objects (partial success)
value:
- attributes:
title: Updated dashboard title
id: example-dashboard-1
references: []
type: dashboard
- attributes:
title: Updated dashboard title
id: does-not-exist
type: dashboard
schema:
items:
additionalProperties: false
type: object
properties:
attributes:
additionalProperties:
nullable: true
type: object
id:
type: string
namespace:
minLength: 1
type: string
references:
items:
additionalProperties: false
type: object
properties:
id:
type: string
name:
type: string
type:
type: string
required:
- name
- type
- id
maxItems: 1000
type: array
type:
type: string
version:
type: string
required:
- type
- id
- attributes
maxItems: 10000
type: array
responses:
'200':
content:
application/json:
examples:
bulkUpdateResponse:
summary: A bulk update response with one not found result
value:
saved_objects:
- attributes:
title: Updated dashboard title
id: example-dashboard-1
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzIsMV0=
- error:
error: Not Found
message: Saved object [dashboard/does-not-exist] not found
statusCode: 404
id: does-not-exist
type: dashboard
description: A bulk update response.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'Unsupported saved object type(s): unknownType'
statusCode: 400
description: A bad request.
summary: Update saved objects
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X PUT "${KIBANA_URL}/api/saved_objects/_bulk_update" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '[{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Updated dashboard title"},"references":[]},{"type":"dashboard","id":"does-not-exist","attributes":{"title":"Updated dashboard title"}}]'
- lang: Console
source: |
PUT kbn://api/saved_objects/_bulk_update
[{"type":"dashboard","id":"example-dashboard-1","attributes":{"title":"Updated dashboard title"},"references":[]},{"type":"dashboard","id":"does-not-exist","attributes":{"title":"Updated dashboard title"}}]
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_export:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/saved_objects/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss.
Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions.
NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported.
operationId: post-saved-objects-export
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
exportSavedObjectsRequest:
summary: Export a specific saved object
value:
excludeExportDetails: true
includeReferencesDeep: false
objects:
- id: example-dashboard-1
type: dashboard
schema:
additionalProperties: false
type: object
properties:
excludeExportDetails:
default: false
description: Do not add export details entry at the end of the stream.
type: boolean
hasReference:
anyOf:
- additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
- items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
maxItems: 100
type: array
includeReferencesDeep:
default: false
description: Includes all of the referenced objects in the exported objects.
type: boolean
objects:
description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `type` option'
items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
maxItems: 10000
type: array
search:
description: Search for documents to export using the Elasticsearch Simple Query String syntax.
type: string
type:
anyOf:
- type: string
- items:
type: string
maxItems: 100
type: array
description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`.
responses:
'200':
content:
application/x-ndjson:
examples:
exportSavedObjectsResponse:
summary: The export response contains an NDJSON record for each exported object
value: |
{"id":"example-dashboard-1","type":"dashboard","attributes":{"title":"Example dashboard 1"},"references":[],"managed":false}
{"exportedCount":1,"missingRefCount":0,"missingReferences":[]}
schema: {}
description: Indicates a successful call.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'Either `type` or `objects` are required.: Bad Request'
statusCode: 400
schema:
additionalProperties: false
description: Indicates an unsuccessful response.
type: object
properties:
error:
type: string
message:
type: string
statusCode:
enum:
- 400
type: integer
required:
- error
- message
- statusCode
description: Bad request.
summary: Export saved objects
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/_export" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true}'
- lang: Console
source: |
POST kbn://api/saved_objects/_export
{"objects":[{"type":"dashboard","id":"example-dashboard-1"}],"includeReferencesDeep":false,"excludeExportDetails":true}
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_find:
get:
deprecated: true
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/saved_objects/_find
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Searches for Kibana saved objects.
For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`).
operationId: get-saved-objects-find
parameters:
- description: The number of items per page.
in: query
name: per_page
required: false
schema:
default: 20
minimum: 0
type: number
- description: The page index to return.
in: query
name: page
required: false
schema:
default: 1
minimum: 0
type: number
- description: The saved object type or types to search for. Use multiple `type` values to search across types.
in: query
name: type
required: true
schema:
items:
type: string
maxItems: 100
type: array
- description: A text search string.
in: query
name: search
required: false
schema:
type: string
- description: The boolean operator to use when combining multiple values.
in: query
name: default_search_operator
required: false
schema:
default: OR
enum:
- OR
- AND
type: string
- description: The fields to search on.
in: query
name: search_fields
required: false
schema:
items:
type: string
maxItems: 100
type: array
- description: The field to sort on.
in: query
name: sort_field
required: false
schema:
type: string
- description: Return only saved objects that have a reference to the specified saved object(s).
in: query
name: has_reference
required: false
schema:
anyOf:
- additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
- items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
maxItems: 100
type: array
- description: The boolean operator to use when combining multiple values.
in: query
name: has_reference_operator
required: false
schema:
default: OR
enum:
- OR
- AND
type: string
- description: Return only saved objects that do not have a reference to the specified saved object(s).
in: query
name: has_no_reference
required: false
schema:
anyOf:
- additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
- items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
maxItems: 100
type: array
- description: The boolean operator to use when combining multiple values.
in: query
name: has_no_reference_operator
required: false
schema:
default: OR
enum:
- OR
- AND
type: string
- description: The fields to return for each saved object.
in: query
name: fields
required: false
schema:
items:
type: string
maxItems: 100
type: array
- description: A KQL filter to apply to the search.
in: query
name: filter
required: false
schema:
type: string
- description: Aggregations as a JSON string.
in: query
name: aggs
required: false
schema:
type: string
- description: The namespaces (spaces) to search in.
in: query
name: namespaces
required: false
schema:
items:
type: string
maxItems: 100
type: array
responses:
'200':
content:
application/json:
examples:
findSavedObjectsResponse:
summary: A page of saved objects
value:
page: 1
per_page: 20
saved_objects:
- attributes:
title: Example dashboard 1
id: example-dashboard-1
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMV0=
total: 1
description: A search response.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'This type dashboard is not allowed: Bad Request'
statusCode: 400
description: A bad request.
summary: Search for saved objects
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/saved_objects/_find?type=dashboard&fields=title&per_page=20&page=1" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/saved_objects/_find?type=dashboard&fields=title&per_page=20&page=1
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_import:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/saved_objects/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss.
Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
NOTE: The exported saved objects include `coreMigrationVersion` and `typeMigrationVersion` metadata. If you store exported saved objects outside of Kibana (for example in NDJSON files) or generate them yourself, you must preserve or include these fields to retain forward compatibility across Kibana versions.
operationId: post-saved-objects-import
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.'
in: query
name: overwrite
required: false
schema:
default: false
type: boolean
- description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.'
in: query
name: createNewCopies
required: false
schema:
default: false
type: boolean
- description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.'
in: query
name: compatibilityMode
required: false
schema:
default: false
type: boolean
requestBody:
content:
multipart/form-data:
examples:
importObjectsRequest:
summary: Import saved objects from an NDJSON file
value:
file: file.ndjson
schema:
additionalProperties: false
type: object
properties:
file:
description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.'
type: object
required:
- file
responses:
'200':
content:
application/json:
examples:
importObjectsResponse:
summary: A successful import response
value:
errors: []
success: true
successCount: 1
successResults:
- destinationId: example-dashboard-1-copy
id: example-dashboard-1
managed: false
type: dashboard
schema:
additionalProperties: false
type: object
properties:
errors:
description: |-
Indicates the import was unsuccessful and specifies the objects that failed to import.
NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error.
items:
additionalProperties: true
type: object
properties: {}
type: array
success:
description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.
type: boolean
successCount:
description: Indicates the number of successfully imported records.
type: number
successResults:
description: |-
Indicates the objects that are successfully imported, with any metadata if applicable.
NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute.
items:
additionalProperties: true
type: object
properties: {}
type: array
required:
- success
- successCount
- errors
- successResults
description: Indicates a successful call.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: Invalid file extension .txt
statusCode: 400
schema:
additionalProperties: false
description: Indicates an unsuccessful response.
type: object
properties:
error:
type: string
message:
type: string
statusCode:
enum:
- 400
type: integer
required:
- error
- message
- statusCode
description: Bad request.
summary: Import saved objects
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/_import?createNewCopies=true" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
--form file=@file.ndjson
- lang: Console
source: |
POST kbn://api/saved_objects/_import?createNewCopies=true
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/_resolve_import_errors:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
To resolve errors from the import objects API, you can retry certain saved objects, overwrite specific saved objects, and change references to different saved objects.
operationId: post-saved-objects-resolve-import-errors
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Creates copies of saved objects, regenerates each object ID, and resets the origin.
in: query
name: createNewCopies
required: false
schema:
default: false
type: boolean
- description: Applies adjustments to maintain compatibility between different Kibana versions.
in: query
name: compatibilityMode
required: false
schema:
default: false
type: boolean
requestBody:
content:
multipart/form-data:
examples:
resolveImportErrorsRequest:
summary: Resolve import errors by retrying objects
value:
file: file.ndjson
retries:
- id: example-dashboard-1
overwrite: true
replaceReferences: []
type: dashboard
schema:
additionalProperties: false
type: object
properties:
file:
type: object
retries:
items:
additionalProperties: false
type: object
properties:
createNewCopy:
type: boolean
destinationId:
type: string
id:
type: string
ignoreMissingReferences:
type: boolean
overwrite:
default: false
type: boolean
replaceReferences:
default: []
items:
additionalProperties: false
type: object
properties:
from:
type: string
to:
type: string
type:
type: string
required:
- type
- from
- to
maxItems: 100
type: array
type:
type: string
required:
- type
- id
maxItems: 10000
type: array
required:
- file
- retries
responses:
'200':
content:
application/json:
examples:
resolveImportErrorsResponse:
summary: A successful resolve import errors response
value:
errors: []
success: true
successCount: 1
successResults:
- id: example-dashboard-1
managed: false
type: dashboard
description: A successful resolve import errors response.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: Invalid file extension .txt
statusCode: 400
description: A bad request.
summary: Resolve import errors
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/_resolve_import_errors" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
--form file=@file.ndjson \
--form retries='[{"type":"dashboard","id":"example-dashboard-1","overwrite":true,"replaceReferences":[]}]'
- lang: Console
source: |
POST kbn://api/saved_objects/_resolve_import_errors
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/{type}:
post:
deprecated: true
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/saved_objects/{type}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Creates a Kibana saved object; if an ID is provided it is used, otherwise Kibana generates one.
For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`).
operationId: post-saved-objects-type
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The saved object type.
in: path
name: type
required: true
schema:
type: string
- description: Overwrite an existing saved object.
in: query
name: overwrite
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/json:
examples:
createDashboardRequest:
summary: Create a dashboard saved object
value:
attributes:
title: Example dashboard
references: []
schema:
additionalProperties: false
type: object
properties:
attributes:
additionalProperties:
nullable: true
type: object
coreMigrationVersion:
type: string
initialNamespaces:
items:
type: string
maxItems: 100
minItems: 1
type: array
migrationVersion:
additionalProperties:
type: string
type: object
references:
items:
additionalProperties: false
type: object
properties:
id:
type: string
name:
type: string
type:
type: string
required:
- name
- type
- id
maxItems: 1000
type: array
typeMigrationVersion:
type: string
required:
- attributes
responses:
'200':
content:
application/json:
examples:
createDashboardResponse:
summary: A created saved object
value:
attributes:
title: Example dashboard
id: example-dashboard-id
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMV0=
description: A successful create response.
'409':
content:
application/json:
examples:
conflictResponse:
summary: A conflict error
value:
error: Conflict
message: Saved object [dashboard/example-dashboard-id] conflict
statusCode: 409
description: A conflict error.
summary: Create a saved object
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-id?overwrite=false" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"attributes":{"title":"Example dashboard"},"references":[]}'
- lang: Console
source: |
POST kbn://api/saved_objects/dashboard/example-dashboard-id?overwrite=false
{"attributes":{"title":"Example dashboard"},"references":[]}
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/{type}/{id}:
delete:
deprecated: true
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/saved_objects/{type}/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Deletes a single Kibana saved object by type and ID.
There is currently no complete replacement for deleting arbitrary saved objects via an HTTP API.
operationId: delete-saved-objects-type-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The saved object type.
in: path
name: type
required: true
schema:
type: string
- description: The saved object identifier.
in: path
name: id
required: true
schema:
type: string
- description: When true, force deletion of multi-namespace objects from all namespaces.
in: query
name: force
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
deleteSavedObjectResponse:
summary: Successful delete
value: {}
description: A successful delete response.
'404':
content:
application/json:
examples:
notFoundResponse:
summary: A not found error
value:
error: Not Found
message: Saved object [dashboard/does-not-exist] not found
statusCode: 404
description: Not found.
summary: Delete a saved object
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1?force=false" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
DELETE kbn://api/saved_objects/dashboard/example-dashboard-1?force=false
x-metaTags:
- content: Kibana
name: product_name
get:
deprecated: true
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/saved_objects/{type}/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Retrieves a single Kibana saved object by type and ID.
For transferring or backing up saved objects, prefer the export API (`POST /api/saved_objects/_export`).
operationId: get-saved-objects-type-id
parameters:
- description: The saved object type.
in: path
name: type
required: true
schema:
type: string
- description: The saved object identifier.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getSavedObjectResponse:
summary: A saved object
value:
attributes:
title: Example dashboard 1
id: example-dashboard-1
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMV0=
description: A saved object.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'Unsupported saved object type(s): unknownType'
statusCode: 400
description: A bad request.
summary: Get a saved object
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/saved_objects/dashboard/example-dashboard-1
x-metaTags:
- content: Kibana
name: product_name
post:
deprecated: true
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/saved_objects/{type}/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Creates a Kibana saved object; if an ID is provided it is used, otherwise Kibana generates one.
For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`).
operationId: post-saved-objects-type-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The saved object type.
in: path
name: type
required: true
schema:
type: string
- description: The saved object identifier.
in: path
name: id
required: true
schema:
type: string
- description: Overwrite an existing saved object.
in: query
name: overwrite
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/json:
examples:
createDashboardRequest:
summary: Create a dashboard saved object
value:
attributes:
title: Example dashboard
references: []
schema:
additionalProperties: false
type: object
properties:
attributes:
additionalProperties:
nullable: true
type: object
coreMigrationVersion:
type: string
initialNamespaces:
items:
type: string
maxItems: 100
minItems: 1
type: array
migrationVersion:
additionalProperties:
type: string
type: object
references:
items:
additionalProperties: false
type: object
properties:
id:
type: string
name:
type: string
type:
type: string
required:
- name
- type
- id
maxItems: 1000
type: array
typeMigrationVersion:
type: string
required:
- attributes
responses:
'200':
content:
application/json:
examples:
createDashboardResponse:
summary: A created saved object
value:
attributes:
title: Example dashboard
id: example-dashboard-id
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMV0=
description: A successful create response.
'409':
content:
application/json:
examples:
conflictResponse:
summary: A conflict error
value:
error: Conflict
message: Saved object [dashboard/example-dashboard-id] conflict
statusCode: 409
description: A conflict error.
summary: Create a saved object
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-id?overwrite=false" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"attributes":{"title":"Example dashboard"},"references":[]}'
- lang: Console
source: |
POST kbn://api/saved_objects/dashboard/example-dashboard-id?overwrite=false
{"attributes":{"title":"Example dashboard"},"references":[]}
x-metaTags:
- content: Kibana
name: product_name
put:
deprecated: true
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/saved_objects/{type}/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Updates a single Kibana saved object by type and ID.
For transferring or backing up saved objects, prefer the import and export APIs (`POST /api/saved_objects/_import` and `POST /api/saved_objects/_export`).
operationId: put-saved-objects-type-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The saved object type.
in: path
name: type
required: true
schema:
type: string
- description: The saved object identifier.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
updateDashboardRequest:
summary: Update a dashboard saved object
value:
attributes:
title: Updated dashboard title
references: []
schema:
additionalProperties: false
type: object
properties:
attributes:
additionalProperties:
nullable: true
type: object
references:
items:
additionalProperties: false
type: object
properties:
id:
type: string
name:
type: string
type:
type: string
required:
- name
- type
- id
maxItems: 1000
type: array
upsert:
additionalProperties:
nullable: true
type: object
version:
type: string
required:
- attributes
responses:
'200':
content:
application/json:
examples:
updateDashboardResponse:
summary: An updated saved object
value:
attributes:
title: Updated dashboard title
id: example-dashboard-1
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzIsMV0=
description: A successful update response.
'404':
content:
application/json:
examples:
notFoundResponse:
summary: A not found error
value:
error: Not Found
message: Saved object [dashboard/does-not-exist] not found
statusCode: 404
description: Not found.
'409':
content:
application/json:
examples:
conflictResponse:
summary: A conflict error
value:
error: Conflict
message: Saved object [dashboard/example-dashboard-1] conflict
statusCode: 409
description: A conflict error.
summary: Update a saved object
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X PUT "${KIBANA_URL}/api/saved_objects/dashboard/example-dashboard-1" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{"attributes":{"title":"Updated dashboard title"},"references":[]}'
- lang: Console
source: |
PUT kbn://api/saved_objects/dashboard/example-dashboard-1
{"attributes":{"title":"Updated dashboard title"},"references":[]}
x-metaTags:
- content: Kibana
name: product_name
/api/saved_objects/resolve/{type}/{id}:
get:
deprecated: true
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
WARNING: This API is deprecated. This is a legacy Saved Objects API and may be removed in a future version of Kibana.
Retrieve a single Kibana saved object by ID, using any legacy URL alias if it exists.
Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved with the resolve API using either its new ID or its old ID.
operationId: get-saved-objects-resolve-type-id
parameters:
- description: The saved object type.
in: path
name: type
required: true
schema:
type: string
- description: The saved object identifier.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
resolveSavedObjectResponse:
summary: A resolved saved object (alias match)
value:
alias_target_id: example-dashboard-2
outcome: aliasMatch
saved_object:
attributes:
title: Example dashboard 2
id: example-dashboard-2
managed: false
namespaces:
- default
references: []
type: dashboard
updated_at: '2026-04-17T12:00:00.000Z'
version: WzEsMl0=
description: A resolve response.
'400':
content:
application/json:
examples:
badRequestResponse:
summary: A bad request error
value:
error: Bad Request
message: 'Unsupported saved object type(s): unknownType'
statusCode: 400
description: A bad request.
summary: Resolve a saved object
tags:
- saved objects
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/saved_objects/resolve/dashboard/legacy-id" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/saved_objects/resolve/dashboard/legacy-id
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/current_user/conversations/_find:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations.
operationId: FindConversations
parameters:
- description: A list of fields to include in the response. If omitted, all fields are returned.
in: query
name: fields
required: false
schema:
example:
- id
- title
- createdAt
items:
type: string
type: array
- description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes.
in: query
name: filter
required: false
schema:
example: Security Issue
type: string
- description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`.
in: query
name: sort_field
required: false
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField'
example: created_at
- description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending.
in: query
name: sort_order
required: false
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
example: desc
- description: The page number of the results to retrieve. Default is 1.
in: query
name: page
required: false
schema:
default: 1
example: 1
minimum: 1
type: integer
- description: The number of conversations to return per page. Default is 20.
in: query
name: per_page
required: false
schema:
default: 20
example: 20
minimum: 0
type: integer
- description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned.
in: query
name: is_owner
required: false
schema:
default: false
example: true
type: boolean
responses:
'200':
content:
application/json:
examples:
FindConversationsResponse200Example:
value:
data:
- category: assistant
createdAt: '2023-10-31T12:00:00Z'
createdBy:
id: user1
name: John Doe
excludeFromLastConversationStorage: false
id: conv-abc123
messages: []
namespace: default
replacements: {}
title: Security Discussion
updatedAt: '2023-10-31T12:05:00Z'
users:
- id: user1
name: John Doe
page: 1
perPage: 20
total: 5
schema:
type: object
properties:
data:
description: A list of conversations.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
type: array
page:
description: The current page of the results.
example: 1
type: integer
perPage:
description: The number of results returned per page.
example: 20
type: integer
total:
description: The total number of conversations matching the filter criteria.
example: 100
type: integer
required:
- page
- perPage
- total
- data
description: Successful response, returns a paginated list of conversations matching the specified criteria.
'400':
content:
application/json:
examples:
FindConversationsResponse400Example:
value:
error: Bad Request
message: Invalid filter parameter.
statusCode: 400
schema:
type: object
properties:
error:
example: Bad Request
type: string
message:
example: Invalid filter query parameter
type: string
statusCode:
example: 400
type: number
description: Bad Request response.
summary: Get conversations
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/_find?page=1&per_page=20' \
--header "Authorization: ApiKey $API_KEY"
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/current_user/conversations/{id}:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID.
operationId: ReadConversation
parameters:
- description: The conversation's `id` value, a unique identifier for the conversation.
example: abc123
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
responses:
'200':
content:
application/json:
examples:
ReadConversationResponse200Example:
value:
apiConfig:
actionTypeId: '67890'
connectorId: '12345'
category: assistant
createdAt: '2023-10-31T12:01:00Z'
createdBy:
id: user1
name: John Doe
excludeFromLastConversationStorage: false
id: abc123
messages:
- content: Hello, how can I assist you today?
role: system
timestamp: '2023-10-31T12:00:00Z'
namespace: default
replacements: {}
title: Security Discussion
updatedAt: '2023-10-31T12:01:00Z'
users:
- id: user1
name: John Doe
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
description: Indicates a successful call. The conversation details are returned.
'400':
content:
application/json:
examples:
ReadConversationResponse400Example:
value:
error: Bad Request
message: Invalid conversation ID
statusCode: 400
schema:
type: object
properties:
error:
example: Bad Request
type: string
message:
example: Invalid conversation ID
type: string
statusCode:
example: 400
type: number
description: Bad Request response.
summary: Get a conversation
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/security_ai_assistant/current_user/conversations/abc123' \
--header "Authorization: ApiKey $API_KEY"
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/knowledge_base:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a knowledge base. Use this endpoint when no specific resource identifier is needed.
operationId: PostKnowledgeBase
parameters:
- description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.
example: elser-model-001
in: query
name: modelId
required: false
schema:
type: string
- description: Whether to skip installing the Security Labs docs when setting up the Knowledge Base. Defaults to `false`.
example: true
in: query
name: ignoreSecurityLabs
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
KnowledgeBaseResponse200Example2:
summary: A response that indicates that the request was successful.
value:
success: true
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse'
description: Indicates a successful call.
'400':
content:
application/json:
examples:
KnowledgeBaseResponse400Example2:
summary: A response for a request that failed due to an invalid query parameter value.
value: |
statusCode: 400
error: Bad Request
message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string"
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400'
description: Bad Request response.
summary: Create a KnowledgeBase
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base?ignoreSecurityLabs=false' \
--header "Authorization: ApiKey $API_KEY"
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/knowledge_base/{resource}:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a knowledge base with a specific resource identifier.
operationId: CreateKnowledgeBase
parameters:
- description: The KnowledgeBase `resource` value.
example: kb12345
in: path
name: resource
required: true
schema:
type: string
- description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.
example: elser-model-001
in: query
name: modelId
required: false
schema:
type: string
- description: Whether to skip installing the Security Labs docs when setting up the Knowledge Base. Defaults to `false`.
example: true
in: query
name: ignoreSecurityLabs
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
KnowledgeBaseResponse200Example1:
summary: A response that indicates that the request was successful.
value:
success: true
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse'
description: Indicates a successful call.
'400':
content:
application/json:
examples:
KnowledgeBaseResponse400Example1:
summary: A response for a request that failed due to an invalid query parameter value.
value: |
statusCode: 400
error: Bad Request
message: "[request query]: ignoreSecurityLabs: Invalid enum value. Expected 'true' | 'false', received 'yes', ignoreSecurityLabs: Expected boolean, received string"
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse400'
description: Bad Request response.
summary: Create a KnowledgeBase for a resource
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/kb12345?ignoreSecurityLabs=false' \
--header "Authorization: ApiKey $API_KEY"
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/knowledge_base/entries:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a Knowledge Base Entry
operationId: CreateKnowledgeBaseEntry
requestBody:
content:
application/json:
examples:
CreateKnowledgeBaseEntryRequest:
value:
kbResource: user
name: How to reset a password
source: manual
text: To reset your password, go to the settings page and click 'Reset Password'.
type: document
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps'
required: true
responses:
'200':
content:
application/json:
examples:
CreateKnowledgeBaseEntryResponse200Example:
value:
createdAt: '2024-01-15T10:00:00.000Z'
createdBy: user@example.com
global: false
id: '12345'
kbResource: user
name: How to reset a password
namespace: default
source: manual
text: To reset your password, go to the settings page and click 'Reset Password'.
type: document
updatedAt: '2024-01-15T10:00:00.000Z'
updatedBy: user@example.com
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
description: Successful request returning Knowledge Base Entries
'400':
content:
application/json:
examples:
CreateKnowledgeBaseEntryResponse400Example:
value:
error: Invalid input
message: The 'name' field is required.
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
description: Bad Request response.
summary: Create a Knowledge Base Entry
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"name":"How to reset a password","type":"document","kbResource":"user","source":"manual","text":"To reset your password, go to the settings page and click Reset Password."}'
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/knowledge_base/entries/_bulk_action:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Finds Knowledge Base Entries that match the given query.
operationId: FindKnowledgeBaseEntries
parameters:
- description: A list of fields to include in the response. If not provided, all fields will be included.
in: query
name: fields
required: false
schema:
example:
- name
- created_at
items:
type: string
type: array
- description: Search query to filter Knowledge Base Entries by specific criteria.
in: query
name: filter
required: false
schema:
example: error handling
type: string
- description: Field to sort the Knowledge Base Entries by.
in: query
name: sort_field
required: false
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField'
example: created_at
- description: Sort order for the results, either asc or desc.
in: query
name: sort_order
required: false
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
example: asc
- description: Page number for paginated results. Defaults to 1.
in: query
name: page
required: false
schema:
default: 1
example: 2
minimum: 1
type: integer
- description: Number of Knowledge Base Entries to return per page. Defaults to 20.
in: query
name: per_page
required: false
schema:
default: 20
example: 10
minimum: 0
type: integer
responses:
'200':
content:
application/json:
examples:
FindKnowledgeBaseEntriesResponse200Example:
value:
data:
- createdAt: '2024-01-15T10:00:00.000Z'
createdBy: user@example.com
global: false
id: '12345'
kbResource: user
name: How to reset a password
namespace: default
source: manual
text: To reset your password, go to the settings page and click 'Reset Password'.
type: document
updatedAt: '2024-01-15T10:00:00.000Z'
updatedBy: user@example.com
page: 1
perPage: 20
total: 100
schema:
type: object
properties:
data:
description: The list of Knowledge Base Entries for the current page.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
type: array
page:
description: The current page number.
example: 1
type: integer
perPage:
description: The number of Knowledge Base Entries returned per page.
example: 20
type: integer
total:
description: The total number of Knowledge Base Entries available.
example: 100
type: integer
required:
- page
- perPage
- total
- data
description: Successful response containing the paginated Knowledge Base Entries.
'400':
content:
application/json:
examples:
FindKnowledgeBaseEntriesResponse400Example:
value:
error: Bad Request
message: 'Invalid query parameter: sort_order'
statusCode: 400
schema:
type: object
properties:
error:
description: A short description of the error.
example: Bad Request
type: string
message:
description: A detailed message explaining the error.
example: 'Invalid query parameter: sort_order'
type: string
statusCode:
description: The HTTP status code of the error.
example: 400
type: number
description: Bad Request response.
summary: Finds Knowledge Base Entries that match the given query.
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find?page=1&per_page=20' \
--header "Authorization: $API_KEY"
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/knowledge_base/entries/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a Knowledge Base Entry by its unique `id`.
operationId: DeleteKnowledgeBaseEntry
parameters:
- description: The unique identifier (`id`) of the Knowledge Base Entry to delete.
example: '12345'
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
responses:
'200':
content:
application/json:
examples:
DeleteKnowledgeBaseEntryResponse200Example:
value:
id: '12345'
message: Knowledge Base Entry successfully deleted.
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields'
description: Successful request returning the `id` of the deleted Knowledge Base Entry.
'400':
content:
application/json:
examples:
DeleteKnowledgeBaseEntryResponse400Example:
value:
error: Not Found
message: No Knowledge Base Entry found with the provided `id`.
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
description: Bad Request response.
summary: Delete a Knowledge Base Entry by its `id`
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request DELETE 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \
--header "Authorization: $API_KEY"
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a Knowledge Base Entry by its unique `id`.
operationId: ReadKnowledgeBaseEntry
parameters:
- description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve.
example: '12345'
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
responses:
'200':
content:
application/json:
examples:
ReadKnowledgeBaseEntryResponse200Example:
value:
createdAt: '2024-01-15T10:00:00.000Z'
createdBy: user@example.com
global: false
id: '12345'
kbResource: user
name: How to reset a password
namespace: default
source: manual
text: To reset your password, go to the settings page and click 'Reset Password'.
type: document
updatedAt: '2024-01-15T10:00:00.000Z'
updatedBy: user@example.com
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
description: Successful request returning the requested Knowledge Base Entry.
'400':
content:
application/json:
examples:
ReadKnowledgeBaseEntryResponse400Example:
value:
error: Not Found
message: No Knowledge Base Entry found with the provided `id`.
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
description: Bad Request response.
summary: Read a Knowledge Base Entry
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \
--header "Authorization: $API_KEY"
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an existing Knowledge Base Entry by its unique `id`.
operationId: UpdateKnowledgeBaseEntry
parameters:
- description: The unique identifier (`id`) of the Knowledge Base Entry to update.
example: '12345'
in: path
name: id
required: true
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
requestBody:
content:
application/json:
examples:
UpdateKnowledgeBaseEntryRequest:
value:
kbResource: user
name: How to reset a password (updated)
source: manual
text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.'
type: document
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps'
required: true
responses:
'200':
content:
application/json:
examples:
UpdateKnowledgeBaseEntryResponse200Example:
value:
createdAt: '2024-01-15T10:00:00.000Z'
createdBy: user@example.com
global: false
id: '12345'
kbResource: user
name: How to reset a password (updated)
namespace: default
source: manual
text: 'Updated: go to settings and click Reset Password, then follow the on-screen instructions.'
type: document
updatedAt: '2024-01-15T10:05:00.000Z'
updatedBy: user@example.com
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
description: Successful request returning the updated Knowledge Base Entry.
'400':
content:
application/json:
examples:
UpdateKnowledgeBaseEntryResponse400Example:
value:
error: Invalid input
message: The 'text' field cannot be empty.
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
description: Bad Request response.
summary: Update a Knowledge Base Entry
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request PUT 'http://localhost:5601/api/security_ai_assistant/knowledge_base/entries/12345' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"name":"How to reset a password (updated)","type":"document","kbResource":"user","source":"manual","text":"Updated: go to settings and click Reset Password, then follow the on-screen instructions."}'
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/prompts/_bulk_action:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations.
operationId: PerformPromptsBulkAction
requestBody:
content:
application/json:
examples:
PerformPromptsBulkActionRequest:
value:
create:
- content: Please verify the security settings.
name: New Security Prompt
promptType: system
delete:
ids:
- prompt1
- prompt2
update:
- content: Updated content for security prompt.
id: prompt123
schema:
type: object
properties:
create:
description: List of prompts to be created.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps'
type: array
delete:
description: Criteria for deleting prompts in bulk.
type: object
properties:
ids:
description: Array of IDs to apply the action to.
example:
- '1234'
- '5678'
items:
type: string
minItems: 1
type: array
query:
description: Query to filter the bulk action.
example: 'status: ''inactive'''
type: string
update:
description: List of prompts to be updated.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps'
type: array
responses:
'200':
content:
application/json:
examples:
success:
value:
attributes:
errors: []
results:
created:
- content: Please verify the security settings.
id: prompt6
name: New Security Prompt
promptType: system
deleted:
- prompt2
- prompt3
skipped:
- id: prompt4
name: Security Prompt
skip_reason: PROMPT_FIELD_NOT_MODIFIED
updated:
- content: Updated security settings prompt
id: prompt1
name: Security Prompt
promptType: system
summary:
failed: 0
skipped: 1
succeeded: 4
total: 5
message: Bulk action completed successfully.
prompts_count: 5
status_code: 200
success: true
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse'
description: Indicates a successful call with the results of the bulk action.
'400':
content:
application/json:
examples:
PerformPromptsBulkActionResponse400Example:
value:
error: Bad Request
message: Invalid prompt ID or missing required fields.
statusCode: 400
schema:
type: object
properties:
error:
description: A short error message.
example: Bad Request
type: string
message:
description: A detailed error message.
example: Invalid prompt ID or missing required fields.
type: string
statusCode:
description: The HTTP status code for the error.
example: 400
type: number
description: Bad Request response.
summary: Apply a bulk action to prompts
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request POST 'http://localhost:5601/api/security_ai_assistant/prompts/_bulk_action' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"delete":{"query":"name: test","ids":[]}}'
x-metaTags:
- content: Kibana
name: product_name
/api/security_ai_assistant/prompts/_find:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all prompts based on optional filters, sorting, and pagination.
operationId: FindPrompts
parameters:
- description: List of specific fields to include in each returned prompt.
in: query
name: fields
required: false
schema:
example:
- id
- name
- content
items:
type: string
type: array
- description: Search query string to filter prompts by matching fields.
in: query
name: filter
required: false
schema:
example: error handling
type: string
- description: Field to sort prompts by.
in: query
name: sort_field
required: false
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField'
- description: Sort order, either asc or desc.
in: query
name: sort_order
required: false
schema:
$ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
- description: Page number for pagination.
in: query
name: page
required: false
schema:
default: 1
example: 1
minimum: 1
type: integer
- description: Number of prompts per page.
in: query
name: per_page
required: false
schema:
default: 20
example: 20
minimum: 0
type: integer
responses:
'200':
content:
application/json:
examples:
FindPromptsResponse200Example:
value:
data:
- categories:
- troubleshooting
- logging
color: '#FF5733'
consumer: security
content: If you encounter an error, check the logs and retry.
createdAt: '2025-04-20T21:00:00Z'
createdBy: jdoe
id: prompt-123
isDefault: true
isNewConversationDefault: false
name: Error Troubleshooting Prompt
namespace: default
promptType: standard
timestamp: '2025-04-30T22:30:00Z'
updatedAt: '2025-04-30T22:45:00Z'
updatedBy: jdoe
users:
- full_name: John Doe
username: jdoe
page: 1
perPage: 20
total: 142
schema:
example:
data:
- categories:
- troubleshooting
- logging
color: '#FF5733'
consumer: security
content: If you encounter an error, check the logs and retry.
createdAt: '2025-04-20T21:00:00Z'
createdBy: jdoe
id: prompt-123
isDefault: true
isNewConversationDefault: false
name: Error Troubleshooting Prompt
namespace: default
promptType: standard
timestamp: '2025-04-30T22:30:00Z'
updatedAt: '2025-04-30T22:45:00Z'
updatedBy: jdoe
users:
- full_name: John Doe
username: jdoe
page: 1
perPage: 20
total: 142
type: object
properties:
data:
description: The list of prompts returned based on the search query, sorting, and pagination.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
type: array
page:
description: Current page number.
example: 1
type: integer
perPage:
description: Number of prompts per page.
example: 20
type: integer
total:
description: Total number of prompts matching the query.
example: 142
type: integer
required:
- page
- perPage
- total
- data
description: Successful response containing a list of prompts.
'400':
content:
application/json:
examples:
FindPromptsResponse400Example:
value:
error: Bad Request
message: Invalid sort order value provided.
statusCode: 400
schema:
type: object
properties:
error:
description: Short error message.
example: Bad Request
type: string
message:
description: Detailed description of the error.
example: Invalid sort order value provided.
type: string
statusCode:
description: HTTP status code for the error.
example: 400
type: number
description: Bad request due to invalid parameters or malformed query.
summary: Get prompts
tags:
- Security AI Assistant API
x-codeSamples:
- label: Example request
lang: curl
source: |
curl \
--request GET 'http://localhost:5601/api/security_ai_assistant/prompts/_find?page=1&per_page=20' \
--header "Authorization: $API_KEY"
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store:
put:
description: |-
**Spaces method and path for this operation:**
PUT /s/{space_id}/api/security/entity_store
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update the Entity Store log extraction configuration.
[Required authorization] Route required privileges: securitySolution.
operationId: put-security-entity-store
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
updateLogExtractionExample:
description: Update the log extraction configuration with a new lookback period and frequency.
summary: Update log extraction settings
value:
logExtraction:
fieldHistoryLength: 15
frequency: 10m
lookbackPeriod: 6h
schema:
additionalProperties: false
type: object
properties:
logExtraction:
additionalProperties: false
type: object
properties:
additionalIndexPatterns:
items:
type: string
type: array
delay:
pattern: '[smdh]$'
type: string
docsLimit:
maximum: 9007199254740991
minimum: 1
type: integer
fieldHistoryLength:
maximum: 9007199254740991
minimum: -9007199254740991
type: integer
frequency:
pattern: '[smdh]$'
type: string
lookbackPeriod:
pattern: '[smdh]$'
type: string
maxLogsPerPage:
maximum: 9007199254740991
minimum: 1
type: integer
required:
- logExtraction
responses:
'200':
content:
application/json:
examples:
updateSuccessExample:
description: The Entity Store configuration was successfully updated.
summary: Entity Store updated
value:
ok: true
description: Indicates a successful response.
'400':
content:
application/json:
examples:
invalidDurationExample:
description: A log extraction parameter has an invalid duration format.
summary: Invalid duration parameter
value:
error: Bad Request
message: '[request body]: logExtraction.frequency: must be a valid duration of at least 30 seconds (e.g. 1m, 30s)'
statusCode: 400
description: Bad request.
'404':
content:
application/json:
examples:
notFoundExample:
description: The Entity Store has not been installed yet.
summary: Entity Store not installed
value:
error: Not Found
message: Entity store is not installed
statusCode: 404
description: Entity Store not found.
summary: Update the Entity Store
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"logExtraction":{"lookbackPeriod":"6h","frequency":"10m","fieldHistoryLength":15}}' \
"${KIBANA_URL}/api/security/entity_store"
- lang: Console
source: |
PUT kbn://api/security/entity_store
{
"logExtraction": {
"lookbackPeriod": "6h",
"frequency": "10m",
"fieldHistoryLength": 15
}
}
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/entities:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
List entity records from the Entity Store with paging, sorting, and filtering. Supports two modes: page-based pagination (page/per_page) and cursor-based pagination (searchAfter). The two modes cannot be combined.
[Required authorization] Route required privileges: securitySolution.
operationId: get-security-entity-store-entities
parameters:
- description: A Kibana Query Language (KQL) filter for the search-after mode.
in: query
name: filter
required: false
schema:
type: string
- description: Number of entities to return in search-after mode.
in: query
name: size
required: false
schema:
maximum: 9007199254740991
minimum: 1
type: integer
- description: JSON-encoded search_after value for cursor-based pagination.
in: query
name: searchAfter
required: false
schema:
type: string
- description: Fields to include in the response source.
in: query
name: source
required: false
schema:
items:
type: string
type: array
- description: Fields to include in the response.
in: query
name: fields
required: false
schema:
items:
type: string
type: array
- description: Field to sort results by in page mode.
in: query
name: sort_field
required: false
schema:
type: string
- description: Sort order in page mode.
in: query
name: sort_order
required: false
schema:
enum:
- asc
- desc
type: string
- description: Page number to return (1-indexed) in page mode.
in: query
name: page
required: false
schema:
maximum: 9007199254740991
minimum: 1
type: integer
- description: Number of entities per page in page mode.
in: query
name: per_page
required: false
schema:
maximum: 10000
minimum: 1
type: integer
- description: An Elasticsearch query string to filter entities in page mode.
in: query
name: filterQuery
required: false
schema:
type: string
- description: Entity types to include in the results.
in: query
name: entity_types
required: false
schema:
items:
enum:
- user
- host
- service
- generic
type: string
type: array
responses:
'200':
content:
application/json:
examples:
emptyResultExample:
description: No entities matched the query.
summary: Empty result
value:
page: 1
per_page: 10
records: []
total: 0
pageModeExample:
description: A paginated list of host entities sorted by timestamp in descending order, including query inspection data.
summary: Page mode response with host entities
value:
inspect:
dsl:
- '{"index":["entities-latest-default"],"body":{"terms":{"entity.EngineMetadata.Type":["host"]}}}'
response:
- '{"took":1,"timed_out":false,"hits":{"total":{"value":1,"relation":"eq"}}}'
page: 1
per_page: 10
records:
- '@timestamp': '2026-04-10T08:30:00.000Z'
asset:
criticality: high_impact
environment: production
entity:
attributes:
asset: true
managed: true
id: host:web-server-prod-01
lifecycle:
first_seen: '2026-01-15T10:00:00.000Z'
last_activity: '2026-04-10T08:30:00.000Z'
name: web-server-prod-01
risk:
calculated_level: Moderate
calculated_score: 47.5
calculated_score_norm: 47.5
source:
- logs
type: host
host:
hostname:
- web-server-prod-01.example.com
ip:
- 10.0.1.42
name: web-server-prod-01
os:
name: Ubuntu
type: linux
total: 1
searchAfterModeExample:
description: A cursor-based response with entities and a search_after token for the next page.
summary: Search-after mode response
value:
entities:
- '@timestamp': '2026-04-10T08:30:00.000Z'
entity:
id: user:jane.doe@example.com
name: jane.doe
type: user
user:
email:
- jane.doe@example.com
name: jane.doe
nextSearchAfter:
- 1712736600000
- 1
description: Indicates a successful response.
'400':
content:
application/json:
examples:
invalidFilterExample:
description: The provided Kibana Query Language filter could not be parsed.
summary: Invalid filter
value:
error: Bad Request
message: |-
Invalid filter: Expected "(", "{", value, whitespace but ":" found.
invalid :: query
---------^
statusCode: 400
mixedModesExample:
description: Cannot combine page-based pagination with cursor-based pagination in the same request.
summary: Mixed pagination modes
value:
error: Bad Request
message: '[request query]: Cannot combine page/per_page with searchAfter'
statusCode: 400
description: Bad request.
summary: List entities
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X GET -H "Authorization: ApiKey ${API_KEY}" \
"${KIBANA_URL}/api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=%40timestamp&sort_order=desc"
- lang: Console
source: |
GET kbn://api/security/entity_store/entities?entity_types=host&page=1&per_page=10&sort_field=@timestamp&sort_order=desc
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/entities/:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a single entity record from the Entity Store. The entity is immediately removed from the latest index.
[Required authorization] Route required privileges: securitySolution.
operationId: delete-security-entity-store-entities
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
deleteEntityExample:
description: Delete a single entity from the Entity Store using its entity identifier.
summary: Delete an entity by identifier
value:
entityId: host:web-server-prod-01
schema:
additionalProperties: false
type: object
properties:
entityId:
description: The identifier of the entity to delete.
type: string
required:
- entityId
responses:
'200':
content:
application/json:
examples:
deleteSuccessExample:
description: The entity was found and successfully removed from the latest index.
summary: Entity deleted
value:
deleted: true
description: Indicates the entity was successfully deleted.
'404':
content:
application/json:
examples:
notFoundExample:
description: No entity with the specified identifier exists in the Entity Store.
summary: Entity not found
value:
error: Not Found
message: Entity ID 'host:web-server-prod-01' not found
statusCode: 404
description: Entity not found.
summary: Delete an entity
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X DELETE -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"entityId":"host:web-server-prod-01"}' \
"${KIBANA_URL}/api/security/entity_store/entities/"
- lang: Console
source: |
DELETE kbn://api/security/entity_store/entities/
{
"entityId": "host:web-server-prod-01"
}
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/entities/{entityType}:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new entity record in the Entity Store for the specified entity type.
Update an existing entity record in the Entity Store. By default only certain fields can be updated. Set the `force` query parameter to `true` to update protected fields.
Update multiple entity records in the Entity Store in a single request.
Install the Entity Store and create engines for the specified entity types. A single `logExtraction` configuration is shared across all entity types. Supply it once at install to customize settings; omit it (or send an empty object) to use defaults on first install or preserve the existing configuration on re-install. To change settings after install, use the update endpoint.
[Required authorization] Route required privileges: securitySolution.
operationId: post-security-entity-store-install
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
installDefaultExample:
description: Install the Entity Store for all entity types with default log extraction settings.
summary: Install with default entity types
value:
entityTypes:
- user
- host
- service
- generic
logExtraction: {}
installWithCustomSettingsExample:
description: Install the Entity Store for host entities only with a custom lookback period and field history length.
summary: Install with custom log extraction
value:
entityTypes:
- host
logExtraction:
delay: 2m
fieldHistoryLength: 20
frequency: 5m
lookbackPeriod: 12h
schema:
additionalProperties: false
type: object
properties:
entityTypes:
default:
- user
- host
- service
- generic
items:
enum:
- user
- host
- service
- generic
type: string
type: array
historySnapshot:
additionalProperties: false
type: object
properties:
frequency:
default: 24h
pattern: '[smdh]$'
type: string
logExtraction:
additionalProperties: false
type: object
properties:
additionalIndexPatterns:
default: []
items:
type: string
type: array
delay:
default: 1m
pattern: '[smdh]$'
type: string
docsLimit:
default: 10000
maximum: 9007199254740991
minimum: 1
type: integer
fieldHistoryLength:
default: 10
maximum: 9007199254740991
minimum: -9007199254740991
type: integer
frequency:
default: 1m
pattern: '[smdh]$'
type: string
lookbackPeriod:
default: 3h
pattern: '[smdh]$'
type: string
maxLogsPerPage:
default: 40000
maximum: 9007199254740991
minimum: 1
type: integer
responses:
'200':
content:
application/json:
examples:
alreadyInstalledExample:
description: All requested entity types were already installed.
summary: Already installed
value:
ok: true
description: Indicates all requested entity types are already installed.
'201':
content:
application/json:
examples:
installSuccessExample:
description: The Entity Store was installed and engines are being created.
summary: Entity Store installed
value:
ok: true
description: Indicates the Entity Store was successfully installed.
'403':
content:
application/json:
examples:
forbiddenExample:
description: The user does not have the required Elasticsearch privileges.
summary: Insufficient privileges
value:
error: Forbidden
message: User 'analyst' has insufficient privileges
statusCode: 403
description: Insufficient privileges.
summary: Install the Entity Store
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"entityTypes":["user","host","service","generic"],"logExtraction":{}}' \
"${KIBANA_URL}/api/security/entity_store/install"
- lang: Console
source: |
POST kbn://api/security/entity_store/install
{
"entityTypes": ["user", "host", "service", "generic"],
"logExtraction": {}
}
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/resolution/group:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the resolution group for a given entity, returning all linked entities. Requires an enterprise license.
[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.
operationId: get-security-entity-store-resolution-group
parameters:
- description: The entity identifier to look up the resolution group for.
in: query
name: entity_id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
resolutionGroupExample:
description: Returns the resolution group for an entity, including the target entity, all aliases, and the group size.
summary: Resolution group with linked entities
value:
aliases:
- '@timestamp': '2026-04-10T08:25:00.000Z'
entity:
id: user:jdoe@example.com
name: jdoe
relationships:
resolution:
resolved_to: user:jane.doe@example.com
type: user
user:
name: jdoe
group_size: 2
target:
'@timestamp': '2026-04-10T08:30:00.000Z'
entity:
id: user:jane.doe@example.com
name: jane.doe
type: user
user:
email:
- jane.doe@example.com
name: jane.doe
description: Indicates a successful response.
'400':
content:
application/json:
examples:
truncatedSearchExample:
description: The resolution search returned too many results and was truncated.
summary: Search results truncated
value:
error: Bad Request
message: Resolution search truncated
statusCode: 400
description: Bad request.
'404':
content:
application/json:
examples:
notFoundExample:
description: The specified entity does not exist or has no resolution group.
summary: Entity not found
value:
error: Not Found
message: 'Entities not found: [user:nonexistent@example.com]'
statusCode: 404
description: Entity not found.
summary: Get resolution group
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X GET -H "Authorization: ApiKey ${API_KEY}" \
"${KIBANA_URL}/api/security/entity_store/resolution/group?entity_id=user%3Ajane.doe%40example.com"
- lang: Console
source: |
GET kbn://api/security/entity_store/resolution/group?entity_id=user:jane.doe@example.com
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/resolution/link:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Link one or more entities to a target entity, creating a resolution group. Requires an enterprise license.
[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.
operationId: post-security-entity-store-resolution-link
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
linkEntitiesExample:
description: Link two user entities to a target entity, creating a resolution group.
summary: Link entities to a target
value:
entity_ids:
- user:jdoe@example.com
- user:j.doe@example.com
target_id: user:jane.doe@example.com
schema:
additionalProperties: false
type: object
properties:
entity_ids:
description: Entity identifiers to link to the target entity. Minimum 1, maximum 1000.
items:
type: string
maxItems: 1000
minItems: 1
type: array
target_id:
description: The entity identifier to resolve the linked entities to.
type: string
required:
- target_id
- entity_ids
responses:
'200':
content:
application/json:
examples:
linkSuccessExample:
description: The entities were successfully linked to the target entity.
summary: Entities linked
value:
linked:
- user:jdoe@example.com
- user:j.doe@example.com
skipped: []
target_id: user:jane.doe@example.com
description: Indicates a successful response.
'400':
content:
application/json:
examples:
mixedTypesExample:
description: All entities in a resolution group must be of the same type.
summary: Mixed entity types
value:
error: Bad Request
message: Cannot link entities of different types
statusCode: 400
selfLinkExample:
description: Cannot link an entity to itself.
summary: Self-link error
value:
error: Bad Request
message: Cannot link entity 'user:jane.doe@example.com' to itself.
statusCode: 400
description: Bad request.
'404':
content:
application/json:
examples:
notFoundExample:
description: One or more of the specified entity identifiers were not found.
summary: Entities not found
value:
error: Not Found
message: 'Entities not found: [user:nonexistent@example.com, user:also-nonexistent@example.com]'
statusCode: 404
description: Entities not found.
summary: Link entities
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"target_id":"user:jane.doe@example.com","entity_ids":["user:jdoe@example.com"]}' \
"${KIBANA_URL}/api/security/entity_store/resolution/link"
- lang: Console
source: |
POST kbn://api/security/entity_store/resolution/link
{
"target_id": "user:jane.doe@example.com",
"entity_ids": ["user:jdoe@example.com"]
}
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/resolution/unlink:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Remove one or more entities from their resolution group. Requires an enterprise license.
[Required authorization] Route required privileges: securitySolution AND securitySolution-entity-analytics.
operationId: post-security-entity-store-resolution-unlink
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
unlinkEntitiesExample:
description: Remove entities from their resolution group, restoring them as standalone entities.
summary: Unlink entities from their resolution group
value:
entity_ids:
- user:jdoe@example.com
- user:j.doe@example.com
schema:
additionalProperties: false
type: object
properties:
entity_ids:
description: Entity identifiers to unlink from their resolution group. Minimum 1, maximum 1000.
items:
type: string
maxItems: 1000
minItems: 1
type: array
required:
- entity_ids
responses:
'200':
content:
application/json:
examples:
unlinkSuccessExample:
description: The entities were successfully removed from their resolution group.
summary: Entities unlinked
value:
skipped: []
unlinked:
- user:jdoe@example.com
- user:j.doe@example.com
description: Indicates a successful response.
'404':
content:
application/json:
examples:
notFoundExample:
description: One or more of the specified entity identifiers were not found.
summary: Entities not found
value:
error: Not Found
message: 'Entities not found: [user:nonexistent@example.com]'
statusCode: 404
description: Entities not found.
summary: Unlink entities
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"entity_ids":["user:jdoe@example.com"]}' \
"${KIBANA_URL}/api/security/entity_store/resolution/unlink"
- lang: Console
source: |
POST kbn://api/security/entity_store/resolution/unlink
{
"entity_ids": ["user:jdoe@example.com"]
}
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/start:
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/security/entity_store/start
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Start previously stopped entity engines, resuming data processing for the specified entity types.
[Required authorization] Route required privileges: securitySolution.
operationId: put-security-entity-store-start
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
startAllExample:
description: Start all stopped entity engines.
summary: Start all entity engines
value:
entityTypes:
- user
- host
- service
- generic
startSingleExample:
description: Start only the host entity engine.
summary: Start a single entity engine
value:
entityTypes:
- host
schema:
additionalProperties: false
type: object
properties:
entityTypes:
default:
- user
- host
- service
- generic
description: Entity types to start. Defaults to all installed types.
items:
enum:
- user
- host
- service
- generic
type: string
type: array
responses:
'200':
content:
application/json:
examples:
startSuccessExample:
description: The specified entity engines were successfully started.
summary: Engines started
value:
ok: true
description: Indicates a successful response.
summary: Start Entity Store engines
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"entityTypes":["user","host","service","generic"]}' \
"${KIBANA_URL}/api/security/entity_store/start"
- lang: Console
source: |
PUT kbn://api/security/entity_store/start
{
"entityTypes": ["user", "host", "service", "generic"]
}
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/status:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/security/entity_store/status
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the overall Entity Store status and per-engine statuses, optionally including component-level health details.
[Required authorization] Route required privileges: securitySolution.
operationId: get-security-entity-store-status
parameters:
- description: If true, returns a detailed status of each engine including all its components.
in: query
name: include_components
required: false
schema:
anyOf:
- enum:
- 'true'
- 'false'
type: string
- type: boolean
default: false
responses:
'200':
content:
application/json:
examples:
notInstalledExample:
description: The Entity Store has not been installed.
summary: Entity Store not installed
value:
engines: []
status: not_installed
runningStatusExample:
description: The Entity Store is running with two started engines using default settings.
summary: Entity Store running
value:
engines:
- delay: 1m
docsPerSecond: -1
enrichPolicyExecutionInterval: null
fieldHistoryLength: 10
filter: ''
frequency: 30s
indexPattern: ''
lastExecutionTimestamp: '2026-04-10T08:30:00.000Z'
lookbackPeriod: 3h
maxPageSearchSize: 10000
status: started
timeout: 25s
timestampField: '@timestamp'
type: host
- delay: 1m
docsPerSecond: -1
enrichPolicyExecutionInterval: null
fieldHistoryLength: 10
filter: ''
frequency: 30s
indexPattern: ''
lastExecutionTimestamp: '2026-04-10T08:30:00.000Z'
lookbackPeriod: 3h
maxPageSearchSize: 10000
status: started
timeout: 25s
timestampField: '@timestamp'
type: user
status: running
description: Indicates a successful response.
summary: Get Entity Store status
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X GET -H "Authorization: ApiKey ${API_KEY}" \
"${KIBANA_URL}/api/security/entity_store/status?include_components=false"
- lang: Console
source: |
GET kbn://api/security/entity_store/status?include_components=false
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/stop:
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/security/entity_store/stop
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Stop running entity engines, pausing data processing for the specified entity types.
[Required authorization] Route required privileges: securitySolution.
operationId: put-security-entity-store-stop
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
stopAllExample:
description: Stop all running entity engines.
summary: Stop all entity engines
value:
entityTypes:
- user
- host
- service
- generic
schema:
additionalProperties: false
type: object
properties:
entityTypes:
default:
- user
- host
- service
- generic
description: Entity types to stop. Defaults to all running types.
items:
enum:
- user
- host
- service
- generic
type: string
type: array
responses:
'200':
content:
application/json:
examples:
stopSuccessExample:
description: The specified entity engines were successfully stopped.
summary: Engines stopped
value:
ok: true
description: Indicates a successful response.
summary: Stop Entity Store engines
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X PUT -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"entityTypes":["user","host","service","generic"]}' \
"${KIBANA_URL}/api/security/entity_store/stop"
- lang: Console
source: |
PUT kbn://api/security/entity_store/stop
{
"entityTypes": ["user", "host", "service", "generic"]
}
x-metaTags:
- content: Kibana
name: product_name
/api/security/entity_store/uninstall:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Uninstall the Entity Store, removing engines and associated resources for the specified entity types.
[Required authorization] Route required privileges: securitySolution.
operationId: post-security-entity-store-uninstall
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
uninstallAllExample:
description: Uninstall all entity engines from the Entity Store.
summary: Uninstall all entity types
value:
entityTypes:
- user
- host
- service
- generic
uninstallSingleExample:
description: Uninstall only the host engine from the Entity Store.
summary: Uninstall a single entity type
value:
entityTypes:
- host
schema:
additionalProperties: false
type: object
properties:
entityTypes:
default:
- user
- host
- service
- generic
description: Entity types to uninstall. Defaults to all installed types.
items:
enum:
- user
- host
- service
- generic
type: string
type: array
responses:
'200':
content:
application/json:
examples:
uninstallSuccessExample:
description: The specified entity engines were successfully uninstalled.
summary: Entity Store uninstalled
value:
ok: true
description: Indicates a successful response.
summary: Uninstall the Entity Store
tags:
- Security entity store
x-codeSamples:
- lang: curl
source: |
curl -X POST -H "kbn-xsrf: true" -H "Authorization: ApiKey ${API_KEY}" \
-H "Content-Type: application/json" \
-d '{"entityTypes":["user","host","service","generic"]}' \
"${KIBANA_URL}/api/security/entity_store/uninstall"
- lang: Console
source: |
POST kbn://api/security/entity_store/uninstall
{
"entityTypes": ["user", "host", "service", "generic"]
}
x-metaTags:
- content: Kibana
name: product_name
/api/security/role:
get:
operationId: get-security-role
parameters:
- description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
in: query
name: replaceDeprecatedPrivileges
required: false
schema:
type: boolean
responses:
'200':
description: Indicates a successful call.
content:
application/json:
examples:
getRolesResponse1:
$ref: '#/components/examples/get_roles_response1'
summary: Get all roles
tags:
- roles
x-metaTags:
- content: Kibana
name: product_name
/api/security/role/_query:
post:
operationId: post-security-role-query
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_body'
responses:
'200':
description: Indicates a successful call.
summary: Query roles
tags: []
x-metaTags:
- content: Kibana
name: product_name
/api/security/role/{name}:
delete:
operationId: delete-security-role-name
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The role name.
in: path
name: name
required: true
schema:
minLength: 1
type: string
responses:
'204':
description: Indicates a successful call.
summary: Delete a role
tags:
- roles
x-metaTags:
- content: Kibana
name: product_name
get:
operationId: get-security-role-name
parameters:
- description: The role name.
in: path
name: name
required: true
schema:
minLength: 1
type: string
- description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
in: query
name: replaceDeprecatedPrivileges
required: false
schema:
type: boolean
responses:
'200':
description: Indicates a successful call.
content:
application/json:
examples:
getRoleResponse1:
$ref: '#/components/examples/get_role_response1'
summary: Get a role
tags:
- roles
x-metaTags:
- content: Kibana
name: product_name
put:
description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.
operationId: put-security-role-name
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The role name.
in: path
name: name
required: true
schema:
maxLength: 1024
minLength: 1
type: string
- description: When true, a role is not overwritten if it already exists.
in: query
name: createOnly
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload'
examples:
createRoleRequest1:
$ref: '#/components/examples/create_role_request1'
createRoleRequest2:
$ref: '#/components/examples/create_role_request2'
createRoleRequest3:
$ref: '#/components/examples/create_role_request3'
createRoleRequest4:
$ref: '#/components/examples/create_role_request4'
responses:
'204':
description: Indicates a successful call.
summary: Create or update a role
tags:
- roles
x-metaTags:
- content: Kibana
name: product_name
/api/security/roles:
post:
operationId: post-security-roles
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload'
responses:
'200':
description: Indicates a successful call.
summary: Create or update roles
tags:
- roles
x-metaTags:
- content: Kibana
name: product_name
/api/security/session/_invalidate:
post:
description: |
Invalidate user sessions that match a query. To use this API, you must be a superuser.
operationId: post-security-session-invalidate
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
invalidateRequestExample1:
description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions.
summary: Invalidate all sessions
value: |-
{
"match" : "all"
}
invalidateRequestExample2:
description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider.
summary: Invalidate all SAML sessions
value: |-
{
"match" : "query",
"query": {
"provider" : { "type": "saml" }
}
}
invalidateRequestExample3:
description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`.
summary: Invalidate sessions for a provider
value: |-
{
"match" : "query",
"query": {
"provider" : { "type": "saml", "name": "saml1" }
}
}
invalidateRequestExample4:
description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`.
summary: Invalidate sessions for a user
value: |-
{
"match" : "query",
"query": {
"provider" : { "type": "oidc" },
"username": "user@my-oidc-sso.com"
}
}
schema:
type: object
properties:
match:
description: |
The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated.
enum:
- all
- query
type: string
query:
description: |
The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`.
type: object
properties:
provider:
description: The authentication providers that will have their user sessions invalidated.
type: object
properties:
name:
description: The authentication provider name.
type: string
type:
description: |
The authentication provider type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`.
type: string
required:
- type
username:
description: The username that will have its sessions invalidated.
type: string
required:
- provider
required:
- match
responses:
'200':
content:
application/json:
schema:
type: object
properties:
total:
description: The number of sessions that were successfully invalidated.
type: integer
description: Indicates a successful call.
'403':
description: Indicates that the user may not be authorized to invalidate sessions for other users.
summary: Invalidate user sessions
tags:
- user session
x-metaTags:
- content: Kibana
name: product_name
/api/short_url:
post:
description: |
Kibana URLs may be long and cumbersome; short URLs are much easier to remember and share.
Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect the user to the right Kibana page.
operationId: post-url
requestBody:
content:
application/json:
examples:
createShortUrlRequest:
description: Request a short URL that resolves to a dashboard with a preset time range.
summary: Create a short URL for a dashboard locator
value:
locatorId: DASHBOARD_APP_LOCATOR
params:
dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b
timeRange:
from: now-7d
to: now
slug: my-dashboard
schema:
type: object
properties:
humanReadableSlug:
description: |
When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true.
type: boolean
locatorId:
description: The identifier for the locator.
type: string
params:
description: |
An object which contains all necessary parameters for the given locator to resolve to a Kibana location.
> warn
> When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.
type: object
slug:
description: |
A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug that consists of Latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters.
type: string
required:
- locatorId
- params
required: true
responses:
'200':
content:
application/json:
examples:
createShortUrlResponse:
description: The created short URL record.
summary: Short URL created
value:
accessCount: 0
accessDate: 1767225600000
createDate: 1767225600000
id: c54b04f5d4b3aa3c
locator:
id: DASHBOARD_APP_LOCATOR
state:
dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b
timeRange:
from: now-7d
to: now
version: 9.4.0
slug: my-dashboard
schema:
$ref: '#/components/schemas/Short_URL_APIs_urlResponse'
description: Indicates a successful call.
summary: Create a short URL
tags:
- short url
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/short_url/_slug/{slug}:
get:
description: |
Resolve a Kibana short URL by its slug.
operationId: resolve-url
parameters:
- description: The slug of the short URL.
in: path
name: slug
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
resolveShortUrlResponse:
description: The short URL record matching the given slug.
summary: Short URL resolved by slug
value:
accessCount: 12
accessDate: 1767744000000
createDate: 1767225600000
id: c54b04f5d4b3aa3c
locator:
id: DASHBOARD_APP_LOCATOR
state:
dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b
timeRange:
from: now-7d
to: now
version: 9.4.0
slug: my-dashboard
schema:
$ref: '#/components/schemas/Short_URL_APIs_urlResponse'
description: Indicates a successful call.
summary: Resolve a short URL
tags:
- short url
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/short_url/{id}:
delete:
description: |
Delete a Kibana short URL.
operationId: delete-url
parameters:
- $ref: '#/components/parameters/Short_URL_APIs_idParam'
responses:
'200':
description: Indicates a successful call.
summary: Delete a short URL
tags:
- short url
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
Get a single Kibana short URL.
operationId: get-url
parameters:
- $ref: '#/components/parameters/Short_URL_APIs_idParam'
responses:
'200':
content:
application/json:
examples:
getShortUrlResponse:
description: The short URL record matching the given identifier.
summary: Short URL retrieved by ID
value:
accessCount: 12
accessDate: 1767744000000
createDate: 1767225600000
id: c54b04f5d4b3aa3c
locator:
id: DASHBOARD_APP_LOCATOR
state:
dashboardId: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b
timeRange:
from: now-7d
to: now
version: 9.4.0
slug: my-dashboard
schema:
$ref: '#/components/schemas/Short_URL_APIs_urlResponse'
description: Indicates a successful call.
summary: Get a short URL
tags:
- short url
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/spaces/_copy_saved_objects:
post:
description: 'This operation can also automatically copy related objects, so when you copy a dashboard, it can copy the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier, or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.
[Required authorization] Route required privileges: copySavedObjectsToSpaces.'
operationId: post-spaces-copy-saved-objects
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
compatibilityMode:
default: false
description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option.
type: boolean
createNewCopies:
default: true
description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options.
type: boolean
includeReferences:
default: false
description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces.
type: boolean
objects:
items:
additionalProperties: false
type: object
properties:
id:
description: The identifier of the saved object to copy.
type: string
type:
description: The type of the saved object to copy.
type: string
required:
- type
- id
maxItems: 1000
type: array
overwrite:
default: false
description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option.
type: boolean
spaces:
items:
description: The identifiers of the spaces where you want to copy the specified objects.
type: string
maxItems: 100
type: array
required:
- spaces
- objects
examples:
copySavedObjectsRequestExample1:
$ref: '#/components/examples/copy_saved_objects_request1'
copySavedObjectsRequestExample2:
$ref: '#/components/examples/copy_saved_objects_request2'
responses:
'200':
description: 'OK: A successful request.'
content:
application/json:
examples:
copySavedObjectsResponseExample1:
$ref: '#/components/examples/copy_saved_objects_response1'
copySavedObjectsResponseExample2:
$ref: '#/components/examples/copy_saved_objects_response2'
copySavedObjectsResponseExample3:
$ref: '#/components/examples/copy_saved_objects_response3'
copySavedObjectsResponseExample4:
$ref: '#/components/examples/copy_saved_objects_response4'
summary: Copy saved objects between spaces
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
/api/spaces/_disable_legacy_url_aliases:
post:
description: Disable one or more legacy URL aliases so that they no longer resolve to their target saved objects.
operationId: post-spaces-disable-legacy-url-aliases
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
aliases:
items:
additionalProperties: false
type: object
properties:
sourceId:
description: The alias source object identifier. This is the legacy object identifier.
type: string
targetSpace:
description: The space where the alias target object exists.
type: string
targetType:
description: The type of the alias target object.
type: string
required:
- targetSpace
- targetType
- sourceId
maxItems: 1000
type: array
required:
- aliases
examples:
disableLegacyURLRequestExample1:
$ref: '#/components/examples/disable_legacy_url_request1'
responses:
'204':
description: Indicates a successful call.
summary: Disable legacy URL aliases
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
/api/spaces/_get_shareable_references:
post:
description: Collect references and space contexts for saved objects.
operationId: post-spaces-get-shareable-references
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
objects:
items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
maxItems: 1000
type: array
required:
- objects
examples:
getShareableReferencesRequestExample1:
$ref: '#/components/examples/get_shareable_references_request1'
responses:
'200':
description: Indicates a successful call.
content:
application/json:
examples:
getShareableReferencesResponseExample1:
$ref: '#/components/examples/get_shareable_references_response1'
summary: Get shareable references
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
/api/spaces/_resolve_copy_saved_objects_errors:
post:
description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.
[Required authorization] Route required privileges: copySavedObjectsToSpaces.'
operationId: post-spaces-resolve-copy-saved-objects-errors
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
compatibilityMode:
default: false
type: boolean
createNewCopies:
default: true
type: boolean
includeReferences:
default: false
type: boolean
objects:
items:
additionalProperties: false
type: object
properties:
id:
type: string
type:
type: string
required:
- type
- id
maxItems: 1000
type: array
retries:
additionalProperties:
items:
additionalProperties: false
type: object
properties:
createNewCopy:
description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin.
type: boolean
destinationId:
description: Specifies the destination identifier that the copied object should have, if different from the current identifier.
type: string
id:
description: The saved object identifier.
type: string
ignoreMissingReferences:
description: When set to true, any missing references errors are ignored.
type: boolean
overwrite:
default: false
description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space.
type: boolean
type:
description: The saved object type.
type: string
required:
- type
- id
maxItems: 1000
type: array
type: object
required:
- retries
- objects
examples:
resolveCopySavedObjectsRequestExample1:
$ref: '#/components/examples/resolve_copy_saved_objects_request1'
resolveCopySavedObjectsRequestExample2:
$ref: '#/components/examples/resolve_copy_saved_objects_request2'
responses:
'200':
description: 'OK: A successful request.'
content:
application/json:
examples:
resolveCopySavedObjectsResponseExample1:
$ref: '#/components/examples/copy_saved_objects_response1'
resolveCopySavedObjectsResponseExample2:
$ref: '#/components/examples/copy_saved_objects_response2'
summary: Resolve conflicts copying saved objects
tags: []
x-metaTags:
- content: Kibana
name: product_name
/api/spaces/_update_objects_spaces:
post:
description: Update one or more saved objects to add or remove them from some spaces.
operationId: post-spaces-update-objects-spaces
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
objects:
items:
additionalProperties: false
type: object
properties:
id:
description: The identifier of the saved object to update.
type: string
type:
description: The type of the saved object to update.
type: string
required:
- type
- id
maxItems: 1000
type: array
spacesToAdd:
items:
description: The identifiers of the spaces the saved objects should be added to or removed from.
type: string
maxItems: 1000
type: array
spacesToRemove:
items:
description: The identifiers of the spaces the saved objects should be added to or removed from.
type: string
maxItems: 1000
type: array
required:
- objects
- spacesToAdd
- spacesToRemove
examples:
updateObjectSpacesRequestExample1:
$ref: '#/components/examples/update_saved_objects_spaces_request1'
responses:
'200':
description: 'OK: A successful request.'
content:
application/json:
examples:
updateObjectSpacesResponseExample1:
$ref: '#/components/examples/update_saved_objects_spaces_response1'
summary: Update saved objects in spaces
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
/api/spaces/space:
get:
description: Retrieve all available Kibana spaces. The list includes only the spaces that the user is authorized to access.
operationId: get-spaces-space
parameters:
- description: Specifies which authorization checks are applied to the API call. The default value is `any`.
in: query
name: purpose
required: false
schema:
enum:
- any
- copySavedObjectsIntoSpace
- shareSavedObjectsIntoSpace
type: string
- description: When enabled, the API returns any spaces the user is authorized to access in any capacity, each including the purposes for which the user is authorized. This is useful for identifying spaces the user can read but is not authorized for a given purpose. Without the security plugin, this parameter has no effect, because no authorization checks are performed. This parameter cannot be used together with the `purpose` parameter.
in: query
name: include_authorized_purposes
required: false
schema:
type: boolean
responses:
'200':
description: Indicates a successful call.
content:
application/json:
examples:
getSpacesResponseExample1:
$ref: '#/components/examples/get_spaces_response1'
getSpacesResponseExample2:
$ref: '#/components/examples/get_spaces_response2'
summary: Get all spaces
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
post:
description: Create a new Kibana space.
operationId: post-spaces-space
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
_reserved:
type: boolean
color:
description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
type: string
description:
description: A description for the space.
type: string
disabledFeatures:
default: []
items:
description: The list of features that are turned off in the space.
type: string
maxItems: 100
type: array
id:
description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
type: string
imageUrl:
description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
type: string
initials:
description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
maxLength: 2
type: string
name:
description: The display name for the space.
minLength: 1
type: string
projectRouting:
description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
type: string
solution:
enum:
- security
- oblt
- es
- classic
type: string
required:
- id
- name
examples:
createSpaceRequest:
$ref: '#/components/examples/create_space_request'
responses:
'200':
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
_reserved:
type: boolean
color:
description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
type: string
description:
description: A description for the space.
type: string
disabledFeatures:
default: []
items:
description: The list of features that are turned off in the space.
type: string
maxItems: 100
type: array
id:
description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
type: string
imageUrl:
description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
type: string
initials:
description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
maxLength: 2
type: string
name:
description: The display name for the space.
minLength: 1
type: string
projectRouting:
description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
type: string
solution:
enum:
- security
- oblt
- es
- classic
type: string
required:
- id
- name
examples:
createSpaceResponseExample:
$ref: '#/components/examples/get_space_response'
description: Indicates a successful call.
summary: Create a space
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
/api/spaces/space/{id}:
delete:
description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone.
operationId: delete-spaces-space-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The space identifier.
in: path
name: id
required: true
schema:
type: string
responses:
'204':
description: Indicates a successful call.
'404':
description: Indicates that the request failed.
summary: Delete a space
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
get:
description: Retrieve a single Kibana space by its identifier.
operationId: get-spaces-space-id
parameters:
- description: The space identifier.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getSpaceResponse:
description: A response that contains the full configuration for a single Kibana space.
summary: Get details about a marketing space
value:
color: '#aabbcc'
description: This is the Marketing Space
disabledFeatures: []
id: marketing
imageUrl: ''
initials: MK
name: Marketing
solution: es
schema:
additionalProperties: false
type: object
properties:
_reserved:
type: boolean
color:
description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
type: string
description:
description: A description for the space.
type: string
disabledFeatures:
default: []
items:
description: The list of features that are turned off in the space.
type: string
maxItems: 100
type: array
id:
description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
type: string
imageUrl:
description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
type: string
initials:
description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
maxLength: 2
type: string
name:
description: The display name for the space.
minLength: 1
type: string
projectRouting:
description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
type: string
solution:
enum:
- security
- oblt
- es
- classic
type: string
required:
- id
- name
description: Indicates a successful call.
summary: Get a space
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
put:
description: Update an existing Kibana space.
operationId: put-spaces-space-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The space identifier. You are unable to change the ID with the update operation.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
_reserved:
type: boolean
color:
description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
type: string
description:
description: A description for the space.
type: string
disabledFeatures:
default: []
items:
description: The list of features that are turned off in the space.
type: string
maxItems: 100
type: array
id:
description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
type: string
imageUrl:
description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
type: string
initials:
description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
maxLength: 2
type: string
name:
description: The display name for the space.
minLength: 1
type: string
projectRouting:
description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
type: string
solution:
enum:
- security
- oblt
- es
- classic
type: string
required:
- id
- name
examples:
updateSpaceRequest:
$ref: '#/components/examples/update_space_request'
responses:
'200':
content:
application/json:
examples:
updateSpaceResponse:
description: A response that contains the updated configuration of the Kibana space.
summary: Update the marketing space
value:
color: '#aabbcc'
description: An updated description for the Marketing Space
disabledFeatures: []
id: marketing
imageUrl: ''
initials: MK
name: Marketing
solution: es
schema:
additionalProperties: false
type: object
properties:
_reserved:
type: boolean
color:
description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
type: string
description:
description: A description for the space.
type: string
disabledFeatures:
default: []
items:
description: The list of features that are turned off in the space.
type: string
maxItems: 100
type: array
id:
description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation.
type: string
imageUrl:
description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
type: string
initials:
description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
maxLength: 2
type: string
name:
description: The display name for the space.
minLength: 1
type: string
projectRouting:
description: Cross-project search default routing configuration for this space. Controls whether searches are scoped to a single project or span multiple projects in serverless environments.
type: string
solution:
enum:
- security
- oblt
- es
- classic
type: string
required:
- id
- name
description: Indicates a successful call.
summary: Update a space
tags:
- spaces
x-metaTags:
- content: Kibana
name: product_name
/api/status:
get:
operationId: get-status
parameters:
- description: Set to "true" to get the response in v7 format.
in: query
name: v7format
required: false
schema:
type: boolean
- description: Set to "true" to get the response in v8 format.
in: query
name: v8format
required: false
schema:
type: boolean
responses:
'200':
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
description: Kibana's operational status. A minimal response is sent for unauthorized users.
description: Overall status is OK and Kibana should be functioning normally.
'503':
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
description: Kibana's operational status. A minimal response is sent for unauthorized users.
description: Kibana or some of its essential services are unavailable. Kibana may be degraded or unavailable.
summary: Get Kibana's current status
tags:
- system
x-metaTags:
- content: Kibana
name: product_name
/api/streams:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Fetches list of all streams
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Resyncs all streams, making sure that Elasticsearch assets are up to date
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Deletes a stream definition and the underlying data stream
[Required authorization] Route required privileges: manage_stream.
operationId: delete-streams-name
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
description: The stream was deleted successfully.
summary: Delete a stream
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/streams/{name}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Fetches a stream definition and associated dashboards
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Creates or updates a stream definition. Classic streams cannot be created through this API, only updated.
[Required authorization] Route required privileges: manage_stream.
operationId: put-streams-name
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
createQueryStream:
value:
dashboards: []
queries: []
rules: []
stream:
description: All error-level logs across every stream
query:
esql: FROM logs* | WHERE log.level == "error"
view: logs.errors-view
type: query
createWiredStream:
value:
dashboards: []
queries: []
rules: []
stream:
description: Web server access logs, routed by severity
ingest:
failure_store:
inherit: {}
lifecycle:
inherit: {}
processing:
steps: []
settings: {}
wired:
fields:
host.name:
type: keyword
http.response.status_code:
type: long
message:
type: match_only_text
routing:
- destination: logs.nginx.errors
status: enabled
where:
field: http.response.status_code
gte: 500
type: wired
updateClassicStream:
value:
dashboards: []
queries: []
rules: []
stream:
description: Legacy application logs managed as a classic data stream
ingest:
classic: {}
failure_store:
disabled: {}
lifecycle:
dsl:
data_retention: 30d
processing:
steps:
- action: grok
from: message
ignore_missing: true
patterns:
- '%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}'
settings: {}
type: classic
schema:
$ref: '#/components/schemas/Kibana_HTTP_APIs_StreamUpsertRequest'
responses:
'200':
description: The stream was created or updated successfully.
summary: Create or update a stream
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{name}/_fork:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/streams/{name}/_fork
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Forks a wired stream and creates a child stream
[Required authorization] Route required privileges: manage_stream.
operationId: post-streams-name-fork
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the parent stream to fork from.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
forkStream:
value:
status: enabled
stream:
name: logs.nginx.errors
where:
eq: '500'
field: http.response.status_code
schema:
additionalProperties: false
type: object
properties:
draft:
type: boolean
status:
enum:
- enabled
- disabled
type: string
stream:
additionalProperties: false
type: object
properties:
name:
type: string
required:
- name
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
required:
- stream
- where
responses:
'200':
description: The stream was forked successfully.
summary: Fork a stream
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{name}/_ingest:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/streams/{name}/_ingest
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Fetches the ingest settings of an ingest stream definition
[Required authorization] Route required privileges: read_stream.
operationId: get-streams-name-ingest
parameters:
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
content:
application/json:
examples:
getWiredIngest:
value:
ingest:
failure_store:
inherit: {}
lifecycle:
inherit: {}
processing:
steps:
- action: grok
from: message
ignore_missing: false
patterns:
- '%{IPORHOST:client.ip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:@timestamp}\] "%{WORD:http.method} %{DATA:url.original} HTTP/%{NUMBER:http.version}" %{NUMBER:http.response.status_code:int} (?:%{NUMBER:http.response.body.bytes:int}|-)'
updated_at: '2025-01-15T10:30:00.000Z'
settings: {}
wired:
fields:
client.ip:
type: ip
http.method:
type: keyword
http.response.body.bytes:
type: long
http.response.status_code:
type: long
url.original:
type: wildcard
routing:
- destination: logs.nginx.errors
status: enabled
where:
field: http.response.status_code
gte: 500
description: Ingest settings for the stream.
summary: Get ingest stream settings
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/streams/{name}/_ingest
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Upserts the ingest settings of an ingest stream definition
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Fetches the query settings of a query stream definition
[Required authorization] Route required privileges: read_stream.
operationId: get-streams-name-query
parameters:
- description: The name of the query stream.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
description: Query settings for the stream.
summary: Get query stream settings
tags:
- streams
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/streams/{name}/_query
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Upserts the query settings of a query stream definition
[Required authorization] Route required privileges: manage_stream.
operationId: put-streams-name-query
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the query stream.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
upsertQueryStream:
value:
query:
esql: FROM logs* | WHERE log.level == "error" | KEEP @timestamp, message, host.name, log.level
schema:
additionalProperties: false
type: object
properties:
field_descriptions:
additionalProperties:
type: string
type: object
query:
additionalProperties: false
type: object
properties:
esql:
type: string
required:
- esql
required:
- query
responses:
'200':
description: The query stream settings were updated successfully.
summary: Upsert query stream settings
tags:
- streams
x-state: Technical Preview; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{name}/content/export:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Links content objects to a stream.
[Required authorization] Route required privileges: manage_stream.
operationId: post-streams-name-content-import
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream to import content into.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
multipart/form-data:
examples:
importContent:
value:
content:
include: '{"objects":{"all":{}}}'
schema:
additionalProperties: false
type: object
properties:
content: {}
include:
type: string
required:
- include
- content
responses:
'200':
description: Content was imported into the stream successfully.
summary: Import content into a stream
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{name}/queries:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/streams/{name}/queries
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Fetches all queries linked to a stream that are visible to the current user in the current space.
[Required authorization] Route required privileges: read_stream.
operationId: get-streams-name-queries
parameters:
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
content:
application/json:
examples:
listQueries:
value:
queries:
- description: Count error-level log events grouped by host name
esql:
query: FROM logs.nginx | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name
id: error-count-by-host
severity_score: 75
title: Error count by host
type: match
- description: Requests with response time above 2 seconds
esql:
query: FROM logs.nginx | WHERE http.response_time > 2000
id: high-latency-requests
severity_score: 50
title: High latency requests
type: match
description: List of queries linked to the stream.
summary: Get stream queries
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{name}/queries/_bulk:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Bulk update queries of a stream. Can add new queries and delete existing ones.
[Required authorization] Route required privileges: manage_stream.
operationId: post-streams-name-queries-bulk
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
bulkQueries:
value:
operations:
- index:
description: Count error-level log events grouped by host name
esql:
query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name
id: error-count-by-host
title: Error count by host
- delete:
id: old-query-id
schema:
additionalProperties: false
type: object
properties:
operations:
items:
anyOf:
- type: object
properties:
index:
type: object
properties:
description:
default: ''
type: string
esql:
type: object
properties:
query:
type: string
required:
- query
evidence:
items:
type: string
type: array
id:
description: A non-empty string.
minLength: 1
type: string
severity_score:
type: number
title:
description: A non-empty string.
minLength: 1
type: string
required:
- title
- esql
- id
required:
- index
- type: object
properties:
delete:
type: object
properties:
id:
type: string
required:
- id
required:
- delete
type: array
required:
- operations
responses:
'200':
description: Bulk operation completed successfully.
summary: Bulk update queries
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{name}/queries/{queryId}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Remove a query from a stream. Noop if the query is not found on the stream.
[Required authorization] Route required privileges: manage_stream.
operationId: delete-streams-name-queries-queryid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
- description: The identifier of the query to remove.
in: path
name: queryId
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
description: The query was removed successfully.
summary: Remove a query from a stream
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Adds a query to a stream. Noop if the query is already present on the stream.
[Required authorization] Route required privileges: manage_stream.
operationId: put-streams-name-queries-queryid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
- description: The identifier of the query.
in: path
name: queryId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
upsertQuery:
value:
description: Count error-level log events grouped by host name
esql:
query: FROM logs* | WHERE log.level == "error" | STATS count = COUNT(*) BY host.name
title: Error count by host
schema:
additionalProperties: false
type: object
properties:
description:
default: ''
type: string
esql:
additionalProperties: false
type: object
properties:
query:
type: string
required:
- query
evidence:
items:
type: string
type: array
severity_score:
type: number
title:
description: A non-empty string.
minLength: 1
type: string
required:
- title
- esql
responses:
'200':
description: The query was added or updated successfully.
summary: Upsert a query to a stream
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{name}/significant_events:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Generate significant event queries based on the stream data.
[Required authorization] Route required privileges: read_stream.
operationId: post-streams-name-significant-events-generate
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
- description: Optional connector ID. If not provided, the default AI connector from settings will be used.
in: query
name: connectorId
required: false
schema:
type: string
- in: query
name: from
required: true
schema:
type: string
- in: query
name: to
required: true
schema:
type: string
- description: Number of sample documents from the stream's current data to use for generation.
in: query
name: sampleDocsSize
required: false
schema:
type: number
requestBody:
content:
application/json:
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
description: Generated significant event query definitions.
summary: Generate significant events
tags:
- streams
x-state: Technical Preview; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{name}/significant_events/_preview:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Preview significant event results based on a given query.
[Required authorization] Route required privileges: read_stream.
operationId: post-streams-name-significant-events-preview
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream.
in: path
name: name
required: true
schema:
type: string
- in: query
name: from
required: true
schema:
type: string
- in: query
name: to
required: true
schema:
type: string
- description: The bucket size for aggregating events (e.g. "1m", "1h").
in: query
name: bucketSize
required: true
schema:
type: string
requestBody:
content:
application/json:
schema:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
esql:
additionalProperties: false
type: object
properties:
query:
type: string
required:
- query
required:
- esql
required:
- query
responses:
'200':
description: Significant event preview results.
summary: Preview significant events
tags:
- streams
x-state: Technical Preview; added in 9.1.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{streamName}/attachments:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Fetches all attachments linked to a stream that are visible to the current user in the current space. Optionally filter by attachment types, search query, and tags.
[Required authorization] Route required privileges: read_stream.
operationId: get-streams-streamname-attachments
parameters:
- description: The name of the stream
in: path
name: streamName
required: true
schema:
type: string
- description: Search query to filter attachments by title
in: query
name: query
required: false
schema:
type: string
- description: Filter by attachment types (single value or array)
in: query
name: attachmentTypes
required: false
schema:
items:
enum:
- dashboard
- rule
- slo
type: string
type: array
- description: Filter by tags (single value or array)
in: query
name: tags
required: false
schema:
items:
type: string
type: array
requestBody:
content:
application/json:
examples:
listAttachmentsExample:
value: {}
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
content:
application/json:
examples:
listAttachmentsResponse:
value:
attachments:
- createdAt: '2023-02-23T16:15:47.275Z'
description: Dashboard for monitoring production services
id: dashboard-123
streamNames:
- logs.awsfirehose
- logs.nginx
tags:
- monitoring
- production
title: My Dashboard
type: dashboard
updatedAt: '2023-03-24T14:39:17.636Z'
description: Successfully retrieved attachments
summary: Get stream attachments
tags:
- streams
x-state: Technical Preview; added in 9.3.0
x-metaTags:
- content: Kibana
name: product_name
/api/streams/{streamName}/attachments/_bulk:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Bulk update attachments linked to a stream. Can link new attachments and delete existing ones. Supports mixed attachment types in a single request.
/api/streams/{streamName}/attachments/{attachmentType}/{attachmentId}:
delete:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Unlinks an attachment from a stream. Noop if the attachment is not linked to the stream.
[Required authorization] Route required privileges: manage_stream.
operationId: delete-streams-streamname-attachments-attachmenttype-attachmentid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream
in: path
name: streamName
required: true
schema:
type: string
- description: The type of the attachment
in: path
name: attachmentType
required: true
schema:
enum:
- dashboard
- rule
- slo
type: string
- description: The ID of the attachment
in: path
name: attachmentId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
unlinkAttachmentExample:
value: {}
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
content:
application/json:
examples:
unlinkAttachmentResponse:
value:
acknowledged: true
description: Successfully unlinked attachment
summary: Unlink an attachment from a stream
tags:
- streams
x-state: Technical Preview; added in 9.3.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Links an attachment to a stream. Noop if the attachment is already linked to the stream.
[Required authorization] Route required privileges: manage_stream.
operationId: put-streams-streamname-attachments-attachmenttype-attachmentid
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: The name of the stream
in: path
name: streamName
required: true
schema:
type: string
- description: The type of the attachment
in: path
name: attachmentType
required: true
schema:
enum:
- dashboard
- rule
- slo
type: string
- description: The ID of the attachment
in: path
name: attachmentId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
linkAttachmentExample:
value: {}
schema:
anyOf:
- additionalProperties: false
type: object
properties: {}
- nullable: true
- {}
responses:
'200':
content:
application/json:
examples:
linkAttachmentResponse:
value:
acknowledged: true
description: Successfully linked attachment
summary: Link an attachment to a stream
tags:
- streams
x-state: Technical Preview; added in 9.3.0
x-metaTags:
- content: Kibana
name: product_name
/api/synthetics/monitor/test/{monitorId}:
post:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Trigger an immediate test execution for the specified monitor. The response includes the generated `testRunId`. If the test encounters issues in one or more service locations, an `errors` array is also returned with details about the failures.
operationId: post-synthetics-monitor-test
parameters:
- description: The ID (config_id) of the monitor to test.
in: path
name: monitorId
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
testNowMonitorResponseExample1:
value: |-
{
"testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0",
"errors": [
{
"locationId": "us_central_staging",
"error": {
"status": 401,
"reason": "no auth credentials provided",
"failed_monitors": null
}
}
]
}
schema:
type: object
properties:
errors:
description: Array of errors encountered while triggering the test, one per service location.
items:
type: object
properties:
error:
type: object
properties:
failed_monitors:
description: Optional list of monitors that failed at the location.
items:
type: object
nullable: true
type: array
reason:
description: Human-readable explanation of the failure.
type: string
status:
description: HTTP status code returned by the agent.
type: integer
required:
- status
- reason
- failed_monitors
locationId:
description: Identifier of the service location where the error occurred.
type: string
required:
- locationId
- error
type: array
testRunId:
description: Unique identifier for the triggered test run.
type: string
required:
- testRunId
description: Test run triggered successfully.
'404':
description: Monitor not found.
summary: Trigger an on-demand test run for a monitor
tags:
- synthetics
x-state: Generally available; added in 9.2.0
x-metaTags:
- content: Kibana
name: product_name
/api/synthetics/monitors:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/synthetics/monitors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of monitors.
You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: get-synthetic-monitors
parameters:
- description: Additional filtering criteria.
in: query
name: filter
schema:
type: string
- description: The locations to filter by.
in: query
name: locations
schema:
oneOf:
- type: string
- type: array
- description: The monitor types to filter.
in: query
name: monitorTypes
schema:
oneOf:
- enum:
- browser
- http
- icmp
- tcp
type: string
- type: array
- description: The page number for paginated results.
in: query
name: page
schema:
type: integer
- description: The number of items to return per page.
in: query
name: per_page
schema:
type: integer
- description: The projects to filter by.
in: query
name: projects
schema:
oneOf:
- type: string
- type: array
- description: A free-text query string.
in: query
name: query
schema:
type: string
- description: The schedules to filter by.
in: query
name: schedules
schema:
oneOf:
- type: array
- type: string
- description: The field to sort the results by.
in: query
name: sortField
schema:
enum:
- name
- createdAt
- updatedAt
- status
type: string
- description: The sort order.
in: query
name: sortOrder
schema:
enum:
- asc
- desc
type: string
- description: The status to filter by.
in: query
name: status
schema:
oneOf:
- type: array
- type: string
- description: Tags to filter monitors.
in: query
name: tags
schema:
oneOf:
- type: string
- type: array
- description: |
Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both.
in: query
name: useLogicalAndFor
schema:
oneOf:
- enum:
- tags
- locations
type: string
- items:
enum:
- tags
- locations
type: string
type: array
responses:
'200':
content:
application/json:
examples:
getSyntheticMonitorsResponseExample1:
description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`.
value: |-
{
"page": 1,
"total": 24,
"monitors": [
{
"type": "icmp",
"enabled": false,
"alert": {
"status": {
"enabled": true
},
"tls": {
"enabled": true
}
},
"schedule": {
"number": "3",
"unit": "m"
},
"config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1",
"timeout": "16",
"name": "8.8.8.8:80",
"locations": [
{
"id": "us_central",
"label": "North America - US Central",
"geo": {
"lat": 41.25,
"lon": -95.86
},
"isServiceManaged": true
}
],
"namespace": "default",
"origin": "ui",
"id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1",
"max_attempts": 2,
"wait": "7",
"revision": 3,
"mode": "all",
"ipv4": true,
"ipv6": true,
"created_at": "2023-11-07T09:57:04.152Z",
"updated_at": "2023-12-04T19:19:34.039Z",
"host": "8.8.8.8:80"
}
],
"absoluteTotal": 24,
"perPage": 10,
}
schema:
type: object
description: A successful response.
summary: Get monitors
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/synthetics/monitors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type.
You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: post-synthetic-monitors
requestBody:
content:
application/json:
examples:
postSyntheticMonitorsRequestExample1:
description: Create an HTTP monitor to check a website's availability.
summary: HTTP monitor
value: |-
{
"type": "http",
"name": "Website Availability",
"url": "https://example.com",
"tags": ["website", "availability"],
"locations": ["united_kingdom"]
}
postSyntheticMonitorsRequestExample2:
description: Create a TCP monitor to monitor a server's availability.
summary: TCP monitor
value: |-
{
"type": "tcp",
"name": "Server Availability",
"host": "example.com",
"private_locations": ["my_private_location"]
}
postSyntheticMonitorsRequestExample3:
description: Create an ICMP monitor to perform ping checks.
summary: ICMP monitor
value: |-
{
"type": "icmp",
"name": "Ping Test",
"host": "example.com",
"locations": ["united_kingdom"]
}
postSyntheticMonitorsRequestExample4:
description: Create a browser monitor to check a website.
summary: Browser monitor
value: |-
{
"type": "browser",
"name": "Example journey",
"inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))",
"locations": ["united_kingdom"]
}
schema:
description: |
The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type.
discriminator:
propertyName: type
oneOf:
- $ref: '#/components/schemas/Synthetics_browserMonitorFields'
- $ref: '#/components/schemas/Synthetics_httpMonitorFields'
- $ref: '#/components/schemas/Synthetics_icmpMonitorFields'
- $ref: '#/components/schemas/Synthetics_tcpMonitorFields'
required: true
responses:
'200':
content:
application/json:
examples:
postSyntheticMonitorsResponseWithWarning:
description: A response when a browser monitor specifies a timeout but has no private locations.
summary: Response with warning
value: |-
{
"type": "browser",
"name": "Example journey",
"enabled": true,
"warnings": [
{
"id": "monitor-id",
"message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.",
"publicLocationIds": ["public-1", "public-2"]
}
]
}
schema:
type: object
properties:
warnings:
description: |
An optional array of warnings about the monitor configuration.
items:
$ref: '#/components/schemas/Synthetics_monitorWarning'
type: array
description: |
A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues. For example, if a browser monitor specifies a timeout but has no private locations configured, a warning is returned indicating the timeout will have no effect.
'400':
content:
application/json:
examples:
invalidBrowserTimeout:
description: A 400 error when a browser monitor timeout is below 30 seconds.
summary: Invalid browser timeout
value: |-
{
"statusCode": 400,
"error": "Bad Request",
"message": "Browser Monitor timeout is invalid",
"attributes": {
"details": "Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds."
}
}
schema:
type: object
properties:
attributes:
type: object
properties:
details:
example: Invalid timeout 20 seconds supplied. Minimum timeout for browser monitors is 30 seconds.
type: string
error:
example: Bad Request
type: string
message:
example: Browser Monitor timeout is invalid
type: string
statusCode:
example: 400
type: integer
description: |
Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds.
summary: Create a monitor
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
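As an added example (not Kibana's own code), the following Python helpers pre-flight a create or update monitor body against the rules this spec documents (the `type` discriminator, the 30-second minimum browser timeout, timeouts only taking effect on private locations), interpret the documented 200-with-`warnings` and 400 responses, and summarize the per-location `errors` of the on-demand test-run endpoint described earlier. The `ApiKey` Authorization header follows the spec's `apiKeyAuth` security scheme; the sample payloads are constructed from this spec's examples (the warning message is abridged).

```python
"""Added example (not Kibana's own code): client-side helpers for the Synthetics
monitor request and response shapes documented in this spec."""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from typing import Any

MONITOR_TYPES = {"http", "tcp", "icmp", "browser"}
MIN_BROWSER_TIMEOUT_S = 30  # documented: the server answers 400 below this


def kibana_headers(api_key: str) -> dict[str, str]:
    """Headers for a mutating Kibana API call: the spec's apiKeyAuth scheme
    (Authorization: ApiKey <key>) plus the kbn-xsrf CSRF-protection header."""
    return {
        "Authorization": f"ApiKey {api_key}",
        "kbn-xsrf": "true",
        "Content-Type": "application/json",
    }


def validate_monitor_request(monitor: dict[str, Any]) -> dict[str, list[str]]:
    """Pre-flight a POST/PUT /api/synthetics/monitors body so that requests the
    server documents as rejected (errors) or accepted-with-warning (warnings)
    are caught before they leave the client."""
    errors: list[str] = []
    warnings: list[str] = []
    mtype = monitor.get("type")
    if mtype not in MONITOR_TYPES:
        errors.append(f"type must be one of {sorted(MONITOR_TYPES)}, got {mtype!r}")
    if mtype == "browser" and "timeout" in monitor:
        try:
            timeout = int(monitor["timeout"])
        except (TypeError, ValueError):
            errors.append("timeout must be a whole number of seconds")
        else:
            if timeout < MIN_BROWSER_TIMEOUT_S:
                errors.append(f"browser timeout {timeout}s is below the "
                              f"{MIN_BROWSER_TIMEOUT_S}s minimum (server returns 400)")
            # Documented warning: browser timeouts only apply on private locations.
            if monitor.get("locations") and not monitor.get("private_locations"):
                warnings.append("browser timeout has no effect on public locations")
    return {"errors": errors, "warnings": warnings}


@dataclass
class MonitorResult:
    ok: bool
    warnings: list[str] = field(default_factory=list)
    error: str | None = None


def parse_monitor_response(status: int, body: str) -> MonitorResult:
    """Interpret the documented 200 (optionally carrying a `warnings` array)
    and 400 (`attributes.details`) responses of the create/update monitor APIs."""
    data = json.loads(body)
    if status == 200:
        return MonitorResult(True, [w.get("message", "") for w in data.get("warnings", [])])
    if status == 400:
        details = (data.get("attributes") or {}).get("details") or data.get("message")
        return MonitorResult(False, error=details)
    return MonitorResult(False, error=f"unexpected HTTP {status}: {data.get('message')}")


def summarize_test_run(body: str) -> tuple[str, dict[str, str]]:
    """For POST /api/synthetics/monitor/test/{monitorId}: return the testRunId and
    a locationId -> 'status reason' map built from the optional `errors` array."""
    data = json.loads(body)
    failures = {e["locationId"]: f'{e["error"]["status"]} {e["error"]["reason"]}'
                for e in data.get("errors", [])}
    return data["testRunId"], failures


# Constructed sample payloads, taken from the examples in this spec.
WARNING_RESPONSE = json.dumps({
    "type": "browser", "name": "Example journey", "enabled": True,
    "warnings": [{"id": "monitor-id",
                  "message": "For browser monitors, timeout is only supported on private locations.",
                  "publicLocationIds": ["public-1", "public-2"]}],
})
BAD_TIMEOUT_RESPONSE = json.dumps({
    "statusCode": 400, "error": "Bad Request",
    "message": "Browser Monitor timeout is invalid",
    "attributes": {"details": "Invalid timeout 20 seconds supplied. "
                              "Minimum timeout for browser monitors is 30 seconds."},
})
TEST_RUN_RESPONSE = json.dumps({
    "testRunId": "2bd506e5-4f9a-4aa6-a019-7988500afba0",
    "errors": [{"locationId": "us_central_staging",
                "error": {"status": 401, "reason": "no auth credentials provided",
                          "failed_monitors": None}}],
})

if __name__ == "__main__":
    body = {"type": "browser", "name": "Example journey", "timeout": "20",
            "locations": ["united_kingdom"]}
    print(validate_monitor_request(body))
    print(parse_monitor_response(400, BAD_TIMEOUT_RESPONSE))
    print(summarize_test_run(TEST_RUN_RESPONSE))
```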
/api/synthetics/monitors/_bulk_delete:
post:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete multiple monitors by sending a list of config IDs.
operationId: delete-synthetic-monitors
requestBody:
content:
application/json:
examples:
bulkDeleteRequestExample1:
description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors.
value: |-
{
"ids": [
"monitor1-id",
"monitor2-id"
]
}
schema:
type: object
properties:
ids:
description: An array of monitor IDs to delete.
items:
type: string
type: array
required:
- ids
required: true
responses:
'200':
content:
application/json:
examples:
deleteMonitorsResponseExample1:
description: A response from successfully deleting multiple monitors.
value: |-
[
{
"id": "monitor1-id",
"deleted": true
},
{
"id": "monitor2-id",
"deleted": true
}
]
schema:
items:
description: The API response includes information about the deleted monitors.
type: object
properties:
deleted:
description: |
If it is `true`, the monitor was successfully deleted. If it is `false`, the monitor was not deleted.
type: boolean
id:
description: The unique identifier of the deleted monitor.
type: string
type: array
description: A successful response.
summary: Delete monitors
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
/api/synthetics/monitors/{id}:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/synthetics/monitors/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a monitor from the Synthetics app.
You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: delete-synthetic-monitor
parameters:
- description: The identifier for the monitor that you want to delete.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
description: OK
summary: Delete a monitor
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
get:
operationId: get-synthetic-monitor
parameters:
- description: The ID of the monitor.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getSyntheticMonitorResponseExample1:
description: A successful response from `GET /api/synthetics/monitors/{id}`.
value: |-
{
"type": "http",
"enabled": true,
"alert": {
"status": {
"enabled": true
},
"tls": {
"enabled": true
}
},
"schedule": {
"number": "3",
"unit": "m"
},
"config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec",
"timeout": "16",
"name": "am i something",
"locations": [
{
"id": "us_central",
"label": "North America - US Central",
"geo": {
"lat": 41.25,
"lon": -95.86
},
"isServiceManaged": true
}
],
"namespace": "default",
"origin": "ui",
"id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec",
"max_attempts": 2,
"__ui": {
"is_tls_enabled": false
},
"max_redirects": "0",
"response.include_body": "on_error",
"response.include_headers": true,
"check.request.method": "GET",
"mode": "any",
"response.include_body_max_bytes": "1024",
"ipv4": true,
"ipv6": true,
"ssl.verification_mode": "full",
"ssl.supported_protocols": [
"TLSv1.1",
"TLSv1.2",
"TLSv1.3"
],
"revision": 13,
"created_at": "2023-11-08T08:45:29.334Z",
"updated_at": "2023-12-18T20:31:44.770Z",
"url": "https://fast.com"
}
schema:
type: object
description: A successful response.
'404':
description: If the monitor is not found, the API returns a 404 error.
summary: Get a monitor
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/synthetics/monitors/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/synthetics/monitors/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type.
You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
You can also partially update a monitor. Only the fields specified in the request body are updated; all other fields are left unchanged. The specified fields must conform to the monitor type. For example, you can't update the `inline_script` field of an HTTP monitor.
operationId: put-synthetic-monitor
parameters:
- description: The identifier for the monitor that you want to update.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
putSyntheticMonitorsRequestExample1:
description: Update an HTTP monitor that checks a website's availability.
summary: HTTP monitor
value: |-
{
"type": "http",
"name": "Website Availability",
"url": "https://example.com",
"tags": ["website", "availability"],
"locations": ["united_kingdom"]
}
putSyntheticMonitorsRequestExample2:
description: Update a TCP monitor that monitors a server's availability.
summary: TCP monitor
value: |-
{
"type": "tcp",
"name": "Server Availability",
"host": "example.com",
"private_locations": ["my_private_location"]
}
putSyntheticMonitorsRequestExample3:
description: Update an ICMP monitor that performs ping checks.
summary: ICMP monitor
value: |-
{
"type": "icmp",
"name": "Ping Test",
"host": "example.com",
"locations": ["united_kingdom"]
}
putSyntheticMonitorsRequestExample4:
description: Update a browser monitor that checks a website.
summary: Browser monitor
value: |-
{
"type": "browser",
"name": "Example journey",
"inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))",
"locations": ["united_kingdom"]
}
schema:
description: |
The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type.
discriminator:
propertyName: type
oneOf:
- $ref: '#/components/schemas/Synthetics_browserMonitorFields'
- $ref: '#/components/schemas/Synthetics_httpMonitorFields'
- $ref: '#/components/schemas/Synthetics_icmpMonitorFields'
- $ref: '#/components/schemas/Synthetics_tcpMonitorFields'
type: object
required: true
responses:
'200':
content:
application/json:
examples:
putSyntheticMonitorResponseWithWarning:
description: A response when a browser monitor specifies a timeout but has no private locations.
summary: Response with warning
value: |-
{
"type": "browser",
"name": "Example journey",
"enabled": true,
"warnings": [
{
"id": "monitor-id",
"message": "For browser monitors, timeout is only supported on private locations. Browser monitor \"Example journey\" specifies a timeout and is running on public locations: \"public-1, public-2\". The timeout will have no effect on these locations.",
"publicLocationIds": ["public-1", "public-2"]
}
]
}
schema:
type: object
properties:
warnings:
description: |
An optional array of warnings about the monitor configuration.
items:
$ref: '#/components/schemas/Synthetics_monitorWarning'
type: array
description: |
A successful response. The response may include a `warnings` array when the monitor configuration has non-critical issues.
'400':
description: |
Bad request. For browser monitors, a 400 error is returned if the timeout is less than 30 seconds.
summary: Update a monitor
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
/api/synthetics/params:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/synthetics/params
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: get-parameters
responses:
'200':
content:
application/json:
examples:
getParametersResponseExample1:
description: A successful response for a user with read-only permissions to get a list of parameters.
summary: Read access
value: |-
[
{
"id": "param1-id",
"key": "param1",
"description": "Description for param1",
"tags": ["tag1", "tag2"],
"namespaces": ["namespace1"]
},
{
"id": "param2-id",
"key": "param2",
"description": "Description for param2",
"tags": ["tag3"],
"namespaces": ["namespace2"]
}
]
getParametersResponseExample2:
description: A successful response for a user with write permissions to get a list of parameters.
summary: Write access
value: |-
[
{
"id": "param1-id",
"key": "param1",
"description": "Description for param1",
"tags": ["tag1", "tag2"],
"namespaces": ["namespace1"],
"value": "value1"
},
{
"id": "param2-id",
"key": "param2",
"description": "Description for param2",
"tags": ["tag3"],
"namespaces": ["namespace2"],
"value": "value2"
}
]
schema:
items:
$ref: '#/components/schemas/Synthetics_getParameterResponse'
type: array
description: A successful response.
summary: Get parameters
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/synthetics/params
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Add one or more parameters to the Synthetics app.
You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: post-parameters
requestBody:
content:
application/json:
examples:
postParametersRequestExample1:
description: Add a single parameter.
summary: Single parameter
value: |-
{
"key": "your-key-name",
"value": "your-parameter-value",
"description": "Param to use in browser monitor",
"tags": ["authentication", "security"],
"share_across_spaces": true
}
postParametersRequestExample2:
description: Add multiple parameters.
summary: Multiple parameters
value: |-
[
{
"key": "param1",
"value": "value1"
},
{
"key": "param2",
"value": "value2"
}
]
schema:
oneOf:
- items:
$ref: '#/components/schemas/Synthetics_parameterRequest'
type: array
- $ref: '#/components/schemas/Synthetics_parameterRequest'
description: The request body can contain either a single parameter object or an array of parameter objects.
required: true
responses:
'200':
content:
application/json:
examples:
postParametersResponseExample1:
description: A successful response for a single added parameter.
summary: Single parameter
value: |-
{
"id": "unique-parameter-id",
"key": "your-key-name",
"value": "your-param-value",
"description": "Param to use in browser monitor",
"tags": ["authentication", "security"],
"share_across_spaces": true
}
postParametersResponseExample2:
description: A successful response for multiple added parameters.
summary: Multiple parameters
value: |-
[
{
"id": "param1-id",
"key": "param1",
"value": "value1"
},
{
"id": "param2-id",
"key": "param2",
"value": "value2"
}
]
schema:
oneOf:
- items:
$ref: '#/components/schemas/Synthetics_postParameterResponse'
type: array
- $ref: '#/components/schemas/Synthetics_postParameterResponse'
description: A successful response.
summary: Add parameters
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
/api/synthetics/params/_bulk_delete:
post:
description: |
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete parameters from the Synthetics app.
You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: delete-parameters
requestBody:
content:
application/json:
examples:
deleteParametersRequestExample1:
description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters.
value: |-
{
"ids": ["param1-id", "param2-id"]
}
schema:
type: object
properties:
ids:
description: An array of parameter IDs to delete.
items:
type: string
type: array
required: true
responses:
'200':
content:
application/json:
examples:
deleteParametersResponseExample1:
value: |-
[
{
"id": "param1-id",
"deleted": true
}
]
schema:
items:
type: object
properties:
deleted:
description: |
Indicates whether the parameter was deleted: `true` if it was deleted, `false` if it was not.
type: boolean
id:
description: The unique identifier for the deleted parameter.
type: string
type: array
description: A successful response.
summary: Delete parameters
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
/api/synthetics/params/{id}:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/synthetics/params/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a parameter from the Synthetics app.
You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: delete-parameter
parameters:
- description: The ID for the parameter to delete.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
description: OK
summary: Delete a parameter
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/synthetics/params/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a parameter from the Synthetics app.
You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: get-parameter
parameters:
- description: The unique identifier for the parameter.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getParameterResponseExample1:
description: A successful response for a user with read-only permissions to get a single parameter.
summary: Read access
value: |-
{
"id": "unique-parameter-id",
"key": "your-api-key",
"description": "Param to use in browser monitor",
"tags": ["authentication", "security"],
"namespaces": ["namespace1", "namespace2"]
}
getParameterResponseExample2:
description: A successful response for a user with write permissions to get a single parameter.
summary: Write access
value: |-
{
"id": "unique-parameter-id",
"key": "your-param-key",
"description": "Param to use in browser monitor",
"tags": ["authentication", "security"],
"namespaces": ["namespace1", "namespace2"],
"value": "your-param-value"
}
schema:
$ref: '#/components/schemas/Synthetics_getParameterResponse'
description: A successful response.
summary: Get a parameter
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/synthetics/params/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update a parameter in the Synthetics app.
You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
operationId: put-parameter
parameters:
- description: The unique identifier for the parameter.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
putParameterRequestExample1:
value: |-
{
"key": "updated_param_key",
"value": "updated-param-value",
"description": "Updated Param to be used in browser monitor",
"tags": ["authentication", "security", "updated"]
}
schema:
type: object
properties:
description:
description: The updated description of the parameter.
type: string
key:
description: The key of the parameter.
type: string
tags:
description: An array of updated tags to categorize the parameter.
items:
type: string
type: array
value:
description: The updated value associated with the parameter.
type: string
description: The request body cannot be empty; at least one attribute is required.
required: true
responses:
'200':
content:
application/json:
examples:
putParameterResponseExample1:
value: |-
{
"id": "param_id1",
"key": "updated_param_key",
"value": "updated-param-value",
"description": "Updated Param to be used in browser monitor",
"tags": ["authentication", "security", "updated"]
}
schema:
type: object
description: A successful response.
summary: Update a parameter
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
/api/synthetics/private_locations:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/synthetics/private_locations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of private locations.
You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
operationId: get-private-locations
responses:
'200':
content:
application/json:
examples:
getPrivateLocationsResponseExample1:
value: |-
[
{
"label": "Test private location",
"id": "fleet-server-policy",
"agentPolicyId": "fleet-server-policy",
"isInvalid": false,
"geo": {
"lat": 0,
"lon": 0
},
"namespace": "default"
},
{
"label": "Test private location 2",
"id": "691225b0-6ced-11ee-8f5a-376306ee85ae",
"agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae",
"isInvalid": false,
"geo": {
"lat": 0,
"lon": 0
},
"namespace": "test"
}
]
schema:
items:
$ref: '#/components/schemas/Synthetics_getPrivateLocation'
type: array
description: A successful response.
summary: Get private locations
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/synthetics/private_locations
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a private location.
You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
operationId: post-private-location
requestBody:
content:
application/json:
examples:
postPrivateLocationRequestExample1:
description: Run `POST /api/synthetics/private_locations` to create a private location.
value: |-
{
"label": "Private Location 1",
"agentPolicyId": "abcd1234",
"tags": ["private", "testing"],
"geo": {
"lat": 40.7128,
"lon": -74.0060
},
"spaces": ["default"]
}
schema:
type: object
properties:
agentPolicyId:
description: The ID of the agent policy associated with the private location.
type: string
geo:
description: Geographic coordinates (WGS84) for the location.
type: object
properties:
lat:
description: The latitude of the location.
type: number
lon:
description: The longitude of the location.
type: number
required:
- lat
- lon
label:
description: A label for the private location.
type: string
spaces:
description: |
An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces.
items:
type: string
type: array
tags:
description: An array of tags to categorize the private location.
items:
type: string
type: array
required:
- agentPolicyId
- label
required: true
responses:
'200':
content:
application/json:
examples:
postPrivateLocationResponseExample1:
value: |-
{
"id": "abcd1234",
"label": "Private Location 1",
"agentPolicyId": "abcd1234",
"tags": ["private", "testing"],
"geo": {
"lat": 40.7128,
"lon": -74.0060
}
}
schema:
type: object
description: A successful response.
'400':
description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message.
summary: Create a private location
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
/api/synthetics/private_locations/{id}:
delete:
description: |
**Spaces method and path for this operation:**
delete/s/{space_id}/api/synthetics/private_locations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a private location.
You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion.
A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location.
operationId: delete-private-location
parameters:
- description: The unique identifier of the private location to be deleted.
in: path
name: id
required: true
schema:
maxLength: 1024
minLength: 1
type: string
responses:
'200':
description: OK
summary: Delete a private location
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/synthetics/private_locations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a private location.
You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
operationId: get-private-location
parameters:
- description: A private location identifier or label.
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getPrivateLocationResponseExample1:
value: |-
{
"label": "Test private location",
"id": "test-private-location-id",
"agentPolicyId": "test-private-location-id",
"isServiceManaged": false,
"isInvalid": false,
"geo": {
"lat": 0,
"lon": 0
},
"namespace": "default"
}
schema:
$ref: '#/components/schemas/Synthetics_getPrivateLocation'
description: A successful response.
summary: Get a private location
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/synthetics/private_locations/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an existing private location's label.
You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
When a private location's label is updated, all monitors using this location will also be updated to maintain data consistency.
operationId: put-private-location
parameters:
- description: The unique identifier of the private location to be updated.
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
putPrivateLocationRequestExample1:
description: Update a private location's label.
value: |-
{
"label": "Updated Private Location Name"
}
schema:
type: object
properties:
label:
description: A new label for the private location. Must be at least 1 character long.
minLength: 1
type: string
required:
- label
required: true
responses:
'200':
content:
application/json:
examples:
putPrivateLocationResponseExample1:
value: |-
{
"label": "Updated Private Location Name",
"id": "test-private-location-id",
"agentPolicyId": "test-private-location-id",
"isServiceManaged": false,
"isInvalid": false,
"tags": ["private", "testing", "updated"],
"geo": {
"lat": 37.7749,
"lon": -122.4194
},
"spaces": ["*"]
}
schema:
$ref: '#/components/schemas/Synthetics_getPrivateLocation'
description: A successful response.
'400':
description: If the `label` is empty (shorter than 1 character), the API will return a 400 Bad Request response with a corresponding error message.
'404':
description: If the private location with the specified ID does not exist, the API will return a 404 Not Found response.
summary: Update a private location
tags:
- synthetics
x-metaTags:
- content: Kibana
name: product_name
/api/task_manager/_health:
get:
description: |
Get the health status of the Kibana task manager.
operationId: task-manager-health
responses:
'200':
content:
application/json:
examples:
taskManagerHealthResponse1:
$ref: '#/components/examples/Task_manager_health_APIs_health_200response'
schema:
$ref: '#/components/schemas/Task_manager_health_APIs_health_response'
description: Indicates a successful call
summary: Get the task manager health
tags:
- task manager
x-metaTags:
- content: Kibana
name: product_name
/api/timeline:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/timeline
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete one or more Timelines or Timeline templates.
operationId: DeleteTimelines
requestBody:
content:
application/json:
examples:
deleteByIds:
summary: Delete timelines by saved object id
value:
savedObjectIds:
- 15c1929b-0af7-42bd-85a8-56e234cc7c4e
deleteWithSearches:
summary: Delete Timelines and their linked saved searches
value:
savedObjectIds:
- 15c1929b-0af7-42bd-85a8-56e234cc7c4e
- 6ce1b592-84e3-4b4a-9552-f189d4b82075
searchIds:
- 2c1b8f02-9ad6-4e33-8f6a-2c6b7d0a1f11
schema:
type: object
properties:
savedObjectIds:
description: The list of IDs of the Timelines or Timeline templates to delete
items:
type: string
maxItems: 100
type: array
searchIds:
description: Saved search IDs that should be deleted alongside the timelines
items:
type: string
maxItems: 100
type: array
required:
- savedObjectIds
description: The IDs of the Timelines or Timeline templates to delete.
required: true
responses:
'200':
content:
application/json:
examples:
success:
summary: Success
value: {}
schema:
additionalProperties: true
type: object
description: Indicates a successful call.
summary: Delete Timelines or Timeline templates
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/timeline
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of an existing saved Timeline or Timeline template.
operationId: GetTimeline
parameters:
- description: The `savedObjectId` of the Timeline template to retrieve.
in: query
name: template_timeline_id
schema:
type: string
- description: The `savedObjectId` of the Timeline to retrieve.
in: query
name: id
schema:
type: string
responses:
'200':
content:
application/json:
examples:
timelineDetail:
summary: Timeline detail
value:
description: User-reported suspicious email
noteIds: []
pinnedEventIds: []
savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
status: active
timelineType: default
title: Phishing investigation
version: WzE0LDFd
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
description: Indicates a successful call.
summary: Get Timeline or Timeline template details
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
patch:
description: |-
**Spaces method and path for this operation:**
patch/s/{space_id}/api/timeline
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline.
operationId: PatchTimeline
requestBody:
content:
application/json:
examples:
patchTitle:
summary: Update title
value:
timeline:
title: Escalated case review
timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
version: WzE0LDFd
schema:
type: object
properties:
timeline:
$ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
description: The timeline object of the Timeline or Timeline template that you’re updating.
timelineId:
description: The `savedObjectId` of the Timeline or Timeline template that you’re updating.
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
nullable: true
type: string
version:
description: The version of the Timeline or Timeline template that you’re updating.
example: WzE0LDFd
nullable: true
type: string
required:
- timelineId
- version
- timeline
description: The Timeline updates, along with the Timeline ID and version.
required: true
responses:
'200':
content:
application/json:
examples:
patched:
summary: Updated timeline
value:
savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
status: active
timelineType: default
title: Escalated case review
version: WzE1LDFd
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
description: Indicates a successful call.
'405':
content:
application/json:
examples:
error:
summary: Error body
value:
body: update timeline error
statusCode: 405
schema:
type: object
properties:
body:
description: The error message.
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: Indicates that the user does not have the required access to create a Timeline.
summary: Update a Timeline
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/timeline
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new Timeline or Timeline template.
operationId: CreateTimelines
requestBody:
content:
application/json:
examples:
createDefault:
summary: Create a default timeline
value:
timeline:
status: active
timelineType: default
title: Malware containment
schema:
type: object
properties:
status:
$ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
nullable: true
templateTimelineId:
description: A unique identifier for the Timeline template.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: Timeline template version number.
example: 12
nullable: true
type: number
timeline:
$ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
timelineId:
description: A unique identifier for the Timeline.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
timelineType:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
nullable: true
version:
nullable: true
type: string
required:
- timeline
description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided.
required: true
responses:
'200':
content:
application/json:
examples:
created:
summary: Created timeline
value:
savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
status: active
timelineType: default
title: Malware containment
version: WzE0LDFd
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
description: Indicates a successful call.
'405':
content:
application/json:
examples:
error:
summary: Error body
value:
body: update timeline error
statusCode: 405
schema:
type: object
properties:
body:
description: The error message
example: update timeline error
type: string
statusCode:
example: 405
type: number
description: Indicates that there was an error in the Timeline creation.
summary: Create a Timeline or Timeline template
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/timeline/_copy:
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/timeline/_copy
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Copies and returns a timeline or timeline template.
operationId: CopyTimeline
requestBody:
content:
application/json:
examples:
copyWithTitle:
summary: Copy with a new title
value:
timeline:
timelineType: default
title: Copy of investigation
timelineIdToCopy: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
schema:
type: object
properties:
timeline:
$ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
timelineIdToCopy:
description: The `savedObjectId` of the timeline or template to duplicate.
type: string
required:
- timeline
- timelineIdToCopy
description: Source timeline id to copy plus timeline fields for the new saved object.
required: true
responses:
'200':
content:
application/json:
examples:
copied:
summary: Newly saved timeline
value:
savedObjectId: 6ce1b592-84e3-4b4a-9552-f189d4b82075
status: active
timelineType: default
title: Copy of investigation
version: WzE1LDFd
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
description: Indicates a successful call.
summary: Copies timeline or timeline template
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/timeline/_draft:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/timeline/_draft
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned.
operationId: GetDraftTimelines
parameters:
- description: Which draft to load (`default` investigation timeline or `template` timeline template).
in: query
name: timelineType
required: true
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
responses:
'200':
content:
application/json:
examples:
draftPayload:
summary: Draft timeline payload
value:
savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
status: draft
timelineType: default
title: ''
version: WzE0LDFd
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
description: Indicates a successful call.
'403':
content:
application/json:
examples:
forbidden:
summary: Permission denied
value:
message: Forbidden
status_code: 403
schema:
type: object
properties:
message:
type: string
status_code:
type: number
description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline.
'409':
content:
application/json:
examples:
conflict:
summary: Draft conflict
value:
message: Conflict
status_code: 409
schema:
type: object
properties:
message:
type: string
status_code:
type: number
description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`.
summary: Get draft Timeline or Timeline template details
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
**Spaces method and path for this operation:**
post/s/{space_id}/api/timeline/_draft
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a clean draft Timeline or Timeline template for the current user.
> info
> If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
operationId: CleanDraftTimelines
requestBody:
content:
application/json:
examples:
defaultDraft:
summary: Create a default draft timeline
value:
timelineType: default
schema:
type: object
properties:
timelineType:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
required:
- timelineType
description: The type of Timeline to create. Valid values are `default` and `template`.
required: true
responses:
'200':
content:
application/json:
examples:
draftResponse:
summary: Draft after reset or creation
value:
savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
status: draft
templateTimelineId: null
templateTimelineVersion: null
timelineType: default
title: ''
version: WzE0LDFd
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
description: Indicates a successful call.
'403':
content:
application/json:
examples:
forbidden:
summary: Permission denied
value:
message: Forbidden
status_code: 403
schema:
type: object
properties:
message:
type: string
status_code:
type: number
description: Indicates that the user does not have the required permissions to create a draft Timeline.
'409':
content:
application/json:
examples:
conflict:
summary: Draft conflict
value:
message: Conflict
status_code: 409
schema:
type: object
properties:
message:
type: string
status_code:
type: number
description: Indicates that there is already a draft Timeline with the given `timelineId`.
summary: Create a clean draft Timeline or Timeline template
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/timeline/_export:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/timeline/_export
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Export Timelines as an NDJSON file.
operationId: ExportTimelines
parameters:
- description: The name of the file to export
in: query
name: file_name
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
exportIds:
summary: Export by timeline ids
value:
ids:
- 15c1929b-0af7-42bd-85a8-56e234cc7c4e
schema:
type: object
properties:
ids:
items:
type: string
maxItems: 1000
minItems: 1
nullable: true
type: array
description: The IDs of the Timelines to export.
required: true
responses:
'200':
content:
application/ndjson:
examples:
ndjsonLine:
summary: Single NDJSON line
value: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd","title":"Investigation","timelineType":"default"}'
schema:
description: NDJSON of the exported Timelines
type: string
description: Indicates a successful call.
'400':
content:
application/ndjson:
examples:
badRequest:
summary: Export error
value:
body: Export limit exceeded
statusCode: 400
schema:
type: object
properties:
body:
type: string
statusCode:
type: number
description: Bad Request response.
summary: Export Timelines
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/timeline/_favorite:
patch:
description: |-
**Spaces method and path for this operation:**
patch/s/{space_id}/api/timeline/_favorite
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Favorite a Timeline or Timeline template for the current user.
operationId: PersistFavoriteRoute
requestBody:
content:
application/json:
examples:
favoriteDefault:
summary: Favorite a default timeline
value:
templateTimelineId: null
templateTimelineVersion: null
timelineId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
timelineType: default
schema:
type: object
properties:
templateTimelineId:
nullable: true
type: string
templateTimelineVersion:
nullable: true
type: number
timelineId:
nullable: true
type: string
timelineType:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
nullable: true
required:
- timelineId
- templateTimelineId
- templateTimelineVersion
- timelineType
description: The required fields used to favorite a (template) Timeline.
required: true
responses:
'200':
content:
application/json:
examples:
favoriteResponse:
summary: Favorite metadata updated
value:
favorite:
- favoriteDate: 1741337636741
userName: elastic
savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
timelineType: default
version: WzE2LDFd
schema:
$ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse'
description: Indicates a successful call.
'403':
content:
application/json:
examples:
forbidden:
summary: Forbidden
value:
body: Forbidden
statusCode: 403
schema:
type: object
properties:
body:
type: string
statusCode:
type: number
description: Indicates the user does not have the required permissions to persist the favorite status.
summary: Favorite a Timeline or Timeline template
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/timeline/_import:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/timeline/_import
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Import Timelines.
operationId: ImportTimelines
requestBody:
content:
application/json:
examples:
multipartPlaceholder:
summary: Request shape (file is a stream of NDJSON lines at runtime)
value:
file: '{"savedObjectId":"15c1929b-0af7-42bd-85a8-56e234cc7c4e","version":"WzE0LDFd"}\n'
isImmutable: 'false'
schema:
type: object
properties:
file: {}
isImmutable:
description: Whether the Timeline should be immutable
enum:
- 'true'
- 'false'
type: string
required:
- file
description: The Timelines to import as a readable stream.
required: true
responses:
'200':
content:
application/json:
examples:
importSummary:
summary: Import summary
value:
errors: []
success: true
success_count: 5
timelines_installed: 3
timelines_updated: 2
schema:
$ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
description: Indicates a successful call.
'400':
content:
application/json:
examples:
badRequest:
summary: Invalid import
value:
body: Invalid file extension
statusCode: 400
schema:
type: object
properties:
body:
description: The error message
example: Invalid file extension
type: string
statusCode:
example: 400
type: number
description: Bad Request response.
'404':
content:
application/json:
examples:
notFound:
summary: Saved objects client missing
value:
body: Unable to find saved object client
statusCode: 404
schema:
type: object
properties:
body:
description: The error message
example: Unable to find saved object client
type: string
statusCode:
example: 404
type: number
description: Not found response.
'409':
content:
application/json:
examples:
conflict:
summary: Import conflict
value:
body: Could not import timelines
statusCode: 409
schema:
type: object
properties:
body:
description: The error message
example: Could not import timelines
type: string
statusCode:
example: 409
type: number
description: Indicates the import of Timelines was unsuccessful.
summary: Import Timelines
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/timeline/_prepackaged:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/timeline/_prepackaged
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Install or update prepackaged Timelines.
operationId: InstallPrepackedTimelines
requestBody:
content:
application/json:
examples:
emptyArrays:
summary: Installer payload shape
value:
prepackagedTimelines: []
timelinesToInstall: []
timelinesToUpdate: []
schema:
type: object
properties:
prepackagedTimelines:
items:
$ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
nullable: true
type: array
timelinesToInstall:
items:
$ref: '#/components/schemas/Security_Timeline_API_ImportTimelines'
nullable: true
type: array
timelinesToUpdate:
items:
$ref: '#/components/schemas/Security_Timeline_API_ImportTimelines'
nullable: true
type: array
required:
- timelinesToInstall
- timelinesToUpdate
- prepackagedTimelines
description: The Timelines to install or update.
required: true
responses:
'200':
content:
application/json:
examples:
installResult:
summary: Install result counts
value:
errors: []
success: true
success_count: 10
timelines_installed: 8
timelines_updated: 2
schema:
$ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
description: Indicates a successful call.
'500':
content:
application/json:
examples:
serverError:
summary: Server error
value:
body: Internal error
statusCode: 500
schema:
type: object
properties:
body:
type: string
statusCode:
type: number
description: Indicates the installation of prepackaged Timelines was unsuccessful.
summary: Install prepackaged Timelines
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/timeline/resolve:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/timeline/resolve
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Resolve a Timeline or Timeline template, surfacing outcomes such as `exactMatch`, `aliasMatch`, or `conflict` when object IDs have been remapped during upgrades or imports. Provide **either** `id` for default Timelines or `template_timeline_id` for templates.
operationId: ResolveTimeline
parameters:
- description: The ID of the template timeline to resolve
in: query
name: template_timeline_id
schema:
type: string
- description: The ID of the timeline to resolve
in: query
name: id
schema:
type: string
responses:
'200':
content:
application/json:
examples:
exactMatch:
description: Timeline resolved without alias or conflict
summary: Exact match outcome
value:
outcome: exactMatch
timeline:
savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
timelineType: default
title: Investigation
schema:
$ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline'
description: Indicates a successful call.
'400':
content:
application/json:
examples:
badRequest:
summary: Bad request
value: {}
schema:
additionalProperties: true
type: object
description: Bad Request response.
'404':
content:
application/json:
examples:
notFound:
summary: Not found
value: {}
schema:
additionalProperties: true
type: object
description: The (template) Timeline was not found
summary: Resolve a Timeline or Timeline template
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/timelines:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/timelines
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Get a list of all saved Timelines or Timeline templates.
operationId: GetTimelines
parameters:
- description: If `true`, only Timelines that the current user has marked as favorite are returned.
in: query
name: only_user_favorite
schema:
enum:
- 'true'
- 'false'
nullable: true
type: string
- description: Restrict results to `default` investigation timelines or `template` timeline templates.
in: query
name: timeline_type
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
nullable: true
- description: Field used to sort the list (`title`, `description`, `updated`, or `created`).
in: query
name: sort_field
schema:
$ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline'
- description: Whether to sort the results ascending (`asc`) or descending (`desc`).
in: query
name: sort_order
schema:
enum:
- asc
- desc
type: string
- description: How many results should be returned at once.
in: query
name: page_size
schema:
nullable: true
type: string
- description: How many pages should be skipped.
in: query
name: page_index
schema:
nullable: true
type: string
- description: Search for timelines by their title.
in: query
name: search
schema:
nullable: true
type: string
- description: Filter by timeline lifecycle state (`active`, `draft`, or `immutable`).
in: query
name: status
schema:
$ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
nullable: true
responses:
'200':
content:
application/json:
examples:
timelineList:
summary: Example list response
value:
customTemplateTimelineCount: 0
defaultTimelineCount: 1
elasticTemplateTimelineCount: 0
favoriteCount: 0
templateTimelineCount: 0
timeline:
- savedObjectId: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
status: active
timelineType: default
title: Phishing investigation
updated: 1741344876825
version: WzE0LDFd
totalCount: 1
schema:
type: object
properties:
customTemplateTimelineCount:
description: The number of custom Timeline templates in the results
example: 2
type: number
defaultTimelineCount:
description: The number of `default` type Timelines in the results
example: 90
type: number
elasticTemplateTimelineCount:
description: The number of Elastic's Timeline templates in the results
example: 8
type: number
favoriteCount:
description: The number of favorited Timelines.
example: 5
type: number
templateTimelineCount:
description: The number of Timeline templates in the results.
example: 10
type: number
timeline:
items:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
type: array
totalCount:
description: The total number of results.
example: 100
type: number
required:
- timeline
- totalCount
description: Indicates a successful call.
'400':
content:
application/json:
examples:
badRequest:
summary: Error response body
value:
body: get timeline error
statusCode: 400
schema:
type: object
properties:
body:
description: The error message.
example: get timeline error
type: string
statusCode:
example: 400
type: number
description: Bad Request response.
summary: Get Timelines or Timeline templates
tags:
- Security Timeline API
x-metaTags:
- content: Kibana
name: product_name
/api/upgrade_assistant/status:
get:
description: Check the status of your cluster.
operationId: get-upgrade-status
responses:
'200':
content:
application/json:
examples:
getUpgradeStatusResponseExample1:
value: |-
{
"readyForUpgrade": false,
"cluster": [
{
"message": "Cluster deprecated issue",
"details": "You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading."
}
]
}
description: Indicates a successful call.
summary: Get the upgrade readiness status
tags:
- upgrade
x-state: Technical Preview
x-metaTags:
- content: Kibana
name: product_name
/api/uptime/settings:
get:
description: |
**Spaces method and path for this operation:**
get/s/{space_id}/api/uptime/settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges.
operationId: get-uptime-settings
responses:
'200':
content:
application/json:
examples:
getUptimeSettingsResponseExample1:
value: |-
{
"heartbeatIndices": "heartbeat-8*",
"certExpirationThreshold": 30,
"certAgeThreshold": 730,
"defaultConnectors": [
"08990f40-09c5-11ee-97ae-912b222b13d4",
"db25f830-2318-11ee-9391-6b0c030836d6"
],
"defaultEmail": {
"to": [],
"cc": [],
"bcc": []
}
}
schema:
type: object
description: Indicates a successful call.
summary: Get uptime settings
tags:
- uptime
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
**Spaces method and path for this operation:**
put/s/{space_id}/api/uptime/settings
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. Partial updates are supported: the settings keys you provide are merged with the existing settings.
operationId: put-uptime-settings
requestBody:
content:
application/json:
examples:
putUptimeSettingsRequestExample1:
description: Run `PUT api/uptime/settings` to update multiple Uptime settings.
summary: Update multiple settings
value: |-
{
"heartbeatIndices": "heartbeat-8*",
"certExpirationThreshold": 30,
"certAgeThreshold": 730,
"defaultConnectors": [
"08990f40-09c5-11ee-97ae-912b222b13d4",
"db25f830-2318-11ee-9391-6b0c030836d6"
],
"defaultEmail": {
"to": [],
"cc": [],
"bcc": []
}
}
putUptimeSettingsRequestExample2:
description: Run `PUT api/uptime/settings` to update a single Uptime setting.
summary: Update a setting
value: |-
{
"heartbeatIndices": "heartbeat-8*"
}
schema:
type: object
properties:
certAgeThreshold:
default: 730
description: The number of days after a certificate is created to trigger an alert.
type: number
certExpirationThreshold:
default: 30
description: The number of days before a certificate expires to trigger an alert.
type: number
defaultConnectors:
default: []
description: A list of connector IDs to be used as default connectors for new alerts.
type: array
defaultEmail:
description: |
The default email configuration for new alerts.
type: object
properties:
bcc:
default: []
items:
type: string
type: array
cc:
default: []
items:
type: string
type: array
to:
default: []
items:
type: string
type: array
heartbeatIndices:
default: heartbeat-*
description: |
An index pattern string to be used within the Uptime app and alerts to query Heartbeat data.
type: string
responses:
'200':
content:
application/json:
examples:
putUptimeSettingsResponseExample1:
description: A successful response from `PUT api/uptime/settings`.
value: |-
{
"heartbeatIndices": "heartbeat-8*",
"certExpirationThreshold": 30,
"certAgeThreshold": 730,
"defaultConnectors": [
"08990f40-09c5-11ee-97ae-912b222b13d4",
"db25f830-2318-11ee-9391-6b0c030836d6"
],
"defaultEmail": {
"to": [],
"cc": [],
"bcc": []
}
}
schema:
type: object
description: Indicates a successful call.
summary: Update uptime settings
tags:
- uptime
x-metaTags:
- content: Kibana
name: product_name
/api/workflows:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/workflows
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete multiple workflows by their IDs.
[Required authorization] Route required privileges: workflowsManagement:delete.
operationId: delete-workflows
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: When true, permanently deletes the workflows (hard delete) instead of soft-deleting them. The workflow IDs become available for reuse.
in: query
name: force
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/json:
examples:
bulkDeleteWorkflowsRequestExample:
description: Example request for deleting multiple workflows
value:
ids:
- workflow-c3d4e5f6-a7b8-9012-cdef-234567890123
- workflow-d4e5f6a7-b8c9-0123-defa-345678901234
schema:
additionalProperties: false
type: object
properties:
ids:
description: Array of workflow IDs to delete.
items:
description: Workflow ID to delete.
type: string
maxItems: 1000
type: array
required:
- ids
responses:
'200':
content:
application/json:
examples:
bulkDeleteWorkflowsResponseExample:
description: Example response after deleting multiple workflows
value:
deleted: 2
failures: []
total: 2
description: Indicates a successful response
summary: Bulk delete workflows
tags:
- workflows
x-codeSamples:
- label: Soft delete (default)
lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/workflows" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"]
}'
- label: Hard delete (permanent)
lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/workflows?force=true" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"]
}'
- lang: Console
source: |
DELETE kbn://api/workflows
{
"ids": ["workflow-c3d4e5f6-a7b8-9012-cdef-234567890123", "workflow-d4e5f6a7-b8c9-0123-defa-345678901234"]
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/workflows
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a paginated list of workflows with optional filtering.
[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution.
operationId: get-workflows
parameters:
- description: Free-text search query.
in: query
name: query
required: false
schema:
type: string
- description: Number of results per page.
in: query
name: size
required: false
schema:
minimum: 1
type: number
- description: Page number.
in: query
name: page
required: false
schema:
minimum: 1
type: number
- description: Filter by enabled state.
in: query
name: enabled
required: false
schema:
items:
type: boolean
maxItems: 2
type: array
- description: Filter by creator.
in: query
name: createdBy
required: false
schema:
items:
type: string
maxItems: 1000
type: array
- description: Filter by tags.
in: query
name: tags
required: false
schema:
items:
type: string
maxItems: 1000
type: array
responses:
'200':
content:
application/json:
examples:
getWorkflowsResponseExample:
description: Example response returning a paginated list of workflows
value:
page: 1
results:
- createdAt: '2025-11-20T10:30:00.000Z'
definition:
description: This is a workflow example
enabled: true
inputs:
- default: hello world
name: message
type: string
name: Example definition
steps:
- name: hello_world_step
type: console
with:
message: '{{ inputs.message }}'
triggers:
- type: manual
description: This is a workflow example
enabled: true
history:
- duration: 5000
finishedAt: '2025-11-20T12:00:05.000Z'
id: exec-001
startedAt: '2025-11-20T12:00:00.000Z'
status: completed
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
workflowName: Example definition
id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
name: Example definition
tags:
- example
valid: true
size: 20
total: 1
description: Indicates a successful response
summary: Get workflows
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows?size=20&page=1" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows?size=20&page=1
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/workflows
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create multiple workflows in a single request. Optionally overwrite existing workflows.
[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:update.
operationId: post-workflows
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Whether to overwrite existing workflows.
in: query
name: overwrite
required: false
schema:
default: false
type: boolean
requestBody:
content:
application/json:
examples:
bulkCreateWorkflowsRequestExample:
description: Example request for creating multiple workflows at once
value:
workflows:
- yaml: |
name: Example definition
enabled: true
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
- id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
yaml: |
name: Second workflow
enabled: false
description: Another workflow
triggers:
- type: manual
steps:
- name: log_step
type: console
with:
message: "Hello from second workflow"
schema:
additionalProperties: false
type: object
properties:
workflows:
items:
type: object
properties:
id:
maxLength: 255
minLength: 3
pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$
type: string
yaml:
maxLength: 1048576
type: string
required:
- yaml
maxItems: 500
type: array
required:
- workflows
responses:
'200':
content:
application/json:
examples:
bulkCreateWorkflowsResponseExample:
description: Example response after creating multiple workflows
value:
created:
- id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
name: Example definition
- id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
name: Second workflow
failures: []
total: 2
description: Indicates a successful response
summary: Bulk create workflows
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows?overwrite=false" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"workflows": [
{ "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" },
{ "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" }
]
}'
- lang: Console
source: |
POST kbn://api/workflows?overwrite=false
{
"workflows": [
{ "yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n" },
{ "id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": "name: Second workflow\nenabled: false\ndescription: Another workflow\ntriggers:\n - type: manual\nsteps:\n - name: log_step\n type: console\n with:\n message: \"Hello from second workflow\"\n" }
]
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
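As an added example that is not part of this specification or of Kibana's own code, a Python pre-flight check for the bulk-create request described above: it enforces the request-body constraints from the schema (workflow `id` pattern and length, `yaml` size, at most 500 items) before anything is sent, builds the JSON body together with the required `kbn-xsrf` header, and splits the documented response into created ids and failures. `KIBANA_URL` and `API_KEY` are read from the environment as in the curl sample; the localhost fallback and the summary field names are assumptions.

```python
"""Pre-flight validation and request construction for POST /api/workflows.

Added example, not Kibana's own client code. The constraints below are taken
from the request-body schema of the bulk-create operation; KIBANA_URL and
API_KEY are read from the environment, as in the curl sample (the localhost
fallback is an assumption).
"""
import json
import os
import re

# Constraints from the request-body schema of POST /api/workflows.
WORKFLOW_ID_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")
ID_MIN_LEN, ID_MAX_LEN = 3, 255
YAML_MAX_LEN = 1_048_576   # maxLength of the `yaml` string per workflow
MAX_WORKFLOWS = 500        # maxItems of the `workflows` array

# Constructed sample definitions (the two from the request example above).
EXAMPLE_YAML = (
    "name: Example definition\nenabled: true\n"
    "description: This is a workflow example\ntriggers:\n  - type: manual\n"
    "inputs:\n  - name: message\n    type: string\n    default: \"hello world\"\n"
    "steps:\n  - name: hello_world_step\n    type: console\n"
    "    with:\n      message: \"{{ inputs.message }}\"\n"
)
SECOND_YAML = (
    "name: Second workflow\nenabled: false\ndescription: Another workflow\n"
    "triggers:\n  - type: manual\nsteps:\n  - name: log_step\n    type: console\n"
    "    with:\n      message: \"Hello from second workflow\"\n"
)


def validate_workflow_id(workflow_id: str) -> None:
    """Raise ValueError unless the id meets the schema's length bounds and pattern."""
    if not ID_MIN_LEN <= len(workflow_id) <= ID_MAX_LEN:
        raise ValueError(f"id length {len(workflow_id)} is outside [{ID_MIN_LEN}, {ID_MAX_LEN}]")
    if not WORKFLOW_ID_RE.match(workflow_id):
        raise ValueError(f"id {workflow_id!r} must be lowercase letters, digits and hyphens, "
                         "and must not start or end with a hyphen")


def build_bulk_create_request(workflows: list, overwrite: bool = False) -> dict:
    """Return the URL, headers and JSON body for one bulk-create call.

    Each entry of `workflows` is a dict with a required 'yaml' key and an
    optional 'id' key, mirroring the request schema. json.dumps embeds the YAML
    text as a JSON string, producing the \\n escapes the curl sample writes by hand.
    """
    if len(workflows) > MAX_WORKFLOWS:
        raise ValueError(f"{len(workflows)} workflows exceeds maxItems {MAX_WORKFLOWS}")
    items = []
    for idx, wf in enumerate(workflows):
        if "yaml" not in wf:
            raise ValueError(f"workflows[{idx}] is missing the required 'yaml' field")
        if len(wf["yaml"]) > YAML_MAX_LEN:
            raise ValueError(f"workflows[{idx}].yaml exceeds maxLength {YAML_MAX_LEN}")
        item = {"yaml": wf["yaml"]}
        if "id" in wf:
            validate_workflow_id(wf["id"])
            item["id"] = wf["id"]
        items.append(item)
    base = os.environ.get("KIBANA_URL", "http://localhost:5601")  # fallback is an assumption
    return {
        "url": f"{base}/api/workflows?overwrite={'true' if overwrite else 'false'}",
        "headers": {
            "Authorization": f"ApiKey {os.environ.get('API_KEY', '<API_KEY>')}",
            "kbn-xsrf": "true",  # required header on this route (CSRF protection)
            "Content-Type": "application/json",
        },
        "body": json.dumps({"workflows": items}),
    }


def summarize_bulk_create_response(response: dict) -> dict:
    """Separate created workflow ids from failures so a caller can act on each group."""
    created = [entry["id"] for entry in response.get("created", [])]
    failures = response.get("failures", [])  # entry shape is not documented above; kept as-is
    return {"created": created, "failed": len(failures), "total": response.get("total", 0)}


if __name__ == "__main__":
    request = build_bulk_create_request(
        [{"yaml": EXAMPLE_YAML},
         {"id": "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901", "yaml": SECOND_YAML}],
        overwrite=False,
    )
    print(request["url"])
    print(request["body"])
    # Response taken from the documented example; a real call would send `request` with urllib.
    sample_response = {"created": [{"id": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
                                    "name": "Example definition"}],
                       "failures": [], "total": 1}
    print(summarize_bulk_create_response(sample_response))
```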
/api/workflows/aggs:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/workflows/aggs
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve distinct values and their counts for the specified workflow fields. Useful for building filters such as lists of tags or creators.
[Required authorization] Route required privileges: workflowsManagement:read.
operationId: get-workflows-aggs
parameters:
- description: Field or fields to aggregate on.
in: query
name: fields
required: true
schema:
description: Fields to aggregate on.
items:
description: Field name to aggregate.
type: string
maxItems: 25
type: array
responses:
'200':
content:
application/json:
examples:
getAggsResponseExample:
description: Example response with tag and createdBy aggregations
value:
createdBy:
- doc_count: 2
key: elastic
tags:
- doc_count: 1
key: reporting
- doc_count: 1
key: security
- doc_count: 1
key: triage
description: Indicates a successful response
summary: Get workflow aggregations
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/aggs?fields=tags&fields=createdBy" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/aggs?fields=tags&fields=createdBy
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/connectors:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/workflows/connectors
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve the Kibana action connectors that can be used in workflow steps, grouped by connector type. Each type includes its configured instances and availability status.
[Required authorization] Route required privileges: workflowsManagement:read.
operationId: get-workflows-connectors
parameters: []
responses:
'200':
content:
application/json:
examples:
getConnectorsResponseExample:
description: Example response with available connector types and their instances
value:
connectorTypes:
.email:
actionTypeId: .email
displayName: Email
enabled: true
enabledInConfig: true
enabledInLicense: true
instances: []
minimumLicenseRequired: gold
subActions:
- displayName: Send
name: send
.slack_api:
actionTypeId: .slack_api
displayName: Slack
enabled: true
enabledInConfig: true
enabledInLicense: true
instances:
- id: slack-connector-1
isDeprecated: false
isPreconfigured: false
name: Team Notifications
minimumLicenseRequired: gold
subActions:
- displayName: Post Message
name: postMessage
totalConnectors: 1
description: Indicates a successful response
summary: Get available connectors
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/connectors" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/connectors
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/executions/{executionId}:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve details of a single workflow execution by its ID.
[Required authorization] Route required privileges: workflowsManagement:readExecution.
operationId: get-workflows-executions-executionid
parameters:
- description: Workflow execution ID
in: path
name: executionId
required: true
schema:
type: string
- description: Include execution input data.
in: query
name: includeInput
required: false
schema:
default: false
type: boolean
- description: Include execution output data.
in: query
name: includeOutput
required: false
schema:
default: false
type: boolean
responses:
'200':
content:
application/json:
examples:
getExecutionResponseExample:
description: Example response returning a workflow execution with step details
value:
duration: 3000
executedBy: elastic
finishedAt: '2025-11-20T12:00:03.000Z'
id: exec-a1b2c3d4-e5f6-7890
input:
message: hello world
isTestRun: false
output: hello world
spaceId: default
startedAt: '2025-11-20T12:00:00.000Z'
status: completed
stepExecutions:
- executionTimeMs: 1000
finishedAt: '2025-11-20T12:00:02.000Z'
globalExecutionIndex: 0
id: step-exec-001
isTestRun: false
scopeStack: []
spaceId: default
startedAt: '2025-11-20T12:00:01.000Z'
status: completed
stepExecutionIndex: 0
stepId: hello_world_step
stepType: console
topologicalIndex: 0
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
workflowRunId: exec-a1b2c3d4-e5f6-7890
triggeredBy: manual
workflowDefinition:
description: This is a workflow example
enabled: true
inputs:
- default: hello world
name: message
type: string
name: Example definition
steps:
- name: hello_world_step
type: console
with:
message: '{{ inputs.message }}'
triggers:
- type: manual
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
yaml: |
name: Example definition
enabled: true
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
description: Indicates a successful response
summary: Get a workflow execution
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/executions/{executionId}?includeInput=true&includeOutput=true" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/executions/{executionId}?includeInput=true&includeOutput=true
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/executions/{executionId}/cancel:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve child workflow executions spawned by sub-workflow steps within a parent execution.
/api/workflows/executions/{executionId}/logs:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve paginated logs for a workflow execution. Optionally filter by a specific step execution.
[Required authorization] Route required privileges: workflowsManagement:readExecution.
operationId: get-workflows-executions-executionid-logs
parameters:
- description: Workflow execution ID
in: path
name: executionId
required: true
schema:
type: string
- description: Filter logs by a specific step execution ID.
in: query
name: stepExecutionId
required: false
schema:
type: string
- description: Number of log entries per page.
in: query
name: size
required: false
schema:
default: 100
maximum: 100
minimum: 1
type: number
- description: Page number.
in: query
name: page
required: false
schema:
default: 1
minimum: 1
type: number
- description: Field to sort by.
in: query
name: sortField
required: false
schema:
type: string
- description: Sort order.
in: query
name: sortOrder
required: false
schema:
enum:
- asc
- desc
type: string
responses:
'200':
content:
application/json:
examples:
getExecutionLogsResponseExample:
description: Example response returning paginated execution logs
value:
logs:
- additionalData:
executionId: exec-a1b2c3d4-e5f6-7890
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
connectorType: console
duration: 150
id: log-001
level: info
message: Workflow execution started
stepId: hello_world_step
stepName: Hello World
timestamp: '2025-11-20T12:00:01.000Z'
- additionalData:
executionId: exec-a1b2c3d4-e5f6-7890
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
connectorType: console
duration: 200
id: log-002
level: info
message: Step completed successfully
stepId: hello_world_step
stepName: Hello World
timestamp: '2025-11-20T12:00:02.000Z'
page: 1
size: 100
total: 2
description: Indicates a successful response
summary: Get execution logs
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/executions/{executionId}/logs?size=100&page=1" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/executions/{executionId}/logs?size=100&page=1
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/executions/{executionId}/resume:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Resume a paused workflow execution with the provided input.
[Required authorization] Route required privileges: workflowsManagement:execute.
operationId: post-workflows-executions-executionid-resume
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Workflow execution ID
in: path
name: executionId
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
resumeExecutionRequestExample:
description: Example request to resume a paused workflow execution
value:
input:
approved: true
comment: Approved by analyst
schema:
additionalProperties: false
type: object
properties:
input:
additionalProperties:
nullable: true
description: Input data to resume the execution with.
type: object
required:
- input
responses:
'200':
content:
application/json:
examples:
resumeExecutionResponseExample:
description: Example response confirming the resume was scheduled
value:
executionId: exec-a1b2c3d4-e5f6-7890
message: Workflow resume scheduled
success: true
description: Indicates a successful response
summary: Resume a workflow execution
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows/executions/{executionId}/resume" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"input": {
"approved": true,
"comment": "Approved by analyst"
}
}'
- lang: Console
source: |
POST kbn://api/workflows/executions/{executionId}/resume
{
"input": {
"approved": true,
"comment": "Approved by analyst"
}
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/executions/{executionId}/step/{stepExecutionId}:
get:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve details of a single step execution within a workflow execution.
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Export one or more workflows as JSON with YAML content and metadata.
/api/workflows/mget:
post:
description: |-
**Spaces method and path for this operation:**
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve multiple workflows by their IDs in a single request. Optionally use the `source` parameter to return only specific fields from each workflow document.
[Required authorization] Route required privileges: workflowsManagement:read.
operationId: post-workflows-mget
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
mgetWorkflowsRequestExample:
description: Example request to retrieve multiple workflows by their IDs
value:
ids:
- workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
- workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
source:
- name
- enabled
schema:
additionalProperties: false
type: object
properties:
ids:
description: Array of workflow IDs to look up.
items:
description: Workflow ID.
maxLength: 255
type: string
maxItems: 500
minItems: 1
type: array
source:
description: Array of source fields to include.
items:
description: Source field.
maxLength: 255
type: string
maxItems: 10
minItems: 1
type: array
required:
- ids
responses:
'200':
content:
application/json:
examples:
mgetWorkflowsResponseExample:
description: Example response returning the requested workflows with projected fields
value:
- enabled: true
id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
name: Example definition
- enabled: false
id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
name: Second workflow
description: Indicates a successful response
summary: Get workflows by IDs
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows/mget" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"],
"source": ["name", "enabled"]
}'
- lang: Console
source: |
POST kbn://api/workflows/mget
{
"ids": ["workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890", "workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901"],
"source": ["name", "enabled"]
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/schema:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/workflows/schema
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve the JSON schema used to validate workflow YAML definitions. The schema includes available step types based on the configured connectors in the current space.
[Required authorization] Route required privileges: workflowsManagement:read.
operationId: get-workflows-schema
parameters:
- description: When true, returns a permissive schema that allows additional properties. When false, returns a strict schema for full validation.
in: query
name: loose
required: true
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
getSchemaResponseExample:
description: Example response returning the workflow JSON schema (truncated)
value:
$schema: http://json-schema.org/draft-07/schema#
type: object
properties:
description:
type: string
enabled:
default: true
type: boolean
name:
minLength: 1
type: string
tags:
items:
type: string
type: array
version:
const: '1'
default: '1'
description: The version of the workflow schema
type: string
required:
- name
- triggers
- steps
description: Indicates a successful response
summary: Get workflow JSON schema
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/schema?loose=false" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/schema?loose=false
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/stats:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/workflows/stats
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve summary statistics about workflows, including total, enabled, and disabled counts; execution history metrics for the last 30 days are included only when the caller has execution read privilege.
[Required authorization] Route required privileges: workflowsManagement:read OR workflowsManagement:readExecution.
operationId: get-workflows-stats
parameters: []
responses:
'200':
content:
application/json:
examples:
getStatsResponseExample:
description: Example response with workflow counts and 30-day execution history
value:
executions:
- cancelled: 1
completed: 45
date: '2025-11-20'
failed: 2
timestamp: '2025-11-20T00:00:00.000Z'
- cancelled: 0
completed: 50
date: '2025-11-21'
failed: 0
timestamp: '2025-11-21T00:00:00.000Z'
workflows:
disabled: 3
enabled: 12
description: Indicates a successful response
summary: Get workflow statistics
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/stats" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/stats
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/step/test:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/workflows/step/test
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Execute a single step from a workflow definition in test mode.
[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.
operationId: post-workflows-step-test
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
testStepRequestExample:
description: Example request to test a single workflow step
value:
contextOverride:
inputs:
message: override message
stepId: hello_world_step
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
workflowYaml: |
name: Example definition
enabled: true
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
schema:
additionalProperties: false
type: object
properties:
contextOverride:
additionalProperties:
nullable: true
description: Context overrides for the step execution.
type: object
executionContext:
additionalProperties:
nullable: true
description: Execution context for the step execution.
type: object
stepId:
description: ID of the step to test.
type: string
workflowId:
description: ID of the workflow containing the step.
type: string
workflowYaml:
description: YAML definition of the workflow containing the step.
type: string
required:
- stepId
- contextOverride
- workflowYaml
responses:
'200':
content:
application/json:
examples:
testStepResponseExample:
description: Example response returning the step test execution ID
value:
workflowExecutionId: step-test-exec-a1b2c3d4
description: Indicates a successful response
summary: Test a workflow step
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows/step/test" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"stepId": "hello_world_step",
"workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"",
"contextOverride": { "inputs": { "message": "override message" } }
}'
- lang: Console
source: |
POST kbn://api/workflows/step/test
{
"stepId": "hello_world_step",
"workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"workflowYaml": "name: Example definition\nenabled: true\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"",
"contextOverride": { "inputs": { "message": "override message" } }
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/test:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/workflows/test
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Execute a workflow in test mode without requiring it to be saved or enabled. Provide either a workflow ID to test a saved workflow, a YAML definition to test an unsaved draft, or both to test a modified version of an existing workflow.
[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.
operationId: post-workflows-test
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
testWorkflowByIdRequestExample:
description: Example request to test a saved workflow by its ID
value:
inputs:
message: test message
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
testWorkflowByYamlRequestExample:
description: Example request to test an unsaved workflow YAML draft
value:
inputs:
message: test message
workflowYaml: |
name: Example definition
enabled: true
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
schema:
additionalProperties: false
type: object
properties:
inputs:
additionalProperties:
nullable: true
description: Key-value inputs for the test execution.
type: object
workflowId:
description: ID of an existing workflow to test.
type: string
workflowYaml:
description: YAML definition to test.
type: string
required:
- inputs
responses:
'200':
content:
application/json:
examples:
testWorkflowResponseExample:
description: Example response returning the test execution ID
value:
workflowExecutionId: test-exec-a1b2c3d4-e5f6
description: Indicates a successful response
summary: Test a workflow
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows/test" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"inputs": { "message": "test message" }
}'
- lang: Console
source: |
POST kbn://api/workflows/test
{
"workflowId": "workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"inputs": { "message": "test message" }
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/workflow:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/workflows/workflow
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a new workflow from a YAML definition. The YAML is validated and parsed before the workflow is saved. An optional custom ID can be provided.
[Required authorization] Route required privileges: workflowsManagement:create.
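The curl and Console samples below embed the YAML definition as a hand-escaped JSON string. The following client helper, an added example rather than Kibana's own code, builds the same request from a plain YAML string and checks the `id` and `yaml` constraints declared in the request schema (pattern, length bounds, 1048576-character limit) before anything is sent, so a malformed ID fails locally instead of as a 400 from the server. The `kibana_url`, `api_key` and `space_id` values are caller-supplied assumptions; the sample YAML in the `__main__` block is copied from the request example on this page.

```python
import json
import re
import urllib.request
from urllib.parse import quote

# Constraints copied from the `id` and `yaml` properties of the request schema.
WORKFLOW_ID_PATTERN = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")
WORKFLOW_ID_MIN, WORKFLOW_ID_MAX = 3, 255
YAML_MAX_LENGTH = 1048576


def validate_workflow_id(workflow_id: str) -> bool:
    """True if the custom ID satisfies the schema's pattern and length bounds."""
    return (WORKFLOW_ID_MIN <= len(workflow_id) <= WORKFLOW_ID_MAX
            and WORKFLOW_ID_PATTERN.match(workflow_id) is not None)


def build_create_workflow_request(kibana_url, api_key, yaml_text,
                                  workflow_id=None, space_id=None):
    """Assemble (url, headers, body) for POST /api/workflows/workflow.

    Raises ValueError for input the server's schema would reject. The
    space-scoped form /s/{space_id}/api/workflows/workflow is used when a
    space_id is given (an assumption about the caller's deployment).
    """
    if len(yaml_text) > YAML_MAX_LENGTH:
        raise ValueError(f"yaml exceeds maxLength {YAML_MAX_LENGTH}")
    payload = {"yaml": yaml_text}
    if workflow_id is not None:
        if not validate_workflow_id(workflow_id):
            raise ValueError(f"invalid workflow id: {workflow_id!r}")
        payload["id"] = workflow_id

    path = "/api/workflows/workflow"
    if space_id is not None:
        path = f"/s/{quote(space_id, safe='')}{path}"
    headers = {
        "Authorization": f"ApiKey {api_key}",
        "kbn-xsrf": "true",           # required on every mutating request
        "Content-Type": "application/json",
    }
    # json.dumps escapes the newlines and quotes inside the YAML, so the
    # definition never needs the manual \n / \" escaping seen in the samples.
    return kibana_url.rstrip("/") + path, headers, json.dumps(payload)


def send_create_workflow(url, headers, body, timeout=30):
    """POST the prepared request and return the parsed JSON response."""
    req = urllib.request.Request(url, data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Definition copied from the createWorkflowRequestExample on this page.
    example_yaml = (
        "name: Example definition\n"
        "enabled: true\n"
        "description: This is a workflow example\n"
        "triggers:\n  - type: manual\n"
        "inputs:\n  - name: message\n    type: string\n    default: \"hello world\"\n"
        "steps:\n  - name: hello_world_step\n    type: console\n"
        "    with:\n      message: \"{{ inputs.message }}\"\n"
    )
    url, headers, body = build_create_workflow_request(
        "https://localhost:5601", "REPLACE_WITH_API_KEY", example_yaml,
        workflow_id="workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
        space_id="default")
    print(url)
    print(body)
    # send_create_workflow(url, headers, body)  # uncomment against a live Kibana
```

The validator mirrors the schema exactly: uppercase letters, a leading or trailing hyphen, and IDs shorter than three characters are all rejected, which matches what the server enforces.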
operationId: post-workflows-workflow
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
requestBody:
content:
application/json:
examples:
createWorkflowRequestExample:
description: Example request for creating a workflow from a YAML definition
value:
yaml: |
name: Example definition
enabled: true
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
createWorkflowWithIdRequestExample:
description: Example request for creating a workflow with a custom ID
value:
id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
yaml: |
name: Example definition
enabled: true
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
schema:
additionalProperties: false
type: object
properties:
id:
maxLength: 255
minLength: 3
pattern: ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$
type: string
yaml:
maxLength: 1048576
type: string
required:
- yaml
responses:
'200':
content:
application/json:
examples:
createWorkflowResponseExample:
description: Example response returning the created workflow
value:
createdAt: '2025-11-20T10:30:00.000Z'
createdBy: elastic
definition:
description: This is a workflow example
enabled: true
inputs:
- default: hello world
name: message
type: string
name: Example definition
steps:
- name: hello_world_step
type: console
with:
message: '{{ inputs.message }}'
triggers:
- type: manual
description: This is a workflow example
enabled: true
id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
lastUpdatedAt: '2025-11-20T10:30:00.000Z'
lastUpdatedBy: elastic
name: Example definition
valid: true
yaml: |
name: Example definition
enabled: true
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
description: Indicates a successful response
summary: Create a workflow
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows/workflow" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n"
}'
- lang: Console
source: |
POST kbn://api/workflows/workflow
{
"yaml": "name: Example definition\nenabled: true\ndescription: This is a workflow example\ntriggers:\n - type: manual\ninputs:\n - name: message\n type: string\n default: \"hello world\"\nsteps:\n - name: hello_world_step\n type: console\n with:\n message: \"{{ inputs.message }}\"\n"
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/workflow/{id}:
delete:
description: |-
**Spaces method and path for this operation:**
delete/s/{space_id}/api/workflows/workflow/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Delete a single workflow by its ID.
[Required authorization] Route required privileges: workflowsManagement:delete.
operationId: delete-workflows-workflow-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Workflow ID
in: path
name: id
required: true
schema:
type: string
- description: When true, permanently deletes the workflow (hard delete) instead of soft-deleting it. The workflow ID becomes available for reuse.
in: query
name: force
required: false
schema:
default: false
type: boolean
responses:
'200':
description: Indicates a successful response
summary: Delete a workflow
tags:
- workflows
x-codeSamples:
- label: Soft delete (default)
lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- label: Hard delete (permanent)
lang: curl
source: |
curl \
-X DELETE "${KIBANA_URL}/api/workflows/workflow/{id}?force=true" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
DELETE kbn://api/workflows/workflow/{id}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/workflows/workflow/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a single workflow by its ID.
[Required authorization] Route required privileges: workflowsManagement:read.
operationId: get-workflows-workflow-id
parameters:
- description: Workflow ID
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getWorkflowResponseExample:
description: Example response returning a single workflow
value:
createdAt: '2025-11-20T10:30:00.000Z'
createdBy: elastic
definition:
description: This is a workflow example
enabled: true
inputs:
- default: hello world
name: message
type: string
name: Example definition
steps:
- name: hello_world_step
type: console
with:
message: '{{ inputs.message }}'
triggers:
- type: manual
description: This is a workflow example
enabled: true
id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
lastUpdatedAt: '2025-11-21T14:00:00.000Z'
lastUpdatedBy: elastic
name: Example definition
valid: true
yaml: |
name: Example definition
enabled: true
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
description: Indicates a successful response
summary: Get a workflow
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/workflow/{id}" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/workflow/{id}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
put:
description: |-
**Spaces method and path for this operation:**
put/s/{space_id}/api/workflows/workflow/{id}
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Partially update an existing workflow. You can update individual fields such as name, description, enabled state, tags, or the YAML definition without providing all fields.
[Required authorization] Route required privileges: workflowsManagement:update.
operationId: put-workflows-workflow-id
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Workflow ID
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
updateWorkflowEnableExample:
description: Example request to enable a workflow and update its tags
value:
enabled: true
tags:
- production
updateWorkflowFullExample:
description: Example request to update multiple workflow fields
value:
description: Updated workflow description
enabled: true
name: Updated example
tags:
- example
- updated
yaml: |
name: Updated example
enabled: true
description: Updated workflow description
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
schema:
additionalProperties: false
type: object
properties:
description:
type: string
enabled:
type: boolean
name:
type: string
tags:
items:
type: string
type: array
yaml:
type: string
responses:
'200':
content:
application/json:
examples:
updateWorkflowResponseExample:
description: Example response returning the updated workflow
value:
enabled: false
id: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
lastUpdatedAt: '2026-03-23T13:38:59.568Z'
lastUpdatedBy: elastic
valid: true
validationErrors: []
description: Indicates a successful response
summary: Update a workflow
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X PUT "${KIBANA_URL}/api/workflows/workflow/{id}" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"enabled": true,
"tags": ["production"]
}'
- lang: Console
source: |
PUT kbn://api/workflows/workflow/{id}
{
"enabled": true,
"tags": ["production"]
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/workflow/{id}/clone:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/workflows/workflow/{id}/clone
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Create a copy of an existing workflow.
[Required authorization] Route required privileges: workflowsManagement:create AND workflowsManagement:read.
operationId: post-workflows-workflow-id-clone
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Workflow ID
in: path
name: id
required: true
schema:
type: string
responses:
'200':
content:
application/json:
examples:
cloneWorkflowResponseExample:
description: Example response returning the cloned workflow with a new ID
value:
createdAt: '2025-11-22T11:00:00.000Z'
createdBy: elastic
definition:
description: This is a workflow example
enabled: false
inputs:
- default: hello world
name: message
type: string
name: Example definition (copy)
steps:
- name: hello_world_step
type: console
with:
message: '{{ inputs.message }}'
triggers:
- type: manual
description: This is a workflow example
enabled: false
id: workflow-b2c3d4e5-f6a7-8901-bcde-f12345678901
lastUpdatedAt: '2025-11-22T11:00:00.000Z'
lastUpdatedBy: elastic
name: Example definition (copy)
valid: true
yaml: |
name: Example definition (copy)
enabled: false
description: This is a workflow example
triggers:
- type: manual
inputs:
- name: message
type: string
default: "hello world"
steps:
- name: hello_world_step
type: console
with:
message: "{{ inputs.message }}"
description: Indicates a successful response
summary: Clone a workflow
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows/workflow/{id}/clone" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
POST kbn://api/workflows/workflow/{id}/clone
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/workflow/{id}/run:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/workflows/workflow/{id}/run
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Execute a workflow by its ID with the provided inputs. The workflow must be enabled and have a valid definition. Returns an execution ID that can be used to monitor progress.
[Required authorization] Route required privileges: workflowsManagement:execute AND workflowsManagement:read.
operationId: post-workflows-workflow-id-run
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Workflow ID
in: path
name: id
required: true
schema:
type: string
requestBody:
content:
application/json:
examples:
runWorkflowRequestExample:
description: Example request to execute a workflow with inputs
value:
inputs:
message: hello from the API
schema:
additionalProperties: false
type: object
properties:
inputs:
additionalProperties:
nullable: true
description: Key-value inputs for the workflow execution.
type: object
metadata:
additionalProperties:
nullable: true
description: Optional metadata for the execution.
type: object
required:
- inputs
responses:
'200':
content:
application/json:
examples:
runWorkflowResponseExample:
description: Example response returning the execution ID
value:
workflowExecutionId: exec-a1b2c3d4-e5f6-7890
description: Indicates a successful response
summary: Run a workflow
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows/workflow/{id}/run" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-d '{
"inputs": {
"message": "hello from the API"
}
}'
- lang: Console
source: |
POST kbn://api/workflows/workflow/{id}/run
{
"inputs": {
"message": "hello from the API"
}
}
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/workflow/{workflowId}/executions:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/workflows/workflow/{workflowId}/executions
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a paginated list of executions for a specific workflow.
[Required authorization] Route required privileges: workflowsManagement:readExecution.
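Listing executions is paginated (`page`, `size`, `total`) and the filter parameters carry enum and `maxItems` limits. The helper below, an added example and not part of Kibana, builds a query string that honours those limits, walks every page of results, and collects the failed runs with their error messages. It keeps `omitStepRuns=true` by default so step-level data (which includes step inputs) is not pulled unless explicitly requested. The `fetch_page` callable is an assumption: it receives the workflow ID and query string and returns the parsed JSON body, so the function can be exercised offline with constructed pages and wired to a real `urllib` call via `make_fetch_page`.

```python
import json
import urllib.request
from urllib.parse import urlencode

# Enumerations and limits copied from the query-parameter schema on this page.
EXECUTION_STATUSES = {"pending", "waiting", "waiting_for_input", "running",
                      "completed", "failed", "cancelled", "timed_out", "skipped"}
EXECUTION_TYPES = {"test", "production"}
MAX_PAGE_SIZE = 100
MAX_EXECUTED_BY = 100


def build_executions_query(statuses=(), execution_types=(), executed_by=(),
                           page=1, size=MAX_PAGE_SIZE, omit_step_runs=True):
    """Return the query string for GET .../workflow/{workflowId}/executions.

    Values outside the documented enums or limits raise ValueError locally.
    """
    unknown = set(statuses) - EXECUTION_STATUSES
    if unknown:
        raise ValueError(f"unknown statuses: {sorted(unknown)}")
    unknown = set(execution_types) - EXECUTION_TYPES
    if unknown:
        raise ValueError(f"unknown execution types: {sorted(unknown)}")
    if len(executed_by) > MAX_EXECUTED_BY:
        raise ValueError(f"executedBy accepts at most {MAX_EXECUTED_BY} values")
    if page < 1 or not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError("page must be >= 1 and 1 <= size <= 100")
    params = [("page", page), ("size", size),
              ("omitStepRuns", "true" if omit_step_runs else "false")]
    params += [("statuses", s) for s in statuses]
    params += [("executionTypes", t) for t in execution_types]
    params += [("executedBy", u) for u in executed_by]
    return urlencode(params)


def iter_executions(fetch_page, workflow_id, **filters):
    """Yield every execution matching the filters, following page/size/total.

    fetch_page(workflow_id, query_string) -> parsed JSON body (assumed shape:
    the getWorkflowExecutionsResponseExample on this page).
    """
    page, seen = 1, 0
    while True:
        body = fetch_page(workflow_id, build_executions_query(page=page, **filters))
        results = body.get("results", [])
        for item in results:
            yield item
        seen += len(results)
        if not results or seen >= body.get("total", 0):
            return
        page += 1


def failed_executions(fetch_page, workflow_id):
    """Return [(execution id, error message)] for every failed run."""
    return [(e["id"], (e.get("error") or {}).get("message"))
            for e in iter_executions(fetch_page, workflow_id, statuses=("failed",))]


def make_fetch_page(kibana_url, api_key, space_id="default", timeout=30):
    """Build a real fetch_page over the space-scoped executions endpoint."""
    def fetch_page(workflow_id, query_string):
        url = (f"{kibana_url.rstrip('/')}/s/{space_id}/api/workflows/workflow/"
               f"{workflow_id}/executions?{query_string}")
        req = urllib.request.Request(
            url, headers={"Authorization": f"ApiKey {api_key}"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    return fetch_page


if __name__ == "__main__":
    # Constructed pages shaped like the response example on this page.
    pages = {
        1: {"page": 1, "size": 1, "total": 2, "results": [
            {"id": "exec-002", "status": "failed",
             "error": {"message": "Step 'hello_world_step' failed"}}]},
        2: {"page": 2, "size": 1, "total": 2, "results": [
            {"id": "exec-003", "status": "failed", "error": None}]},
    }

    def fake_fetch(workflow_id, qs):
        page = int(dict(p.split("=") for p in qs.split("&"))["page"])
        return pages[page]

    for exec_id, message in failed_executions(fake_fetch, "workflow-demo"):
        print(exec_id, message)
```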
operationId: get-workflows-workflow-workflowid-executions
parameters:
- description: Workflow ID
in: path
name: workflowId
required: true
schema:
type: string
- description: Filter by execution status.
in: query
name: statuses
required: false
schema:
items:
enum:
- pending
- waiting
- waiting_for_input
- running
- completed
- failed
- cancelled
- timed_out
- skipped
type: string
maxItems: 9
type: array
- description: Filter by execution type.
in: query
name: executionTypes
required: false
schema:
items:
enum:
- test
- production
type: string
maxItems: 2
type: array
- description: Filter by the user who triggered the execution.
in: query
name: executedBy
required: false
schema:
items:
type: string
maxItems: 100
type: array
- description: Whether to exclude step-level execution data.
in: query
name: omitStepRuns
required: false
schema:
type: boolean
- description: Page number.
in: query
name: page
required: false
schema:
minimum: 1
type: number
- description: Number of results per page.
in: query
name: size
required: false
schema:
maximum: 100
minimum: 1
type: number
responses:
'200':
content:
application/json:
examples:
getWorkflowExecutionsResponseExample:
description: Example response returning a paginated list of executions for a workflow
value:
page: 1
results:
- duration: 3000
error: null
executedBy: elastic
finishedAt: '2025-11-20T12:00:03.000Z'
id: exec-001
isTestRun: false
spaceId: default
startedAt: '2025-11-20T12:00:00.000Z'
status: completed
triggeredBy: manual
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
- duration: 2000
error:
message: Step 'hello_world_step' failed
executedBy: elastic
finishedAt: '2025-11-20T13:00:02.000Z'
id: exec-002
isTestRun: false
spaceId: default
startedAt: '2025-11-20T13:00:00.000Z'
status: failed
triggeredBy: manual
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
size: 20
total: 2
description: Indicates a successful response
summary: Get workflow executions
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions?page=1&size=20" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/workflow/{workflowId}/executions?page=1&size=20
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/workflow/{workflowId}/executions/cancel:
post:
description: |-
**Spaces method and path for this operation:**
post/s/{space_id}/api/workflows/workflow/{workflowId}/executions/cancel
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Request cancellation for all non-terminal executions of the given workflow in the current space.
[Required authorization] Route required privileges: workflowsManagement:cancelExecution.
operationId: post-workflows-workflow-workflowid-executions-cancel
parameters:
- description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
- description: Workflow ID
in: path
name: workflowId
required: true
schema:
type: string
responses:
'200':
description: Indicates a successful response
summary: Cancel all active workflow executions
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X POST "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/cancel" \
-H "Authorization: ApiKey ${API_KEY}" \
-H "kbn-xsrf: true"
- lang: Console
source: |
POST kbn://api/workflows/workflow/{workflowId}/executions/cancel
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/api/workflows/workflow/{workflowId}/executions/steps:
get:
description: |-
**Spaces method and path for this operation:**
get/s/{space_id}/api/workflows/workflow/{workflowId}/executions/steps
Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
Retrieve a paginated list of step-level execution records for a specific workflow. Optionally filter by step ID and include input or output data.
[Required authorization] Route required privileges: workflowsManagement:readExecution.
operationId: get-workflows-workflow-workflowid-executions-steps
parameters:
- description: Workflow ID
in: path
name: workflowId
required: true
schema:
type: string
- description: Filter by step ID.
in: query
name: stepId
required: false
schema:
type: string
- description: Include step input data.
in: query
name: includeInput
required: false
schema:
type: boolean
- description: Include step output data.
in: query
name: includeOutput
required: false
schema:
type: boolean
- description: Page number for pagination.
in: query
name: page
required: false
schema:
minimum: 1
type: number
- description: Number of results per page.
in: query
name: size
required: false
schema:
maximum: 100
minimum: 1
type: number
responses:
'200':
content:
application/json:
examples:
getWorkflowStepExecutionsResponseExample:
description: Example response returning step execution records for a workflow
value:
results:
- executionTimeMs: 1000
finishedAt: '2025-11-20T12:00:02.000Z'
globalExecutionIndex: 0
id: step-exec-001
input:
message: hello world
isTestRun: false
scopeStack: []
spaceId: default
startedAt: '2025-11-20T12:00:01.000Z'
status: completed
stepExecutionIndex: 0
stepId: hello_world_step
stepType: console
topologicalIndex: 0
workflowId: workflow-a1b2c3d4-e5f6-7890-abcd-ef1234567890
workflowRunId: exec-001
total: 1
description: Indicates a successful response
summary: Get workflow step executions
tags:
- workflows
x-codeSamples:
- lang: curl
source: |
curl \
-X GET "${KIBANA_URL}/api/workflows/workflow/{workflowId}/executions/steps?includeInput=true" \
-H "Authorization: ApiKey ${API_KEY}"
- lang: Console
source: |
GET kbn://api/workflows/workflow/{workflowId}/executions/steps?includeInput=true
x-state: Generally available; added in 9.4.0
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos:
get:
description: |
You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: findSlosOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- description: A valid KQL query to filter the SLOs with
example: 'slo.name:latency* and slo.tags : "prod"'
in: query
name: kqlQuery
schema:
type: string
- description: The page size to use for cursor-based pagination, must be greater than or equal to 1
example: 1
in: query
name: size
schema:
default: 1
type: integer
- description: The cursor to use for fetching the results from, when using cursor-based pagination.
in: query
name: searchAfter
schema:
items:
type: string
type: array
- description: The page to use for pagination, must be greater than or equal to 1
example: 1
in: query
name: page
schema:
default: 1
type: integer
- description: Number of SLOs returned by page
example: 25
in: query
name: perPage
schema:
default: 25
maximum: 5000
type: integer
- description: Sort by field
example: status
in: query
name: sortBy
schema:
default: status
enum:
- sli_value
- status
- error_budget_consumed
- error_budget_remaining
type: string
- description: Sort order
example: asc
in: query
name: sortDirection
schema:
default: asc
enum:
- asc
- desc
type: string
- description: Hide stale SLOs from the list, as defined by the stale SLO threshold in the SLO settings
in: query
name: hideStale
schema:
type: boolean
responses:
'200':
content:
application/json:
examples:
findSloResponse:
summary: A paginated list of SLOs
value:
page: 1
perPage: 25
results:
- budgetingMethod: occurrences
createdAt: '2025-01-12T10:03:19.000Z'
description: Availability of my web service
enabled: true
groupBy: '*'
id: 8853df00-ae2e-11ed-90af-09bb6422b258
indicator:
params:
filter: 'field.environment : "production" and service.name : "my-service"'
good: 'request.status_code : "2xx"'
index: logs-*
timestampField: '@timestamp'
total: 'request.status_code : *'
type: sli.kql.custom
instanceId: '*'
name: My Service Availability
objective:
target: 0.99
revision: 1
settings:
frequency: 5m
syncDelay: 5m
summary:
errorBudget:
consumed: 0.17
initial: 0.01
isEstimated: false
remaining: 0.83
sliValue: 0.9983
status: HEALTHY
tags:
- production
- web-service
timeWindow:
duration: 30d
type: rolling
updatedAt: '2025-01-12T10:03:19.000Z'
version: 2
total: 42
schema:
$ref: '#/components/schemas/SLOs_find_slo_response'
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''invalid'' supplied to: sortBy'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_read] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
'404':
content:
application/json:
examples:
notFoundExample:
summary: Not found
value:
error: Not Found
message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
statusCode: 404
schema:
$ref: '#/components/schemas/SLOs_404_response'
description: Not found response
summary: Get a paginated list of SLOs
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
post:
description: |
You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: createSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
requestBody:
content:
application/json:
examples:
createSloKqlExample:
summary: Create an SLO with a KQL indicator
value:
budgetingMethod: occurrences
description: Availability of my web service measured by successful HTTP responses
indicator:
params:
filter: 'field.environment : "production" and service.name : "my-service"'
good: 'request.status_code : "2xx"'
index: logs-*
timestampField: '@timestamp'
total: 'request.status_code : *'
type: sli.kql.custom
name: My Service Availability
objective:
target: 0.99
settings:
frequency: 5m
syncDelay: 5m
tags:
- production
- web-service
timeWindow:
duration: 30d
type: rolling
schema:
$ref: '#/components/schemas/SLOs_create_slo_request'
required: true
responses:
'200':
content:
application/json:
examples:
createSloResponse:
summary: Create SLO response
value:
id: 8853df00-ae2e-11ed-90af-09bb6422b258
schema:
$ref: '#/components/schemas/SLOs_create_slo_response'
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: indicator/type'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
'409':
content:
application/json:
examples:
conflictExample:
summary: Conflict
value:
error: Conflict
message: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists
statusCode: 409
schema:
$ref: '#/components/schemas/SLOs_409_response'
description: Conflict - The SLO id already exists
summary: Create an SLO
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos/_bulk_delete:
post:
description: |
Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}` endpoint with the returned `taskId`.
operationId: bulkDeleteOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
requestBody:
content:
application/json:
examples:
bulkDeleteRequest:
summary: Bulk delete two SLOs
value:
list:
- 8853df00-ae2e-11ed-90af-09bb6422b258
- d077e940-1515-11ee-9c50-9d096392f520
schema:
$ref: '#/components/schemas/SLOs_bulk_delete_request'
required: true
responses:
'200':
content:
application/json:
examples:
bulkDeleteResponse:
summary: Bulk delete response with task ID
value:
taskId: d08506b7-f0e8-4f8b-a06a-a83940f4db91
schema:
$ref: '#/components/schemas/SLOs_bulk_delete_response'
description: Successful response
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: list'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
summary: Bulk delete SLO definitions and their associated summary and rollup data.
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}:
get:
description: |
Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation.
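Bulk deletion is asynchronous: the POST returns a `taskId`, and the caller polls this endpoint until `isDone` is true, then inspects each entry of `results`, since the operation can finish with some IDs deleted and others failed (the partial-failure example above). The poller below is an added example, not Kibana's own code; it separates the response handling from the transport so it can be checked offline with constructed status bodies. The `fetch_status` callable, the `kibana_url`, `api_key` and `space_id` values are assumptions of the example.

```python
import json
import time
import urllib.request


def summarize_bulk_delete_status(status):
    """Split a status body into (is_done, succeeded ids, {id: error message})."""
    succeeded, failed = [], {}
    for item in status.get("results") or []:
        if item.get("success"):
            succeeded.append(item["id"])
        else:
            failed[item["id"]] = item.get("error", "unknown error")
    return bool(status.get("isDone")), succeeded, failed


def wait_for_bulk_delete(fetch_status, task_id, attempts=30, delay=2.0,
                         sleep=time.sleep):
    """Poll fetch_status(task_id) until isDone; return (succeeded, failed).

    Raises TimeoutError if the task is still running after `attempts` polls,
    so a stuck task is surfaced rather than silently treated as finished.
    """
    for _ in range(attempts):
        done, succeeded, failed = summarize_bulk_delete_status(fetch_status(task_id))
        if done:
            return succeeded, failed
        sleep(delay)
    raise TimeoutError(f"bulk delete task {task_id} not done after {attempts} polls")


def make_status_fetcher(kibana_url, api_key, space_id="default", timeout=30):
    """Real fetch_status over GET /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}."""
    def fetch_status(task_id):
        url = (f"{kibana_url.rstrip('/')}/s/{space_id}/api/observability/slos/"
               f"_bulk_delete/{task_id}")
        req = urllib.request.Request(url, headers={
            "Authorization": f"ApiKey {api_key}",
            "kbn-xsrf": "true",
        })
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    return fetch_status


if __name__ == "__main__":
    # Constructed status bodies shaped like the examples on this page: one
    # in-progress poll, then completion with one failure.
    bodies = iter([
        {"isDone": False, "results": []},
        {"isDone": True, "results": [
            {"id": "8853df00-ae2e-11ed-90af-09bb6422b258", "success": True},
            {"id": "d077e940-1515-11ee-9c50-9d096392f520", "success": False,
             "error": "SLO [d077e940-1515-11ee-9c50-9d096392f520] not found"}]},
    ])
    ok, bad = wait_for_bulk_delete(lambda task_id: next(bodies),
                                   "d08506b7-f0e8-4f8b-a06a-a83940f4db91",
                                   sleep=lambda s: None)
    print("deleted:", ok)
    print("failed:", bad)
```

Treat a non-empty `failed` mapping as an actionable result rather than an error to retry blindly: a `not found` entry usually means the SLO was already gone, while other messages warrant a look before re-submitting the ID.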
operationId: bulkDeleteStatusOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- description: The task id of the bulk delete operation
in: path
name: taskId
required: true
schema:
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
responses:
'200':
content:
application/json:
examples:
bulkDeleteStatusComplete:
summary: Completed bulk deletion
value:
isDone: true
results:
- id: 8853df00-ae2e-11ed-90af-09bb6422b258
success: true
- id: d077e940-1515-11ee-9c50-9d096392f520
success: true
bulkDeleteStatusPartialFailure:
summary: Completed with partial failure
value:
isDone: true
results:
- id: 8853df00-ae2e-11ed-90af-09bb6422b258
success: true
- error: SLO [d077e940-1515-11ee-9c50-9d096392f520] not found
id: d077e940-1515-11ee-9c50-9d096392f520
success: false
schema:
$ref: '#/components/schemas/SLOs_bulk_delete_status_response'
description: Successful response
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: taskId'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
summary: Retrieve the status of the bulk deletion
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos/_bulk_purge_rollup:
post:
description: |
The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: deleteRollupDataOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
requestBody:
content:
application/json:
examples:
purgeByAgeExample:
summary: Purge rollup data older than 7 days
value:
list:
- 8853df00-ae2e-11ed-90af-09bb6422b258
purgePolicy:
age: 7d
purgeType: fixed-age
purgeByTimestampExample:
summary: Purge rollup data before a specific date
value:
list:
- 8853df00-ae2e-11ed-90af-09bb6422b258
- d077e940-1515-11ee-9c50-9d096392f520
purgePolicy:
purgeType: fixed-time
timestamp: '2024-12-31T00:00:00.000Z'
schema:
$ref: '#/components/schemas/SLOs_bulk_purge_rollup_request'
required: true
responses:
'200':
content:
application/json:
examples:
bulkPurgeResponse:
summary: Bulk purge response with task ID
value:
taskId: 8853df00-ae2e-11ed-90af-09bb6422b258
schema:
$ref: '#/components/schemas/SLOs_bulk_purge_rollup_response'
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: purgePolicy/purgeType'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
summary: Batch delete rollup and summary data
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos/_delete_instances:
post:
description: |
The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: deleteSloInstancesOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
requestBody:
content:
application/json:
examples:
deleteInstancesExample:
summary: Delete specific SLO instances
value:
list:
- instanceId: host-abc123
sloId: 8853df00-ae2e-11ed-90af-09bb6422b258
- instanceId: host-def456
sloId: 8853df00-ae2e-11ed-90af-09bb6422b258
schema:
$ref: '#/components/schemas/SLOs_delete_slo_instances_request'
required: true
responses:
'204':
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: list/0/sloId'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
summary: Batch delete rollup and summary data
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos/{sloId}:
delete:
description: |
You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: deleteSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- $ref: '#/components/parameters/SLOs_slo_id'
responses:
'204':
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: id'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
'404':
content:
application/json:
examples:
notFoundExample:
summary: Not found
value:
error: Not Found
message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
statusCode: 404
schema:
$ref: '#/components/schemas/SLOs_404_response'
description: Not found response
summary: Delete an SLO
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
get:
description: |
You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: getSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- $ref: '#/components/parameters/SLOs_slo_id'
- description: The specific instanceId used by the summary calculation
example: host-abcde
in: query
name: instanceId
schema:
type: string
responses:
'200':
content:
application/json:
examples:
getSloResponse:
summary: Get SLO response
value:
budgetingMethod: occurrences
createdAt: '2025-01-12T10:03:19.000Z'
description: Availability of my web service
enabled: true
groupBy: '*'
id: 8853df00-ae2e-11ed-90af-09bb6422b258
indicator:
params:
filter: 'field.environment : "production" and service.name : "my-service"'
good: 'request.status_code : "2xx"'
index: logs-*
timestampField: '@timestamp'
total: 'request.status_code : *'
type: sli.kql.custom
instanceId: '*'
name: My Service Availability
objective:
target: 0.99
revision: 1
settings:
frequency: 5m
syncDelay: 5m
summary:
errorBudget:
consumed: 0.17
initial: 0.01
isEstimated: false
remaining: 0.83
sliValue: 0.9983
status: HEALTHY
tags:
- production
- web-service
timeWindow:
duration: 30d
type: rolling
updatedAt: '2025-01-12T10:03:19.000Z'
version: 2
schema:
$ref: '#/components/schemas/SLOs_slo_with_summary_response'
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: id'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_read] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
'404':
content:
application/json:
examples:
notFoundExample:
summary: Not found
value:
error: Not Found
message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
statusCode: 404
schema:
$ref: '#/components/schemas/SLOs_404_response'
description: Not found response
summary: Get an SLO
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
put:
description: |
You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: updateSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- $ref: '#/components/parameters/SLOs_slo_id'
requestBody:
content:
application/json:
examples:
updateSloNameExample:
summary: Update the SLO name and tags
value:
name: Updated Service Availability
tags:
- production
- updated
updateSloObjectiveExample:
summary: Update the SLO objective
value:
objective:
target: 0.995
schema:
$ref: '#/components/schemas/SLOs_update_slo_request'
required: true
responses:
'200':
content:
application/json:
examples:
updateSloResponse:
summary: Update SLO response
value:
budgetingMethod: occurrences
createdAt: '2025-01-12T10:03:19.000Z'
description: Availability of my web service
enabled: true
groupBy: '*'
id: 8853df00-ae2e-11ed-90af-09bb6422b258
indicator:
params:
filter: 'field.environment : "production" and service.name : "my-service"'
good: 'request.status_code : "2xx"'
index: logs-*
timestampField: '@timestamp'
total: 'request.status_code : *'
type: sli.kql.custom
name: Updated Service Availability
objective:
target: 0.99
revision: 2
settings:
frequency: 5m
syncDelay: 5m
tags:
- production
- updated
timeWindow:
duration: 30d
type: rolling
updatedAt: '2025-03-26T14:30:00.000Z'
version: 2
schema:
$ref: '#/components/schemas/SLOs_slo_definition_response'
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: indicator/type'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
'404':
content:
application/json:
examples:
notFoundExample:
summary: Not found
value:
error: Not Found
message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
statusCode: 404
schema:
$ref: '#/components/schemas/SLOs_404_response'
description: Not found response
summary: Update an SLO
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos/{sloId}/_reset:
post:
description: |
You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: resetSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- $ref: '#/components/parameters/SLOs_slo_id'
responses:
'200':
content:
application/json:
examples:
resetSloResponse:
summary: Reset SLO response
value:
budgetingMethod: occurrences
createdAt: '2025-01-12T10:03:19.000Z'
description: Availability of my web service
enabled: true
groupBy: '*'
id: 8853df00-ae2e-11ed-90af-09bb6422b258
indicator:
params:
filter: 'field.environment : "production" and service.name : "my-service"'
good: 'request.status_code : "2xx"'
index: logs-*
timestampField: '@timestamp'
total: 'request.status_code : *'
type: sli.kql.custom
name: My Service Availability
objective:
target: 0.99
revision: 2
settings:
frequency: 5m
syncDelay: 5m
tags:
- production
- web-service
timeWindow:
duration: 30d
type: rolling
updatedAt: '2025-03-26T14:30:00.000Z'
version: 2
schema:
$ref: '#/components/schemas/SLOs_slo_definition_response'
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: id'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
'404':
content:
application/json:
examples:
notFoundExample:
summary: Not found
value:
error: Not Found
message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
statusCode: 404
schema:
$ref: '#/components/schemas/SLOs_404_response'
description: Not found response
summary: Reset an SLO
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos/{sloId}/disable:
post:
description: |
You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: disableSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- $ref: '#/components/parameters/SLOs_slo_id'
responses:
'204':
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: id'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
'404':
content:
application/json:
examples:
notFoundExample:
summary: Not found
value:
error: Not Found
message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
statusCode: 404
schema:
$ref: '#/components/schemas/SLOs_404_response'
description: Not found response
summary: Disable an SLO
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/api/observability/slos/{sloId}/enable:
post:
description: |
You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: enableSloOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- $ref: '#/components/parameters/SLOs_slo_id'
responses:
'204':
description: Successful request
'400':
content:
application/json:
examples:
badRequestExample:
summary: Bad request
value:
error: Bad Request
message: 'Invalid value ''foo'' supplied to: id'
statusCode: 400
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
examples:
unauthorizedExample:
summary: Unauthorized
value:
error: Unauthorized
message: 'security_exception: unable to authenticate user for REST request [/api/observability/slos]'
statusCode: 401
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
examples:
forbiddenExample:
summary: Forbidden
value:
error: Forbidden
message: 'security_exception: action [slo_write] is unauthorized for user'
statusCode: 403
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
'404':
content:
application/json:
examples:
notFoundExample:
summary: Not found
value:
error: Not Found
message: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
statusCode: 404
schema:
$ref: '#/components/schemas/SLOs_404_response'
description: Not found response
summary: Enable an SLO
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
/s/{spaceId}/internal/observability/slos/_definitions:
get:
description: |
You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
operationId: getDefinitionsOp
parameters:
- $ref: '#/components/parameters/SLOs_kbn_xsrf'
- $ref: '#/components/parameters/SLOs_space_id'
- description: Indicates whether the API returns only outdated SLO definitions or all SLO definitions
in: query
name: includeOutdatedOnly
schema:
type: boolean
- description: Indicates whether the API returns SLO health data along with the definitions
example: true
in: query
name: includeHealth
schema:
type: boolean
- description: Filters the SLOs by tag
in: query
name: tags
schema:
type: string
- description: Filters the SLOs by name
example: my service availability
in: query
name: search
schema:
type: string
- description: The page to use for pagination; must be greater than or equal to 1
example: 1
in: query
name: page
schema:
type: number
- description: Number of SLOs returned per page
example: 100
in: query
name: perPage
schema:
default: 100
maximum: 1000
type: integer
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SLOs_find_slo_definitions_response'
description: Successful request
'400':
content:
application/json:
schema:
$ref: '#/components/schemas/SLOs_400_response'
description: Bad request
'401':
content:
application/json:
schema:
$ref: '#/components/schemas/SLOs_401_response'
description: Unauthorized response
'403':
content:
application/json:
schema:
$ref: '#/components/schemas/SLOs_403_response'
description: Forbidden response
summary: Get the SLO definitions
tags:
- slo
x-metaTags:
- content: Kibana
name: product_name
components:
examples:
Alerting_401_health_response:
summary: Unauthorized response for the get alerting health API.
value:
error: Unauthorized
message: '[security_exception] missing authentication credentials for REST request'
statusCode: 401
Alerting_401_rule_types_response:
summary: Unauthorized response for the get rule types API.
value:
error: Unauthorized
message: '[security_exception] missing authentication credentials for REST request'
statusCode: 401
Alerting_get_health_response:
summary: Retrieve information about the health of the alerting framework.
value:
alerting_framework_health:
decryption_health:
status: ok
timestamp: '2023-01-13T01:28:00.280Z'
execution_health:
status: ok
timestamp: '2023-01-13T01:28:00.280Z'
read_health:
status: ok
timestamp: '2023-01-13T01:28:00.280Z'
has_permanent_encryption_key: true
is_sufficiently_secure: true
Alerting_get_rule_types_response:
summary: Retrieve rule types associated with Kibana machine learning features
value:
- action_groups:
- id: anomaly_score_match
name: Anomaly score matched the condition
- id: recovered
name: Recovered
action_variables:
context:
- description: The bucket timestamp of the anomaly
name: timestamp
- description: The bucket time of the anomaly in ISO8601 format
name: timestampIso8601
- description: List of job IDs that triggered the alert
name: jobIds
- description: Alert info message
name: message
- description: Indicate if top hits contain interim results
name: isInterim
- description: Anomaly score at the time of the notification action
name: score
- description: Top records
name: topRecords
- description: Top influencers
name: topInfluencers
- description: URL to open in the Anomaly Explorer
name: anomalyExplorerUrl
useWithTripleBracesInTemplates: true
params: []
state: []
alerts:
context: ml.anomaly-detection
mappings:
fieldMap:
kibana.alert.anomaly_score:
array: false
type: double
required: false
kibana.alert.anomaly_timestamp:
array: false
type: date
required: false
kibana.alert.is_interim:
array: false
type: boolean
required: false
kibana.alert.job_id:
array: false
type: keyword
required: true
kibana.alert.top_influencers:
array: true
dynamic: false
type: object
properties:
influencer_field_name:
type: keyword
influencer_field_value:
type: keyword
influencer_score:
type: double
initial_influencer_score:
type: double
is_interim:
type: boolean
job_id:
type: keyword
timestamp:
type: date
required: false
kibana.alert.top_records:
array: true
dynamic: false
type: object
properties:
actual:
type: double
by_field_name:
type: keyword
by_field_value:
type: keyword
detector_index:
type: integer
field_name:
type: keyword
function:
type: keyword
initial_record_score:
type: double
is_interim:
type: boolean
job_id:
type: keyword
over_field_name:
type: keyword
over_field_value:
type: keyword
partition_field_name:
type: keyword
partition_field_value:
type: keyword
record_score:
type: double
timestamp:
type: date
typical:
type: double
required: false
shouldWrite: true
authorized_consumers:
alerts:
all: true
read: true
apm:
all: true
read: true
discover:
all: true
read: true
infrastructure:
all: true
read: true
logs:
all: true
read: true
ml:
all: true
read: true
monitoring:
all: true
read: true
siem:
all: true
read: true
slo:
all: true
read: true
stackAlerts:
all: true
read: true
uptime:
all: true
read: true
category: management
default_action_group_id: anomaly_score_match
does_set_recovery_context: true
enabled_in_license: true
has_alerts_mappings: true
has_fields_for_a_a_d: true
id: xpack.ml.anomaly_detection_alert
is_exportable: true
minimum_license_required: platinum
name: Anomaly detection alert
producer: ml
recovery_action_group:
id: recovered
name: Recovered
rule_task_timeout: 5m
- action_groups:
- id: anomaly_detection_realtime_issue
name: Issue detected
- id: recovered
name: Recovered
action_variables:
context:
- description: Results of the rule execution
name: results
- description: Alert info message
name: message
params: []
state: []
authorized_consumers:
alerts:
all: true
read: true
apm:
all: true
read: true
discover:
all: true
read: true
infrastructure:
all: true
read: true
logs:
all: true
read: true
ml:
all: true
read: true
monitoring:
all: true
read: true
siem:
all: true
read: true
slo:
all: true
read: true
stackAlerts:
all: true
read: true
uptime:
all: true
read: true
category: management
default_action_group_id: anomaly_detection_realtime_issue
does_set_recovery_context: true
enabled_in_license: true
has_alerts_mappings: false
has_fields_for_a_a_d: false
id: xpack.ml.anomaly_detection_jobs_health
is_exportable: true
minimum_license_required: platinum
name: Anomaly detection jobs health
producer: ml
recovery_action_group:
id: recovered
name: Recovered
rule_task_timeout: 5m
APM_UI_agent_configuration_environments_200_response1:
description: An example of a successful response from `GET /api/apm/settings/agent-configuration/environments`.
value:
environments:
- alreadyConfigured: true
name: production
- alreadyConfigured: false
name: development
- alreadyConfigured: false
name: ALL_OPTION_VALUE
APM_UI_agent_configuration_intake_object_delete_200_response1:
description: An example of a successful response from `DELETE /api/apm/settings/agent-configuration`.
value:
result: deleted
APM_UI_agent_configuration_intake_object_delete_request1:
description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration.
value:
service:
environment: production
name: frontend
APM_UI_agent_configuration_intake_object_get_200_response1:
description: An example of a successful response from `GET /api/apm/settings/agent-configuration`.
value:
- '@timestamp': 1581934104843
agent_name: go
applied_by_agent: false
etag: 1e58c178efeebae15c25c539da740d21dee422fc
service:
environment: production
name: opbeans-go
settings:
capture_body: 'off'
transaction_max_spans: '200'
transaction_sample_rate: '1'
- '@timestamp': 1581934111727
agent_name: go
applied_by_agent: false
etag: 3eed916d3db434d9fb7f039daa681c7a04539a64
service:
name: opbeans-go
settings:
capture_body: 'off'
transaction_max_spans: '300'
transaction_sample_rate: '1'
- '@timestamp': 1582031336265
agent_name: nodejs
applied_by_agent: false
etag: 5080ed25785b7b19f32713681e79f46996801a5b
service:
name: frontend
settings:
transaction_sample_rate: '1'
APM_UI_agent_configuration_intake_object_put_200_response1:
description: An example of a successful response from `PUT /api/apm/settings/agent-configuration`. The response body is intentionally empty.
value: {}
APM_UI_agent_configuration_intake_object_put_request1:
description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details.
value:
agent_name: nodejs
service:
environment: production
name: frontend
settings:
capture_body: 'off'
transaction_max_spans: '500'
transaction_sample_rate: '0.4'
APM_UI_agent_configuration_intake_object_search_200_response1:
description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`.
value:
_id: CIaqXXABmQCdPphWj8EJ
_index: .apm-agent-configuration
_score: 2
_source:
'@timestamp': 1582031336265
agent_name: nodejs
applied_by_agent: false
etag: 5080ed25785b7b19f32713681e79f46996801a5b
service:
name: frontend
settings:
transaction_sample_rate: '1'
APM_UI_agent_configuration_intake_object_search_request1:
description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details.
value:
etag: 1e58c178efeebae15c25c539da740d21dee422fc
service:
environment: production
name: frontend
APM_UI_agent_configuration_intake_object_view_200_response1:
description: An example of a successful response from `GET /api/apm/settings/agent-configuration/view`.
value:
'@timestamp': 1582031336265
agent_name: nodejs
applied_by_agent: true
etag: 5080ed25785b7b19f32713681e79f46996801a5b
id: CIaqXXABmQCdPphWj8EJ
service:
environment: production
name: frontend
settings:
capture_body: 'off'
transaction_max_spans: '500'
transaction_sample_rate: '0.4'
APM_UI_agent_keys_object_post_200_response1:
description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key.
value:
agentKey:
api_key: PjGloCGOTzaZr8ilUPvkjA
encoded: M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ==
id: 3DCLmn0B3ZMhLUa7WBG9
name: apm-key
APM_UI_agent_keys_object_post_request1:
description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges.
value:
name: apm-key
privileges:
- event:write
- config_agent:read
APM_UI_annotation_object_post_200_response1:
description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`.
value:
_id: Lc9I93EBh6DbmkeV7nFX
_index: observability-annotations
_primary_term: 1
_seq_no: 12
_source:
'@timestamp': '2020-05-08T10:31:30.452Z'
annotation:
type: deployment
event:
created: '2020-05-09T02:34:43.937Z'
message: Deployment 1.2
service:
name: opbeans-java
version: '1.2'
tags:
- apm
- elastic.co
- customer
_version: 1
found: true
APM_UI_annotation_object_post_request1:
description: Run `POST /api/apm/services/{serviceName}/annotation` to create a deployment annotation for a service.
value:
'@timestamp': '2024-01-15T12:00:00.000Z'
message: Deployment 1.2.0
service:
environment: production
version: 1.2.0
tags:
- apm
- deployment
APM_UI_fleet_apm_server_schema_200_response1:
description: An example of a successful response from `POST /api/apm/fleet/apm_server_schema`. The response body is intentionally empty.
value: {}
APM_UI_source_maps_delete_200_response1:
description: An example of a successful response from `DELETE /api/apm/sourcemaps/{id}`. The response body is intentionally empty.
value: {}
APM_UI_source_maps_get_200_response1:
description: A successful response from `GET /api/apm/sourcemaps`.
value:
artifacts:
- body:
bundleFilepath: /test/e2e/general-usecase/bundle.js
serviceName: foo
serviceVersion: 1.0.0
sourceMap:
file: static/js/main.chunk.js
mappings: mapping
sourceRoot: ''
sources:
- fleet-source-map-client/src/index.css
- fleet-source-map-client/src/App.js
- webpack:///./src/index.css?bb0a
- fleet-source-map-client/src/index.js
- fleet-source-map-client/src/reportWebVitals.js
sourcesContent:
- content
version: 3
compressionAlgorithm: zlib
created: '2021-07-09T20:47:44.812Z'
decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
decodedSize: 441
encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24
encodedSize: 237
encryptionAlgorithm: none
id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
identifier: foo-1.0.0
packageName: apm
relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
type: sourcemap
APM_UI_source_maps_upload_200_response1:
description: A successful response from `POST /api/apm/sourcemaps`.
value:
body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI
compressionAlgorithm: zlib
created: '2021-07-09T20:47:44.812Z'
decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
decodedSize: 441
encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24
encodedSize: 237
encryptionAlgorithm: none
id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
identifier: foo-1.0.0
packageName: apm
relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456
type: sourcemap
Cases_add_comment_request:
summary: Adds a comment to a case.
value:
comment: A new comment.
owner: cases
type: user
Cases_add_comment_response:
summary: The add comment to case API returns a JSON object that contains details about the case and its comments.
value:
assignees: []
category: null
closed_at: null
closed_by: null
comments:
- comment: A new comment.
created_at: '2022-10-02T00:49:47.716Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
owner: cases
pushed_at: null
pushed_by: null
type: user
updated_at: null
updated_by: null
version: WzIwNDMxLDFd
connector:
fields: null
id: none
name: none
type: .none
created_at: '2022-03-24T00:37:03.906Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: Field value
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
type: toggle
value: true
description: A case description.
duration: null
external_service: null
id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6
observables: []
owner: cases
settings:
syncAlerts: false
severity: low
status: open
tags:
- tag 1
title: Case title 1
total_observables: 0
totalAlerts: 0
totalComment: 1
totalEvents: 0
updated_at: '2022-06-03T00:49:47.716Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzIzMzgsMV0=
Cases_create_case_request:
summary: Create a security case that uses a Jira connector.
value:
connector:
fields:
issueType: '10006'
parent: null
priority: High
id: 131d4448-abe0-4789-939d-8ef60680b498
name: My connector
type: .jira
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: My field value
description: A case description.
owner: cases
settings:
extractObservables: false
syncAlerts: true
tags:
- tag-1
title: Case title 1
Cases_create_case_response:
summary: The create case API returns a JSON object that contains details about the case.
value:
assignees: []
closed_at: null
closed_by: null
comments: []
connector:
fields:
issueType: '10006'
parent: null
priority: High
id: 131d4448-abe0-4789-939d-8ef60680b498
name: My connector
type: .jira
created_at: '2022-10-13T15:33:50.604Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: My field value
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
type: toggle
value: null
description: A case description.
duration: null
external_service: null
id: 66b9aa00-94fa-11ea-9f74-e7e108796192
observables: []
owner: cases
settings:
extractObservables: false
syncAlerts: true
severity: low
status: open
tags:
- tag 1
title: Case title 1
total_observables: 0
totalAlerts: 0
totalComment: 0
totalEvents: 0
updated_at: null
updated_by: null
version: WzUzMiwxXQ==
Cases_find_case_activity_response:
summary: Retrieves all activity for a case
value:
page: 1
perPage: 20
total: 3
userActions:
- action: create
comment_id: null
created_at: '2023-10-20T01:17:22.150Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
id: b4cd0770-07c9-11ed-a5fd-47154cb8767e
owner: cases
payload:
assignees: []
category: null
connector:
fields: null
id: none
name: none
type: .none
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: My field value
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
type: toggle
value: null
description: A case description.
owner: cases
settings:
syncAlerts: false
severity: low
status: open
tags:
- tag 1
title: Case title 1
type: create_case
version: WzM1ODg4LDFd
- action: create
comment_id: 578608d0-03b1-11ed-920c-974bfa104448
created_at: '2023-10-14T20:12:53.354Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
id: 57af14a0-03b1-11ed-920c-974bfa104448
owner: cases
payload:
comment:
comment: A new comment
owner: cases
type: user
type: comment
version: WzM1ODg4LDFa
- action: add
comment_id: null
created_at: '2023-10-20T01:10:28.238Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
id: 573c6980-6123-11ed-aa41-81a0a61fe447
owner: cases
payload:
assignees:
- uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
type: assignees
version: WzM1ODg4LDFb
Cases_find_case_comments_response:
summary: Paginated list of user comments for a case
value:
comments:
- comment: A new comment
created_at: '2023-10-07T19:32:13.104Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3
owner: cases
pushed_at: null
pushed_by: null
type: user
updated_at: null
updated_by: null
version: WzIzLDFd
page: 1
per_page: 20
total: 1
Cases_find_case_response:
summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time.
value:
cases:
- assignees: []
category: null
closed_at: null
closed_by: null
comments: []
connector:
fields: null
id: none
name: none
type: .none
created_at: '2023-10-12T00:16:36.371Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: My field value
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
type: toggle
value: null
description: Case description
duration: null
external_service: null
id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2
incremental_id: 1
observables: []
owner: cases
settings:
extractObservables: false
syncAlerts: true
severity: low
status: open
tags:
- tag-1
title: Case title
total_observables: 0
totalAlerts: 0
totalComment: 1
totalEvents: 0
updated_at: '2023-10-12T00:27:58.162Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzExMCwxXQ==
count_closed_cases: 0
count_in_progress_cases: 0
count_open_cases: 1
page: 1
per_page: 5
total: 1
Cases_find_connector_response:
summary: Retrieve information about the connectors and their settings.
value:
- actionTypeId: .jira
config:
apiUrl: https://elastic.atlassian.net/
projectKey: ES
id: 61787f53-4eee-4741-8df6-8fe84fa616f7
isDeprecated: false
isMissingSecrets: false
isPreconfigured: false
name: my-Jira
referencedByCount: 0
Cases_get_case_alerts_response:
summary: Retrieves all alerts attached to a case
value:
- attached_at: '2022-07-25T20:09:40.963Z'
id: f6a7d0c3-d52d-432c-b2e6-447cd7fce04d
index: .alerts-observability.logs.alerts-default
Cases_get_case_configuration_response:
summary: Get the case configuration.
value:
- closure_type: close-by-user
connector:
fields: null
id: none
name: none
type: .none
created_at: '2024-07-01T17:07:17.767Z'
created_by:
email: null
full_name: null
username: elastic
customFields:
- defaultValue: Custom text field value.
key: d312efda-ec2b-42ec-9e2c-84981795c581
label: my-text-field
type: text
required: false
error: null
id: 856ee650-6c82-11ee-a20a-6164169afa58
mappings: []
observableTypes: []
owner: cases
templates:
- caseFields:
assignees:
- uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
category: Default-category
connector:
fields: null
id: none
name: none
type: .none
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: Default text field value.
description: A default description for cases.
settings:
syncAlerts: false
tags:
- Default case tag
title: Default case title
description: A description of the template.
key: 505932fe-ee3a-4960-a661-c781b5acdb05
name: template-1
tags:
- Template tag 1
updated_at: null
updated_by: null
version: WzEyLDNd
Cases_get_case_observability_response:
summary: Get case response (Observability). Comments are not included; use the find case comments API. totalComment reflects the actual count.
value:
assignees:
- uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0
category: null
closed_at: null
closed_by: null
connector:
fields: null
id: none
name: none
type: .none
created_at: '2023-11-06T19:29:04.086Z'
created_by:
email: null
full_name: null
username: elastic
customFields: []
description: An Observability case description.
duration: null
external_service: null
id: c3ff7550-def1-4e90-b6bc-c9969a4a09b1
observables: []
owner: observability
settings:
extractObservables: false
syncAlerts: false
severity: low
status: in-progress
tags:
- observability
- tag 1
title: Observability case title 1
total_observables: 0
totalAlerts: 1
totalComment: 1
totalEvents: 0
updated_at: '2023-11-06T19:47:55.662Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzI0NywyXQ==
Cases_get_case_response:
summary: Get case response. Comments are not included; use the find case comments API. totalComment reflects the actual count.
value:
assignees:
- uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
category: null
closed_at: null
closed_by: null
connector:
fields: null
id: none
name: none
type: .none
created_at: '2023-10-13T15:33:50.604Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: My field value
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
type: toggle
value: null
description: A case description
duration: null
external_service: null
id: 31cdada0-02c1-11ed-85f2-4f7c222ca2fa
incremental_id: 1
observables: []
owner: cases
settings:
extractObservables: false
syncAlerts: true
severity: low
status: open
tags:
- tag 1
title: Case title 1
total_observables: 0
totalAlerts: 1
totalComment: 1
totalEvents: 0
updated_at: '2023-10-13T15:40:32.335Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzM2LDFd
Cases_get_comment_response:
summary: A single user comment retrieved from a case
value:
comment: A new comment
created_at: '2023-10-07T19:32:13.104Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3
owner: cases
pushed_at: null
pushed_by: null
type: user
updated_at: null
updated_by: null
version: WzIzLDFd
Cases_get_reporters_response:
summary: A list of two users that opened cases
value:
- email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
- email: jdoe@example.com
full_name: Jane Doe
profile_uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0
username: jdoe
Cases_get_tags_response:
summary: A list of tags that are used in cases
value:
- observability
- security
- tag 1
- tag 2
Cases_push_case_response:
summary: The push case API returns a JSON object with details about the case and the external service.
value:
assignees: []
category: null
closed_at: null
closed_by: null
comments: []
connector:
fields:
issueType: '10006'
parent: null
priority: Low
id: 09f8c0b0-0eda-11ed-bd18-65557fe66949
name: My connector
type: .jira
created_at: '2022-07-29T00:59:39.444Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields: []
description: A case description.
duration: null
external_service:
connector_id: 09f8c0b0-0eda-11ed-bd18-65557fe66949
connector_name: My connector
external_id: '71926'
external_title: ES-554
external_url: https://cases.jira.com
pushed_at: '2022-07-29T01:20:58.436Z'
pushed_by:
email: null
full_name: null
username: elastic
id: b917f300-0ed9-11ed-bd18-65557fe66949
observables: []
owner: cases
settings:
extractObservables: false
syncAlerts: true
severity: low
status: open
tags:
- tag 1
title: Case title 1
total_observables: 0
totalAlerts: 0
totalComment: 0
totalEvents: 0
updated_at: '2022-07-29T01:20:58.436Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzE3NjgsM10=
Cases_response_401:
summary: Authorization information is missing or invalid.
value:
error: Unauthorized
message: Unable to authenticate with the provided credentials.
statusCode: 401
Cases_set_case_configuration_request:
summary: Set the closure type, custom fields, and default connector for Stack Management cases.
value:
closure_type: close-by-user
connector:
fields: null
id: 5e656730-e1ca-11ec-be9b-9b1838238ee6
name: my-jira-connector
type: .jira
customFields:
- defaultValue: My custom field default value.
key: d312efda-ec2b-42ec-9e2c-84981795c581
label: my-text-field
type: text
required: false
owner: cases
templates:
- caseFields:
assignees:
- uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
category: Default-category
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: A text field value for the template.
description: A default description for cases.
tags:
- Default case tag
title: Default case title
description: A description of the template.
key: 505932fe-ee3a-4960-a661-c781b5acdb05
name: template-1
tags:
- Template tag 1
Cases_set_case_configuration_response:
summary: This is an example response for case settings.
value:
closure_type: close-by-user
connector:
fields: null
id: 5e656730-e1ca-11ec-be9b-9b1838238ee6
name: my-jira-connector
type: .jira
created_at: '2024-07-01T17:07:17.767Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields:
- defaultValue: My custom field default value.
key: d312efda-ec2b-42ec-9e2c-84981795c581
label: my-text-field
type: text
required: false
error: null
id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6
mappings:
- action_type: overwrite
source: title
target: summary
- action_type: overwrite
source: description
target: description
- action_type: append
source: comments
target: comments
- action_type: overwrite
source: tags
target: labels
owner: cases
templates:
- caseFields:
assignees:
- uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
category: Default-category
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: A text field value for the template.
description: A default description for cases.
tags:
- Default case tag
title: Default case title
description: A description of the template.
key: 505932fe-ee3a-4960-a661-c781b5acdb05
name: template-1
tags:
- Template tag 1
updated_at: null
updated_by: null
version: WzIwNzMsMV0=
Cases_update_case_configuration_request:
summary: Update the case settings.
value:
closure_type: close-by-user
connector:
fields: null
id: 5e656730-e1ca-11ec-be9b-9b1838238ee6
name: my-jira-connector
type: .jira
customFields:
- defaultValue: A new default value.
key: d312efda-ec2b-42ec-9e2c-84981795c581
label: my-text-field
type: text
required: true
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
label: my-toggle
type: toggle
required: false
version: WzExOSw0XQ==
Cases_update_case_configuration_response:
summary: This is an example response when the case configuration was updated.
value:
closure_type: close-by-user
connector:
fields: null
id: 5e656730-e1ca-11ec-be9b-9b1838238ee6
name: my-jira-connector
type: .jira
created_at: '2024-07-01T17:07:17.767Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields:
- defaultValue: A new default value.
key: d312efda-ec2b-42ec-9e2c-84981795c581
label: my-text-field
type: text
required: true
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
label: my-toggle
type: toggle
required: false
error: null
id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6
mappings:
- action_type: overwrite
source: title
target: summary
- action_type: overwrite
source: description
target: description
- action_type: overwrite
source: tags
target: labels
- action_type: append
source: comments
target: comments
owner: cases
templates: []
updated_at: '2024-07-19T00:52:42.401Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzI2LDNd
Cases_update_case_request:
summary: Update the case description, tags, and connector.
value:
cases:
- connector:
fields:
issueType: '10006'
parent: null
priority: null
id: 131d4448-abe0-4789-939d-8ef60680b498
name: My connector
type: .jira
customFields:
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
type: toggle
value: false
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: My new field value
description: A case description.
id: a18b38a0-71b0-11ea-a0b2-c51ea50a58e2
settings:
extractObservables: false
syncAlerts: true
tags:
- tag-1
version: WzIzLDFd
Cases_update_case_response:
summary: This is an example response when the case description, tags, and connector were updated.
value:
- assignees: []
category: null
closed_at: null
closed_by: null
comments: []
connector:
fields:
issueType: '10006'
parent: null
priority: null
id: 131d4448-abe0-4789-939d-8ef60680b498
name: My connector
type: .jira
created_at: '2023-10-13T09:16:17.416Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: My new field value
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
type: toggle
value: false
description: A case description.
duration: null
external_service:
connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8
connector_name: Jira
external_id: '10003'
external_title: IS-4
external_url: https://hms.atlassian.net/browse/IS-4
pushed_at: '2023-10-13T09:20:40.672Z'
pushed_by:
email: null
full_name: null
username: elastic
id: 66b9aa00-94fa-11ea-9f74-e7e108796192
observables: []
owner: cases
settings:
extractObservables: false
syncAlerts: true
severity: low
status: open
tags:
- tag-1
title: Case title 1
total_observables: 0
totalAlerts: 0
totalComment: 0
totalEvents: 0
updated_at: '2023-10-13T09:48:33.043Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzU0OCwxXQ==
Cases_update_comment_request:
summary: Updates a comment of a case.
value:
comment: An updated comment.
id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
owner: cases
type: user
version: Wzk1LDFd
Cases_update_comment_response:
summary: The update comment API returns a JSON object that contains details about the case and its comments.
value:
assignees: []
category: null
closed_at: null
closed_by: null
comments:
- comment: An updated comment.
created_at: '2023-10-24T00:37:10.832Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
owner: cases
pushed_at: null
pushed_by: null
type: user
updated_at: '2023-10-24T01:27:06.210Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzIwNjM3LDFd
connector:
fields: null
id: none
name: none
type: .none
created_at: '2023-10-24T00:37:03.906Z'
created_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
customFields:
- key: d312efda-ec2b-42ec-9e2c-84981795c581
type: text
value: My new field value
- key: fcc6840d-eb14-42df-8aaf-232201a705ec
type: toggle
value: false
description: A case description.
duration: null
external_service: null
id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6
owner: cases
settings:
syncAlerts: false
severity: low
status: open
tags:
- tag 1
title: Case title 1
totalAlerts: 0
totalComment: 1
totalEvents: 0
updated_at: '2023-10-24T01:27:06.210Z'
updated_by:
email: null
full_name: null
profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
username: elastic
version: WzIwNjM2LDFd
Data_views_create_data_view_request:
description: Create a data view for logstash indices that includes a runtime field which extracts the shape name from a source field.
summary: Create a data view with runtime fields.
value:
data_view:
name: My Logstash data view
runtimeFieldMap:
runtime_shape_name:
script:
source: emit(doc['shape_name'].value)
type: keyword
title: logstash-*
Data_views_create_data_view_response:
description: The response includes the full data view specification, including auto-generated fields such as the unique identifier and version.
summary: The create data view API returns a JSON object that contains details about the new data view.
value:
data_view:
allowNoIndex: false
fieldAttrs: {}
fieldFormats: {}
fields:
runtime_shape_name:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
name: runtime_shape_name
readFromDocValues: false
runtimeField:
script:
source: emit(doc['shape_name'].value)
type: keyword
scripted: false
searchable: true
shortDotsEnable: false
type: string
id: b561acfb-0181-455e-84a3-ce8980b2272f
name: My Logstash data view
namespaces:
- default
runtimeFieldMap:
runtime_shape_name:
script:
source: emit(doc['shape_name'].value)
type: keyword
sourceFilters: []
title: logstash-*
typeMeta: {}
version: WzQ5LDJd
Data_views_create_runtime_field_request:
description: Create a long-type runtime field that emits a value derived from the foo source field.
summary: Create a runtime field.
value:
name: runtimeFoo
runtimeField:
script:
source: emit(doc["foo"].value)
type: long
Data_views_create_runtime_field_response:
description: The response includes the newly created runtime field as an array and the full updated data view object.
summary: The API returns the created runtime field object array and the updated data view object.
value:
data_view:
...: null
fields:
- ...
Data_views_error_400_response:
description: The request was rejected because the payload or query parameters are missing required fields or contain invalid values.
summary: A bad request response.
value:
error: Bad Request
message: '[request body.data_view.title]: expected value of type [string] but got [undefined]'
statusCode: 400
Data_views_error_404_response:
description: The requested data view or runtime field was not found in the current Kibana space.
summary: A not found response.
value:
error: Not Found
message: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found
statusCode: 404
Data_views_get_data_view_response:
description: A complete data view object including all fields, runtime fields, and metadata.
summary: The get data view API returns a JSON object that contains information about the data view.
value:
data_view:
allowNoIndex: false
fieldAttrs:
products.manufacturer:
count: 1
products.price:
count: 1
products.product_name:
count: 1
total_quantity:
count: 1
fieldFormats:
products.base_price:
id: number
params:
pattern: $0,0.00
products.base_unit_price:
id: number
params:
pattern: $0,0.00
products.min_price:
id: number
params:
pattern: $0,0.00
products.price:
id: number
params:
pattern: $0,0.00
products.taxful_price:
id: number
params:
pattern: $0,0.00
products.taxless_price:
id: number
params:
pattern: $0,0.00
taxful_total_price:
id: number
params:
pattern: $0,0.[00]
taxless_total_price:
id: number
params:
pattern: $0,0.00
fields:
_id:
aggregatable: false
count: 0
esTypes:
- _id
format:
id: string
isMapped: true
name: _id
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
_index:
aggregatable: true
count: 0
esTypes:
- _index
format:
id: string
isMapped: true
name: _index
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
_score:
aggregatable: false
count: 0
format:
id: number
isMapped: true
name: _score
readFromDocValues: false
scripted: false
searchable: false
shortDotsEnable: false
type: number
_source:
aggregatable: false
count: 0
esTypes:
- _source
format:
id: _source
isMapped: true
name: _source
readFromDocValues: false
scripted: false
searchable: false
shortDotsEnable: false
type: _source
category:
aggregatable: false
count: 0
esTypes:
- text
format:
id: string
isMapped: true
name: category
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
category.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: category.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: category
type: string
currency:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: currency
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
customer_birth_date:
aggregatable: true
count: 0
esTypes:
- date
format:
id: date
isMapped: true
name: customer_birth_date
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: date
customer_first_name:
aggregatable: false
count: 0
esTypes:
- text
format:
id: string
isMapped: true
name: customer_first_name
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
customer_first_name.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: customer_first_name.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: customer_first_name
type: string
customer_full_name:
aggregatable: false
count: 0
esTypes:
- text
format:
id: string
isMapped: true
name: customer_full_name
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
customer_full_name.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: customer_full_name.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: customer_full_name
type: string
customer_gender:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: customer_gender
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
customer_id:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: customer_id
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
customer_last_name:
aggregatable: false
count: 0
esTypes:
- text
format:
id: string
isMapped: true
name: customer_last_name
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
customer_last_name.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: customer_last_name.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: customer_last_name
type: string
customer_phone:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: customer_phone
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
day_of_week:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: day_of_week
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
day_of_week_i:
aggregatable: true
count: 0
esTypes:
- integer
format:
id: number
isMapped: true
name: day_of_week_i
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
email:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: email
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
event.dataset:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: event.dataset
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
geoip.city_name:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: geoip.city_name
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
geoip.continent_name:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: geoip.continent_name
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
geoip.country_iso_code:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: geoip.country_iso_code
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
geoip.location:
aggregatable: true
count: 0
esTypes:
- geo_point
format:
id: geo_point
params:
transform: wkt
isMapped: true
name: geoip.location
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: geo_point
geoip.region_name:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: geoip.region_name
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
manufacturer:
aggregatable: false
count: 0
esTypes:
- text
format:
id: string
isMapped: true
name: manufacturer
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
manufacturer.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: manufacturer.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: manufacturer
type: string
order_date:
aggregatable: true
count: 0
esTypes:
- date
format:
id: date
isMapped: true
name: order_date
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: date
order_id:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: order_id
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
products._id:
aggregatable: false
count: 0
esTypes:
- text
format:
id: string
isMapped: true
name: products._id
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
products._id.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: products._id.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: products._id
type: string
products.base_price:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
params:
pattern: $0,0.00
isMapped: true
name: products.base_price
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.base_unit_price:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
params:
pattern: $0,0.00
isMapped: true
name: products.base_unit_price
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.category:
aggregatable: false
count: 0
esTypes:
- text
format:
id: string
isMapped: true
name: products.category
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
products.category.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: products.category.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: products.category
type: string
products.created_on:
aggregatable: true
count: 0
esTypes:
- date
format:
id: date
isMapped: true
name: products.created_on
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: date
products.discount_amount:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
isMapped: true
name: products.discount_amount
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.discount_percentage:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
isMapped: true
name: products.discount_percentage
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.manufacturer:
aggregatable: false
count: 1
esTypes:
- text
format:
id: string
isMapped: true
name: products.manufacturer
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
products.manufacturer.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: products.manufacturer.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: products.manufacturer
type: string
products.min_price:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
params:
pattern: $0,0.00
isMapped: true
name: products.min_price
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.price:
aggregatable: true
count: 1
esTypes:
- half_float
format:
id: number
params:
pattern: $0,0.00
isMapped: true
name: products.price
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.product_id:
aggregatable: true
count: 0
esTypes:
- long
format:
id: number
isMapped: true
name: products.product_id
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.product_name:
aggregatable: false
count: 1
esTypes:
- text
format:
id: string
isMapped: true
name: products.product_name
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
products.product_name.keyword:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: products.product_name.keyword
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
subType:
multi:
parent: products.product_name
type: string
products.quantity:
aggregatable: true
count: 0
esTypes:
- integer
format:
id: number
isMapped: true
name: products.quantity
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.sku:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: products.sku
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
products.tax_amount:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
isMapped: true
name: products.tax_amount
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.taxful_price:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
params:
pattern: $0,0.00
isMapped: true
name: products.taxful_price
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.taxless_price:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
params:
pattern: $0,0.00
isMapped: true
name: products.taxless_price
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
products.unit_discount_amount:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
isMapped: true
name: products.unit_discount_amount
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
sku:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: sku
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
taxful_total_price:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
params:
pattern: $0,0.[00]
isMapped: true
name: taxful_total_price
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
taxless_total_price:
aggregatable: true
count: 0
esTypes:
- half_float
format:
id: number
params:
pattern: $0,0.00
isMapped: true
name: taxless_total_price
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
total_quantity:
aggregatable: true
count: 1
esTypes:
- integer
format:
id: number
isMapped: true
name: total_quantity
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
total_unique_products:
aggregatable: true
count: 0
esTypes:
- integer
format:
id: number
isMapped: true
name: total_unique_products
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
type:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: type
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
user:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: user
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
name: Kibana Sample Data eCommerce
namespaces:
- default
runtimeFieldMap: {}
sourceFilters: []
timeFieldName: order_date
title: kibana_sample_data_ecommerce
typeMeta: {}
version: WzUsMV0=
Data_views_get_data_views_response:
description: A list of available data views including their identifiers, names, and index patterns.
summary: The get all data views API returns a list of data views.
value:
data_view:
- id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
name: Kibana Sample Data eCommerce
namespaces:
- default
title: kibana_sample_data_ecommerce
typeMeta: {}
- id: d3d7af60-4c81-11e8-b3d7-01146121b73d
name: Kibana Sample Data Flights
namespaces:
- default
title: kibana_sample_data_flights
- id: 90943e30-9a47-11e8-b64d-95841ca0b247
name: Kibana Sample Data Logs
namespaces:
- default
title: kibana_sample_data_logs
Data_views_get_default_data_view_response:
description: The identifier of the default data view for the current Kibana space.
summary: The get default data view API returns the default data view identifier.
value:
data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
Data_views_get_runtime_field_response:
description: The runtime field definition along with the parent data view.
summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`).
value:
data_view:
allowNoIndex: false
fieldAttrs: {}
fieldFormats:
AvgTicketPrice:
id: number
params:
pattern: $0,0.[00]
hour_of_day:
id: number
params:
pattern: '00'
fields:
_id:
aggregatable: false
count: 0
esTypes:
- _id
format:
id: string
isMapped: true
name: _id
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
_index:
aggregatable: true
count: 0
esTypes:
- _index
format:
id: string
isMapped: true
name: _index
readFromDocValues: false
scripted: false
searchable: true
shortDotsEnable: false
type: string
_score:
aggregatable: false
count: 0
format:
id: number
isMapped: true
name: _score
readFromDocValues: false
scripted: false
searchable: false
shortDotsEnable: false
type: number
_source:
aggregatable: false
count: 0
esTypes:
- _source
format:
id: _source
isMapped: true
name: _source
readFromDocValues: false
scripted: false
searchable: false
shortDotsEnable: false
type: _source
AvgTicketPrice:
aggregatable: true
count: 0
esTypes:
- float
format:
id: number
params:
pattern: $0,0.[00]
isMapped: true
name: AvgTicketPrice
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
Cancelled:
aggregatable: true
count: 0
esTypes:
- boolean
format:
id: boolean
isMapped: true
name: Cancelled
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: boolean
Carrier:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: Carrier
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
dayOfWeek:
aggregatable: true
count: 0
esTypes:
- integer
format:
id: number
isMapped: true
name: dayOfWeek
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
Dest:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: Dest
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
DestAirportID:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: DestAirportID
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
DestCityName:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: DestCityName
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
DestCountry:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: DestCountry
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
DestLocation:
aggregatable: true
count: 0
esTypes:
- geo_point
format:
id: geo_point
params:
transform: wkt
isMapped: true
name: DestLocation
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: geo_point
DestRegion:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: DestRegion
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
DestWeather:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: DestWeather
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
DistanceKilometers:
aggregatable: true
count: 0
esTypes:
- float
format:
id: number
isMapped: true
name: DistanceKilometers
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
DistanceMiles:
aggregatable: true
count: 0
esTypes:
- float
format:
id: number
isMapped: true
name: DistanceMiles
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
FlightDelay:
aggregatable: true
count: 0
esTypes:
- boolean
format:
id: boolean
isMapped: true
name: FlightDelay
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: boolean
FlightDelayMin:
aggregatable: true
count: 0
esTypes:
- integer
format:
id: number
isMapped: true
name: FlightDelayMin
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
FlightDelayType:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: FlightDelayType
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
FlightNum:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: FlightNum
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
FlightTimeHour:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: FlightTimeHour
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
FlightTimeMin:
aggregatable: true
count: 0
esTypes:
- float
format:
id: number
isMapped: true
name: FlightTimeMin
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: number
hour_of_day:
aggregatable: true
count: 0
esTypes:
- long
format:
id: number
params:
pattern: '00'
name: hour_of_day
readFromDocValues: false
runtimeField:
script:
source: emit(doc['timestamp'].value.getHour());
type: long
scripted: false
searchable: true
shortDotsEnable: false
type: number
Origin:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: Origin
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
OriginAirportID:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: OriginAirportID
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
OriginCityName:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: OriginCityName
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
OriginCountry:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: OriginCountry
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
OriginLocation:
aggregatable: true
count: 0
esTypes:
- geo_point
format:
id: geo_point
params:
transform: wkt
isMapped: true
name: OriginLocation
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: geo_point
OriginRegion:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: OriginRegion
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
OriginWeather:
aggregatable: true
count: 0
esTypes:
- keyword
format:
id: string
isMapped: true
name: OriginWeather
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: string
timestamp:
aggregatable: true
count: 0
esTypes:
- date
format:
id: date
isMapped: true
name: timestamp
readFromDocValues: true
scripted: false
searchable: true
shortDotsEnable: false
type: date
id: d3d7af60-4c81-11e8-b3d7-01146121b73d
name: Kibana Sample Data Flights
runtimeFieldMap:
hour_of_day:
script:
source: emit(doc['timestamp'].value.getHour());
type: long
sourceFilters: []
timeFieldName: timestamp
title: kibana_sample_data_flights
version: WzM2LDJd
fields:
- aggregatable: true
count: 0
esTypes:
- long
name: hour_of_day
readFromDocValues: false
runtimeField:
script:
source: emit(doc['timestamp'].value.getHour());
type: long
scripted: false
searchable: true
shortDotsEnable: false
type: number
Data_views_preview_swap_data_view_request:
description: Preview the saved objects that would be affected by swapping references from one data view to another.
summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123".
value:
fromId: abcd-efg
toId: xyz-123
Data_views_preview_swap_data_view_response:
description: The result array lists every saved object that references the source data view. No saved objects are modified by the preview endpoint.
summary: A preview of saved objects that would be affected by a data view swap.
value:
result:
- id: 8963ca30-bca7-11e8-aa00-0123456789ab
type: visualization
- id: edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b
type: dashboard
Data_views_set_default_data_view_request:
description: Set the default data view, using the force flag to overwrite an existing default.
summary: Set the default data view identifier.
value:
data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
force: true
Data_views_set_default_data_view_response:
description: The acknowledged flag confirms that the default data view for the current Kibana space was updated.
summary: The default data view was set successfully.
value:
acknowledged: true
Data_views_swap_data_view_request:
description: Swap all saved object references from one data view to another and delete the source data view afterward.
summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced.
value:
delete: true
fromId: abcd-efg
toId: xyz-123
Data_views_swap_data_view_response:
description: The list of saved objects whose references were updated, along with the delete status of the source.
summary: The swap references API returns a list of the affected saved objects.
value:
deleteStatus:
deletePerformed: true
remainingRefs: 0
result:
- id: '123'
type: visualization
Data_views_update_data_view_request:
description: Update the title, time field, and other properties of an existing data view.
summary: Update some properties for a data view.
value:
data_view:
allowNoIndex: false
name: Kibana Sample Data eCommerce
timeFieldName: order_date
title: kibana_sample_data_ecommerce
refresh_fields: true
Data_views_update_field_metadata_request:
description: Update the popularity count, custom label, and custom description for specific fields in a data view.
summary: Update metadata for multiple fields.
value:
fields:
field1:
count: 123
customLabel: Field 1 label
field2:
customDescription: Field 2 description
customLabel: Field 2 label
Data_views_update_field_metadata_response:
description: The acknowledged flag confirms that the field metadata changes were applied to the data view.
summary: Field metadata was updated successfully.
value:
acknowledged: true
Data_views_update_runtime_field_request:
description: Update the script of an existing runtime field.
summary: Update an existing runtime field on a data view.
value:
runtimeField:
script:
source: emit(doc["bar"].value)
Machine_learning_APIs_mlSync401Example:
summary: The sync request is rejected with a 401 because the calling user (`ml_viewer`) cannot be authenticated.
value:
error: Unauthorized
message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]]: unable to authenticate user [ml_viewer] for REST request [/_security/_authenticate]"
statusCode: 401
Machine_learning_APIs_mlSyncExample:
summary: Two anomaly detection jobs required synchronization in this example.
value:
datafeedsAdded: {}
datafeedsRemoved: {}
savedObjectsCreated:
anomaly-detector:
myjob1:
success: true
myjob2:
success: true
savedObjectsDeleted: {}
Observability_AI_Assistant_API_ChatCompleteRequestExample:
summary: Example of completing a chat interaction
value: |
{
"connectorId": "",
"disableFunctions": false,
"messages": [
{
"@timestamp": "2025-06-25T23:45:00.000Z",
"message": {
"role": "user",
"content": "Is my Elasticsearch cluster healthy right now?"
}
}
],
"persist": false,
"actions": [
{
"name": "get_cluster_health",
"description": "Fetch the current Elasticsearch cluster-health status and key metrics.",
"parameters": {
"type": "object",
"properties": {
"includeShardStats": {
"type": "boolean",
"default": false
}
}
}
}
],
"instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."]
}
Observability_AI_Assistant_API_ChatCompleteResponseExample:
summary: Get a chat completion from the Observability AI Assistant
value: |
data: {"model":"unknown","choices":[{"delta":{"content":"","function_call":{"name":"get_cluster_health","arguments":"{\"includeShardStats\":true}"}},"finish_reason":null,"index":0}],"created":1750936626911,"id":"9c8eff9b-4fd4-4203-a4ab-2e364688deff","object":"chat.completion.chunk"}
data: [DONE]
Saved_objects_key_rotation_response:
summary: Encryption key rotation using default parameters.
value:
failed: 0
successful: 300
total: 1000
Security_Detections_API_SetAlertAssigneesBodyAdd:
value:
assignees:
add:
- u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0
remove: []
ids:
- 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6
Security_Detections_API_SetAlertAssigneesBodyRemove:
value:
assignees:
add: []
remove:
- u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0
ids:
- 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6
Security_Detections_API_SetAlertTagsBodyAdd:
value:
ids:
- 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e
tags:
tags_to_add:
- Duplicate
tags_to_remove: []
Security_Detections_API_SetAlertTagsBodyRemove:
value:
ids:
- 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e
tags:
tags_to_add: []
tags_to_remove:
- Duplicate
Task_manager_health_APIs_health_200response:
description: A successful response from `GET api/task_manager/_health`.
value: |-
{
"id": "330bbc6a-56cd-44d5-88e3-e3229f14d619",
"timestamp": "2025-03-21T21:30:04.780Z",
"status": "OK",
"last_update": "2025-03-21T21:30:04.455Z",
"stats": {
"configuration": {
"timestamp": "2025-03-21T21:26:10.002Z",
"value": {
"request_capacity": 1000,
"monitored_aggregated_stats_refresh_rate": 60000,
"monitored_stats_running_average_window": 50,
"monitored_task_execution_thresholds": {
"custom": {},
"default": {
"error_threshold": 90,
"warn_threshold": 80
}
},
"claim_strategy": "mget",
"poll_interval": 500,
"capacity": {
"config": 10,
"as_workers": 10,
"as_cost": 20
}
},
"status": "OK"
},
"runtime": {
"timestamp": "2025-03-21T21:30:04.455Z",
"value": {
"polling": {
"last_successful_poll": "2025-03-21T21:30:04.455Z",
"last_polling_delay": "2025-03-21T21:26:10.001Z",
"claim_duration": {
"p50": 17,
"p90": 22,
"p95": 25,
"p99": 27
},
"duration": {
"p50": 19,
"p90": 25.5,
"p95": 28,
"p99": 28
},
"claim_conflicts": {
"p50": 0,
"p90": 0,
"p95": 0,
"p99": 0
},
"claim_mismatches": {
"p50": 0,
"p90": 0,
"p95": 0,
"p99": 0
},
"claim_stale_tasks": {
"p50": 0,
"p90": 0,
"p95": 0,
"p99": 0
},
"result_frequency_percent_as_number": {
"Failed": 0,
"NoAvailableWorkers": 0,
"NoTasksClaimed": 100,
"RanOutOfCapacity": 0,
"RunningAtCapacity": 0,
"PoolFilled": 0
},
"persistence": {
"recurring": 88,
"non_recurring": 12
}
},
"drift": {
"p50": 2089,
"p90": 3037,
"p95": 3037,
"p99": 3037
},
"drift_by_type": {
"SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": {
"p50": 2082,
"p90": 2082,
"p95": 2082,
"p99": 2082
},
"fleet:check-deleted-files-task": {
"p50": 2080,
"p90": 2080,
"p95": 2080,
"p99": 2080
},
"osquery:telemetry-saved-queries": {
"p50": 2080,
"p90": 2080,
"p95": 2080,
"p99": 2080
},
"task_manager:mark_removed_tasks_as_unrecognized": {
"p50": 2089,
"p90": 2089,
"p95": 2089,
"p99": 2089
},
"task_manager:delete_inactive_background_task_nodes": {
"p50": 336.5,
"p90": 2089,
"p95": 2089,
"p99": 2089
},
"alerts_invalidate_api_keys": {
"p50": 2086,
"p90": 2086,
"p95": 2086,
"p99": 2086
},
"fleet:unenroll-inactive-agents-task": {
"p50": 2080,
"p90": 2080,
"p95": 2080,
"p99": 2080
},
"alerting_health_check": {
"p50": 2086,
"p90": 2086,
"p95": 2086,
"p99": 2086
},
"Fleet-Usage-Sender": {
"p50": 2079,
"p90": 2079,
"p95": 2079,
"p99": 2079
},
"security:endpoint-diagnostics": {
"p50": 2525,
"p90": 2525,
"p95": 2525,
"p99": 2525
},
"security:telemetry-lists": {
"p50": 2525,
"p90": 2525,
"p95": 2525,
"p99": 2525
},
"security:telemetry-timelines": {
"p50": 2526,
"p90": 2526,
"p95": 2526,
"p99": 2526
},
"cases-telemetry-task": {
"p50": 2083,
"p90": 2083,
"p95": 2083,
"p99": 2083
},
"osquery:telemetry-packs": {
"p50": 2530,
"p90": 2530,
"p95": 2530,
"p99": 2530
},
"Fleet-Metrics-Task": {
"p50": 133.5,
"p90": 2530,
"p95": 2530,
"p99": 2530
},
"fleet:delete-unenrolled-agents-task": {
"p50": 2530,
"p90": 2530,
"p95": 2530,
"p99": 2530
},
"osquery:telemetry-configs": {
"p50": 2529,
"p90": 2529,
"p95": 2529,
"p99": 2529
},
"endpoint:complete-external-response-actions": {
"p50": 519,
"p90": 2526,
"p95": 2526,
"p99": 2526
},
"security:telemetry-detection-rules": {
"p50": 3037,
"p90": 3037,
"p95": 3037,
"p99": 3037
},
"security:telemetry-prebuilt-rule-alerts": {
"p50": 3037,
"p90": 3037,
"p95": 3037,
"p99": 3037
},
"security:endpoint-meta-telemetry": {
"p50": 3037,
"p90": 3037,
"p95": 3037,
"p99": 3037
},
"security:telemetry-filterlist-artifact": {
"p50": 3037,
"p90": 3037,
"p95": 3037,
"p99": 3037
},
"security:telemetry-diagnostic-timelines": {
"p50": 3037,
"p90": 3037,
"p95": 3037,
"p99": 3037
},
"security:telemetry-configuration": {
"p50": 3037,
"p90": 3037,
"p95": 3037,
"p99": 3037
},
"security:indices-metadata-telemetry": {
"p50": 3037,
"p90": 3037,
"p95": 3037,
"p99": 3037
},
"Fleet-Usage-Logger": {
"p50": 2190,
"p90": 2190,
"p95": 2190,
"p99": 2190
},
"obs-ai-assistant:knowledge-base-migration": {
"p50": 2189,
"p90": 2189,
"p95": 2189,
"p99": 2189
},
"dashboard_telemetry": {
"p50": 2452,
"p90": 2452,
"p95": 2452,
"p99": 2452
},
"session_cleanup": {
"p50": 2569,
"p90": 2569,
"p95": 2569,
"p99": 2569
},
"ProductDocBase:EnsureUpToDate": {
"p50": 2452,
"p90": 2452,
"p95": 2452,
"p99": 2452
},
"apm-telemetry-task": {
"p50": 2591,
"p90": 2591,
"p95": 2591,
"p99": 2591
},
"ML:saved-objects-sync": {
"p50": 2475,
"p90": 2475,
"p95": 2475,
"p99": 2475
},
"apm-source-map-migration-task": {
"p50": 1603.5,
"p90": 2987,
"p95": 2987,
"p99": 2987
},
"actions_telemetry": {
"p50": 771,
"p90": 771,
"p95": 771,
"p99": 771
},
"alerting_telemetry": {
"p50": 768,
"p90": 768,
"p95": 768,
"p99": 768
},
"endpoint:metadata-check-transforms-task": {
"p50": 834,
"p90": 834,
"p95": 834,
"p99": 834
},
"endpoint:user-artifact-packager": {
"p50": 529.5,
"p90": 835,
"p95": 835,
"p99": 835
},
"fleet:bump_agent_policies": {
"p50": 361,
"p90": 361,
"p95": 361,
"p99": 361
}
},
"load": {
"p50": 10,
"p90": 100,
"p95": 100,
"p99": 100
},
"execution": {
"duration": {
"SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": {
"p50": 24,
"p90": 24,
"p95": 24,
"p99": 24
},
"fleet:check-deleted-files-task": {
"p50": 24,
"p90": 24,
"p95": 24,
"p99": 24
},
"osquery:telemetry-saved-queries": {
"p50": 25,
"p90": 25,
"p95": 25,
"p99": 25
},
"task_manager:mark_removed_tasks_as_unrecognized": {
"p50": 28,
"p90": 28,
"p95": 28,
"p99": 28
},
"task_manager:delete_inactive_background_task_nodes": {
"p50": 7.5,
"p90": 29,
"p95": 29,
"p99": 29
},
"alerts_invalidate_api_keys": {
"p50": 34,
"p90": 34,
"p95": 34,
"p99": 34
},
"fleet:unenroll-inactive-agents-task": {
"p50": 39,
"p90": 39,
"p95": 39,
"p99": 39
},
"alerting_health_check": {
"p50": 42,
"p90": 42,
"p95": 42,
"p99": 42
},
"Fleet-Usage-Sender": {
"p50": 78,
"p90": 78,
"p95": 78,
"p99": 78
},
"security:endpoint-diagnostics": {
"p50": 6,
"p90": 6,
"p95": 6,
"p99": 6
},
"security:telemetry-lists": {
"p50": 6,
"p90": 6,
"p95": 6,
"p99": 6
},
"security:telemetry-timelines": {
"p50": 6,
"p90": 6,
"p95": 6,
"p99": 6
},
"cases-telemetry-task": {
"p50": 458,
"p90": 458,
"p95": 458,
"p99": 458
},
"osquery:telemetry-packs": {
"p50": 10,
"p90": 10,
"p95": 10,
"p99": 10
},
"Fleet-Metrics-Task": {
"p50": 5,
"p90": 10,
"p95": 10,
"p99": 10
},
"fleet:delete-unenrolled-agents-task": {
"p50": 11,
"p90": 11,
"p95": 11,
"p99": 11
},
"osquery:telemetry-configs": {
"p50": 12,
"p90": 12,
"p95": 12,
"p99": 12
},
"endpoint:complete-external-response-actions": {
"p50": 7,
"p90": 11,
"p95": 11,
"p99": 11
},
"security:telemetry-detection-rules": {
"p50": 6,
"p90": 6,
"p95": 6,
"p99": 6
},
"security:telemetry-prebuilt-rule-alerts": {
"p50": 6,
"p90": 6,
"p95": 6,
"p99": 6
},
"security:endpoint-meta-telemetry": {
"p50": 6,
"p90": 6,
"p95": 6,
"p99": 6
},
"security:telemetry-filterlist-artifact": {
"p50": 5,
"p90": 5,
"p95": 5,
"p99": 5
},
"security:telemetry-diagnostic-timelines": {
"p50": 5,
"p90": 5,
"p95": 5,
"p99": 5
},
"security:telemetry-configuration": {
"p50": 5,
"p90": 5,
"p95": 5,
"p99": 5
},
"security:indices-metadata-telemetry": {
"p50": 5,
"p90": 5,
"p95": 5,
"p99": 5
},
"Fleet-Usage-Logger": {
"p50": 18,
"p90": 18,
"p95": 18,
"p99": 18
},
"obs-ai-assistant:knowledge-base-migration": {
"p50": 8,
"p90": 8,
"p95": 8,
"p99": 8
},
"dashboard_telemetry": {
"p50": 12,
"p90": 12,
"p95": 12,
"p99": 12
},
"session_cleanup": {
"p50": 58,
"p90": 58,
"p95": 58,
"p99": 58
},
"ProductDocBase:EnsureUpToDate": {
"p50": 147,
"p90": 147,
"p95": 147,
"p99": 147
},
"apm-telemetry-task": {
"p50": 543,
"p90": 543,
"p95": 543,
"p99": 543
},
"ML:saved-objects-sync": {
"p50": 544,
"p90": 544,
"p95": 544,
"p99": 544
},
"apm-source-map-migration-task": {
"p50": 1649,
"p90": 3282,
"p95": 3282,
"p99": 3282
},
"actions_telemetry": {
"p50": 19,
"p90": 19,
"p95": 19,
"p99": 19
},
"alerting_telemetry": {
"p50": 64,
"p90": 64,
"p95": 64,
"p99": 64
},
"endpoint:metadata-check-transforms-task": {
"p50": 6,
"p90": 6,
"p95": 6,
"p99": 6
},
"endpoint:user-artifact-packager": {
"p50": 10,
"p90": 13,
"p95": 13,
"p99": 13
},
"fleet:bump_agent_policies": {
"p50": 9,
"p90": 9,
"p95": 9,
"p99": 9
}
},
"duration_by_persistence": {
"recurring": {
"p50": 9,
"p90": 63.39999999999999,
"p95": 474.99999999999966,
"p99": 544
},
"non_recurring": {
"p50": 14,
"p90": 2968.500000000001,
"p95": 3282,
"p99": 3282
}
},
"persistence": {
"recurring": 88,
"non_recurring": 12
},
"result_frequency_percent_as_number": {
"SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"fleet:check-deleted-files-task": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"osquery:telemetry-saved-queries": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"task_manager:mark_removed_tasks_as_unrecognized": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"task_manager:delete_inactive_background_task_nodes": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"alerts_invalidate_api_keys": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"fleet:unenroll-inactive-agents-task": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"alerting_health_check": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"Fleet-Usage-Sender": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:endpoint-diagnostics": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:telemetry-lists": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:telemetry-timelines": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"cases-telemetry-task": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"osquery:telemetry-packs": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"Fleet-Metrics-Task": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"fleet:delete-unenrolled-agents-task": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"osquery:telemetry-configs": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"endpoint:complete-external-response-actions": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:telemetry-detection-rules": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:telemetry-prebuilt-rule-alerts": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:endpoint-meta-telemetry": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:telemetry-filterlist-artifact": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:telemetry-diagnostic-timelines": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:telemetry-configuration": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"security:indices-metadata-telemetry": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"Fleet-Usage-Logger": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"obs-ai-assistant:knowledge-base-migration": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"dashboard_telemetry": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"session_cleanup": {
"Success": 0,
"RetryScheduled": 100,
"Failed": 0,
"status": "OK"
},
"ProductDocBase:EnsureUpToDate": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"apm-telemetry-task": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"ML:saved-objects-sync": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"apm-source-map-migration-task": {
"Success": 50,
"RetryScheduled": 50,
"Failed": 0,
"status": "OK"
},
"actions_telemetry": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"alerting_telemetry": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"endpoint:metadata-check-transforms-task": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"endpoint:user-artifact-packager": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
},
"fleet:bump_agent_policies": {
"Success": 100,
"RetryScheduled": 0,
"Failed": 0,
"status": "OK"
}
}
}
},
"status": "OK"
},
"workload": {
"timestamp": "2025-03-21T21:29:10.367Z",
"value": {
"count": 35,
"cost": 70,
"task_types": {
"Fleet-Metrics-Task": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"Fleet-Usage-Logger": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"Fleet-Usage-Sender": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"ML:saved-objects-sync": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"actions_telemetry": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"alerting_health_check": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"alerting_telemetry": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"alerts_invalidate_api_keys": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"apm-telemetry-task": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"cases-telemetry-task": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"dashboard_telemetry": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"endpoint:complete-external-response-actions": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"endpoint:metadata-check-transforms-task": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"endpoint:user-artifact-packager": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"fleet:check-deleted-files-task": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"fleet:delete-unenrolled-agents-task": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"fleet:unenroll-inactive-agents-task": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"osquery:telemetry-configs": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"osquery:telemetry-packs": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"osquery:telemetry-saved-queries": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:endpoint-diagnostics": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:endpoint-meta-telemetry": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:indices-metadata-telemetry": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:telemetry-configuration": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:telemetry-detection-rules": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:telemetry-diagnostic-timelines": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:telemetry-filterlist-artifact": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:telemetry-lists": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:telemetry-prebuilt-rule-alerts": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"security:telemetry-timelines": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"session_cleanup": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"task_manager:delete_inactive_background_task_nodes": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
},
"task_manager:mark_removed_tasks_as_unrecognized": {
"count": 1,
"cost": 2,
"status": {
"idle": 1
}
}
},
"non_recurring": 1,
"non_recurring_cost": 2,
"schedule": [
[
"1m",
2
],
[
"60s",
2
],
[
"5m",
2
],
[
"10m",
1
],
[
"15m",
1
],
[
"45m",
1
],
[
"1h",
9
],
[
"3600s",
1
],
[
"60m",
1
],
[
"2h",
1
],
[
"720m",
2
],
[
"24h",
7
],
[
"1d",
3
],
[
"1440m",
1
]
],
"overdue": 0,
"overdue_cost": 0,
"overdue_non_recurring": 0,
"estimated_schedule_density": [
0,
0,
0,
1,
1,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
1,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0,
0
],
"capacity_requirements": {
"per_minute": 4,
"per_hour": 46,
"per_day": 27
}
},
"status": "OK"
},
"capacity_estimation": {
"status": "OK",
"reason": "Task Manager is healthy, the assumedRequiredThroughputPerMinutePerKibana (148.78541666666666) < capacityPerMinutePerKibana (1200)",
"timestamp": "2025-03-21T21:30:04.780Z",
"value": {
"observed": {
"observed_kibana_instances": 1,
"max_throughput_per_minute_per_kibana": 1200,
"max_throughput_per_minute": 1200,
"minutes_to_drain_overdue": 0,
"avg_recurring_required_throughput_per_minute": 5,
"avg_recurring_required_throughput_per_minute_per_kibana": 5,
"avg_required_throughput_per_minute": 149,
"avg_required_throughput_per_minute_per_kibana": 149
},
"proposed": {
"provisioned_kibana": 2,
"min_required_kibana": 1,
"avg_recurring_required_throughput_per_minute_per_kibana": 3,
"avg_required_throughput_per_minute_per_kibana": 75
}
}
}
}
}
get_connector_types_generativeai_response:
summary: A list of connector types for the `generativeAI` feature.
value:
- id: .gen-ai
name: OpenAI
enabled: true
enabled_in_config: true
enabled_in_license: true
minimum_license_required: enterprise
supported_feature_ids:
- generativeAIForSecurity
- generativeAIForObservability
- generativeAIForSearchPlayground
is_system_action_type: false
- id: .bedrock
name: AWS Bedrock
enabled: true
enabled_in_config: true
enabled_in_license: true
minimum_license_required: enterprise
supported_feature_ids:
- generativeAIForSecurity
- generativeAIForObservability
- generativeAIForSearchPlayground
is_system_action_type: false
- id: .gemini
name: Google Gemini
enabled: true
enabled_in_config: true
enabled_in_license: true
minimum_license_required: enterprise
supported_feature_ids:
- generativeAIForSecurity
is_system_action_type: false
get_connector_response:
summary: Get connector details.
value:
id: df770e30-8b8b-11ed-a780-3b746c987a81
name: my_server_log_connector
config: {}
connector_type_id: .server-log
is_preconfigured: false
is_deprecated: false
is_missing_secrets: false
is_system_action: false
update_index_connector_request:
summary: Update an index connector.
value:
name: updated-connector
config:
index: updated-index
create_email_connector_request:
summary: Create an email connector.
value:
name: email-connector-1
connector_type_id: .email
config:
from: tester@example.com
hasAuth: true
host: https://example.com
port: 1025
secure: false
service: other
secrets:
user: username
password: password
create_index_connector_request:
summary: Create an index connector.
value:
name: my-connector
connector_type_id: .index
config:
index: test-index
create_webhook_connector_request:
summary: Create a webhook connector with SSL authentication.
value:
name: my-webhook-connector
connector_type_id: .webhook
config:
method: post
url: https://example.com
authType: webhook-authentication-ssl
certType: ssl-crt-key
secrets:
crt: QmFnIEF0dH...
key: LS0tLS1CRUdJ...
password: my-passphrase
create_xmatters_connector_request:
summary: Create an xMatters connector with URL authentication.
value:
name: my-xmatters-connector
connector_type_id: .xmatters
config:
usesBasic: false
secrets:
secretsUrl: https://example.com?apiKey=xxxxx
create_email_connector_response:
summary: A new email connector.
value:
id: 90a82c60-478f-11ee-a343-f98a117c727f
connector_type_id: .email
name: email-connector-1
config:
from: tester@example.com
service: other
host: https://example.com
port: 1025
secure: false
hasAuth: true
tenantId: null
clientId: null
oauthTokenUrl: null
is_preconfigured: false
is_deprecated: false
is_missing_secrets: false
is_system_action: false
create_index_connector_response:
summary: A new index connector.
value:
id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
connector_type_id: .index
name: my-connector
config:
index: test-index
refresh: false
executionTimeField: null
is_preconfigured: false
is_deprecated: false
is_missing_secrets: false
is_system_action: false
create_webhook_connector_response:
summary: A new webhook connector.
value:
id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd
name: my-webhook-connector
config:
method: post
url: https://example.com
authType: webhook-authentication-ssl
certType: ssl-crt-key
verificationMode: full
headers: null
hasAuth: true
connector_type_id: .webhook
is_preconfigured: false
is_deprecated: false
is_missing_secrets: false
is_system_action: false
run_index_connector_request:
summary: Run an index connector.
value:
params:
documents:
- id: my_doc_id
name: my_doc_name
message: hello, world
run_jira_connector_request:
summary: Run a Jira connector to retrieve the list of issue types.
value:
params:
subAction: issueTypes
run_servicenow_itom_connector_request:
summary: Run a ServiceNow ITOM connector to retrieve the list of choices.
value:
params:
subAction: getChoices
subActionParams:
fields:
- severity
- urgency
run_slack_api_connector_request:
summary: Run a Slack connector that uses the web API method to post a message on a channel.
value:
params:
subAction: postMessage
subActionParams:
channelIds:
- C123ABC456
text: A test message.
run_swimlane_connector_request:
summary: Run a Swimlane connector to create an incident.
value:
params:
subAction: pushToService
subActionParams:
comments:
- commentId: 1
comment: A comment about the incident.
incident:
caseId: '1000'
caseName: Case name
description: Description of the incident.
run_index_connector_response:
summary: Response from running an index connector.
value:
connector_id: fd38c600-96a5-11ed-bb79-353b74189cba
data:
errors: false
items:
- create:
_id: 4JtvwYUBrcyxt2NnfW3y
_index: my-index
_primary_term: 1
_seq_no: 0
_shards:
failed: 0
successful: 1
total: 2
_version: 1
result: created
status: 201
took: 135
status: ok
run_jira_connector_response:
summary: Response from retrieving the list of issue types for a Jira connector.
value:
connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6
data:
- id: 10024
name: Improvement
- id: 10006
name: Task
- id: 10007
name: Sub-task
- id: 10025
name: New Feature
- id: 10023
name: Bug
- id: 10000
name: Epic
status: ok
run_server_log_connector_response:
summary: Response from running a server log connector.
value:
connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907
status: ok
run_servicenow_itom_connector_response:
summary: Response from retrieving the list of choices for a ServiceNow ITOM connector.
value:
connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698
data:
- dependent_value: ''
element: severity
label: Critical
value: 1
- dependent_value: ''
element: severity
label: Major
value: 2
- dependent_value: ''
element: severity
label: Minor
value: 3
- dependent_value: ''
element: severity
label: Warning
value: 4
- dependent_value: ''
element: severity
label: OK
value: 5
- dependent_value: ''
element: severity
label: Clear
value: 0
- dependent_value: ''
element: urgency
label: 1 - High
value: 1
- dependent_value: ''
element: urgency
label: 2 - Medium
value: 2
- dependent_value: ''
element: urgency
label: 3 - Low
value: 3
status: ok
run_slack_api_connector_response:
summary: Response from posting a message with a Slack connector.
value:
status: ok
data:
ok: true
channel: C123ABC456
ts: '1234567890.123456'
message:
bot_id: B12BCDEFGHI
type: message
text: A test message
user: U12A345BC6D
ts: '1234567890.123456'
app_id: A01BC2D34EF
blocks:
- type: rich_text
block_id: /NXe
elements:
- type: rich_text_section
elements:
- type: text
text: A test message.
team: T01ABCDE2F
bot_profile:
id: B12BCDEFGHI
app_id: A01BC2D34EF
name: test
icons:
image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png
deleted: false
updated: 1672169705
team_id: T01ABCDE2F
connector_id: .slack_api
run_swimlane_connector_response:
summary: Response from creating a Swimlane incident.
value:
connector_id: a4746470-2f94-11ed-b0e0-87533c532698
data:
id: aKPmBHWzmdRQtx6Mx
title: TEST-457
url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx
pushedDate: '2022-09-08T16:52:27.866Z'
comments:
- commentId: 1
pushedDate: '2022-09-08T16:52:27.865Z'
status: ok
get_connectors_response:
summary: A list of connectors
value:
- id: preconfigured-email-connector
name: my-preconfigured-email-notification
connector_type_id: .email
is_preconfigured: true
is_deprecated: false
referenced_by_count: 0
is_system_action: false
- id: e07d0c80-8b8b-11ed-a780-3b746c987a81
name: my-index-connector
config:
index: test-index
refresh: false
executionTimeField: null
connector_type_id: .index
is_preconfigured: false
is_deprecated: false
referenced_by_count: 2
is_missing_secrets: false
is_system_action: false
get_roles_response1:
summary: Get all role details
value:
- name: my_kibana_role
description: My kibana role description
metadata:
version: 1
transient_metadata:
enabled: true
elasticsearch:
indices: []
cluster: []
run_as: []
kibana:
- base:
- all
feature: {}
spaces:
- '*'
- name: my_admin_role
description: My admin role description
metadata:
version: 1
transient_metadata:
enabled: true
elasticsearch:
cluster:
- all
indices:
- names:
- index1
- index2
privileges:
- all
field_security:
grant:
- title
- body
query: '{"match": {"title": "foo"}}'
kibana: []
get_role_response1:
summary: Get role details
value:
name: my_kibana_role
description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.
metadata:
version: 1
transient_metadata:
enabled: true
elasticsearch:
cluster:
- all
remote_cluster:
- privileges:
- monitor_enrich
clusters:
- remote_cluster1
indices:
- names:
- index1
- index2
privileges:
- all
allow_restricted_indices: false
remote_indices:
- names:
- remote_index1
- remote_index2
privileges:
- all
allow_restricted_indices: false
clusters:
- remote_cluster1
run_as: []
kibana:
- base:
- all
feature: {}
spaces:
- default
_transform_error: []
_unrecognized_applications: []
create_role_request1:
summary: Feature privileges in multiple spaces
description: Grant access to various features in some spaces.
value:
description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing and sales spaces.
metadata:
version: 1
elasticsearch:
cluster: []
indices: []
kibana:
- base: []
feature:
discover:
- all
dashboard:
- all
spaces:
- default
- base:
- read
spaces:
- marketing
- sales
create_role_request2:
summary: Dashboard privileges in a space
description: Grant access to dashboard features in a Marketing space.
value:
description: Grant dashboard access in the Marketing space.
metadata:
version: 1
elasticsearch:
cluster: []
indices: []
kibana:
- base: []
feature:
dashboard:
- read
spaces:
- marketing
create_role_request3:
summary: Feature privileges in a space
description: Grant full access to all features in the default space.
value:
metadata:
version: 1
elasticsearch:
cluster: []
indices: []
kibana:
- base:
- all
feature: {}
spaces:
- default
create_role_request4:
summary: Elasticsearch and Kibana feature privileges
description: Grant Elasticsearch and Kibana feature privileges.
value:
description: Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.
metadata:
version: 1
elasticsearch:
cluster:
- all
indices:
- names:
- index1
- index2
privileges:
- all
remote_indices:
- clusters:
- remote_cluster1
names:
- remote_index1
- remote_index2
privileges:
- all
remote_cluster:
- clusters:
- remote_cluster1
privileges:
- monitor_enrich
kibana:
- base:
- all
feature: {}
spaces:
- default
copy_saved_objects_request1:
summary: Copy with createNewCopies
description: |
Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view.
value:
objects:
- type: dashboard
id: my-dashboard
spaces:
- marketing
includeReferences: true
copy_saved_objects_request2:
summary: Copy without createNewCopies
description: |
Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view.
value:
objects:
- type: dashboard
id: my-dashboard
spaces:
- marketing
includeReferences: true
createNewCopies: false
copy_saved_objects_response1:
summary: Copy with createNewCopies
description: |
The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute.
value:
marketing:
success: true
successCount: 3
successResults:
- id: my-dashboard
type: dashboard
destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f
meta:
icon: dashboardApp
title: Look at my dashboard
- id: my-vis
type: visualization
destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04
meta:
icon: visualizeApp
title: Look at my visualization
- id: my-index-pattern
type: index-pattern
destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b
meta:
icon: indexPatternApp
title: my-pattern-*
copy_saved_objects_response2:
summary: Copy without createNewCopies
description: |
The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created.
value:
marketing:
success: true
successCount: 3
successResults:
- id: my-dashboard
type: dashboard
meta:
icon: dashboardApp
title: Look at my dashboard
- id: my-vis
type: visualization
meta:
icon: visualizeApp
title: Look at my visualization
- id: my-index-pattern
type: index-pattern
meta:
icon: indexPatternApp
title: my-pattern-*
copy_saved_objects_response3:
summary: Failed copy response with conflict errors
description: |
A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API.
value:
marketing:
success: true
successCount: 4
successResults:
- id: my-dashboard
type: dashboard
meta:
icon: dashboardApp
title: Look at my dashboard
- id: my-vis
type: visualization
meta:
icon: visualizeApp
title: Look at my visualization
- id: my-canvas
type: canvas-workpad
meta:
icon: canvasApp
title: Look at my canvas
- id: my-index-pattern
type: index-pattern
meta:
icon: indexPatternApp
title: my-pattern-*
sales:
success: false
successCount: 1
errors:
- id: my-pattern
type: index-pattern
title: my-pattern-*
error:
type: conflict
meta:
icon: indexPatternApp
title: my-pattern-*
- id: my-vis
type: visualization
title: Look at my visualization
error:
type: conflict
destinationId: another-vis
meta:
icon: visualizeApp
title: Look at my visualization
- id: my-canvas
type: canvas-workpad
title: Look at my canvas
error:
type: ambiguous_conflict
destinations:
- id: another-canvas
title: Look at another canvas
updatedAt: '2020-07-08T16:36:32.377Z'
- id: yet-another-canvas
title: Look at yet another canvas
updatedAt: '2020-07-05T12:29:54.849Z'
meta:
icon: canvasApp
title: Look at my canvas
successResults:
- id: my-dashboard
type: dashboard
meta:
icon: dashboardApp
title: Look at my dashboard
copy_saved_objects_response4:
summary: Failed copy with missing reference errors
description: |
The response for a failed copy of a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad, and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API.
value:
marketing:
success: false
successCount: 2
errors:
- id: my-vis
type: visualization
title: Look at my visualization
error:
type: missing_references
references:
- type: index-pattern
id: my-pattern-*
meta:
icon: visualizeApp
title: Look at my visualization
successResults:
- id: my-dashboard
type: dashboard
meta:
icon: dashboardApp
title: Look at my dashboard
- id: my-canvas
type: canvas-workpad
meta:
icon: canvasApp
title: Look at my canvas
disable_legacy_url_request1:
summary: Disable legacy URL aliases
description: |
This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL.
value:
aliases:
- targetSpace: bills-space
targetType: dashboard
sourceId: 123
get_shareable_references_request1:
summary: Get shareable references
description: |
Collect references and space contexts for a dashboard saved object.
value:
objects:
- type: dashboard
id: my-dashboard-id
get_shareable_references_response1:
summary: Get shareable references response
description: |
A response that includes the collected references and the spaces where the objects exist.
value:
objects:
- type: dashboard
id: my-dashboard-id
spaces:
- default
- marketing
inboundReferences: []
resolve_copy_saved_objects_request1:
summary: Resolve conflict errors
description: |
Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly.
value:
objects:
- type: dashboard
id: my-dashboard
includeReferences: true
createNewCopies: false
retries:
sales:
- type: index-pattern
id: my-pattern
overwrite: true
- type: visualization
id: my-vis
overwrite: true
destinationId: another-vis
- type: canvas-workpad
id: my-canvas
overwrite: true
destinationId: yet-another-canvas
- type: dashboard
id: my-dashboard
resolve_copy_saved_objects_request2:
summary: Resolve missing reference errors
description: |
Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly.
value:
objects:
- type: dashboard
id: my-dashboard
includeReferences: true
createNewCopies: false
retries:
marketing:
- type: visualization
id: my-vis
ignoreMissingReferences: true
- type: canvas-workpad
id: my-canvas
- type: dashboard
id: my-dashboard
update_saved_objects_spaces_request1:
summary: Update saved object spaces
description: Update the spaces of each saved object and all its references.
value:
objects:
- type: index-pattern
id: 90943e30-9a47-11e8-b64d-95841ca0b247
spacesToAdd:
- test
spacesToRemove: []
update_saved_objects_spaces_response1:
summary: Update saved object spaces
description: |
The response from updating the spaces of saved objects.
value:
objects:
- type: index-pattern
id: 90943e30-9a47-11e8-b64d-95841ca0b247
spaces:
- default
- test
get_spaces_response1:
summary: Get all spaces
description: Get all spaces without specifying any options.
value:
- id: default
name: Default
description: This is the Default Space
disabledFeatures: []
imageUrl: ''
_reserved: true
- id: marketing
name: Marketing
description: This is the Marketing Space
color: null
disabledFeatures:
- apm
initials: MK
imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU
- id: sales
name: Sales
initials: MK
disabledFeatures:
- discover
imageUrl: ''
solution: oblt
get_spaces_response2:
summary: Get all spaces with custom options
description: |
The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true"
value:
- id: default
name: Default
description: This is the Default Space
disabledFeatures: []
imageUrl: ''
_reserved: true
authorizedPurposes:
any: true
copySavedObjectsIntoSpace: true
findSavedObjects: true
shareSavedObjectsIntoSpace: true
- id: marketing
name: Marketing
description: This is the Marketing Space
color: null
disabledFeatures:
- apm
initials: MK
imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU
authorizedPurposes:
any: true
copySavedObjectsIntoSpace: true
findSavedObjects: true
shareSavedObjectsIntoSpace: true
- id: sales
name: Sales
initials: MK
disabledFeatures:
- discover
imageUrl: ''
authorizedPurposes:
any: true
copySavedObjectsIntoSpace: false
findSavedObjects: true
shareSavedObjectsIntoSpace: false
create_space_request:
summary: Create a marketing space
value:
id: marketing
name: Marketing
description: This is the Marketing Space
color: null
initials: MK
disabledFeatures: []
imageUrl: data:image/png;base64,...
get_space_response:
summary: Get details about a marketing space
value:
id: marketing
name: Marketing
description: This is the Marketing Space
color: null
initials: MK
disabledFeatures: []
imageUrl: ''
solution: es
update_space_request:
summary: Update a marketing space
description: Update the marketing space to remove the imageUrl.
value:
id: marketing
name: Marketing
description: This is the Marketing Space
color: null
initials: MK
disabledFeatures: []
imageUrl: ''
parameters:
APM_UI_elastic_api_version:
description: The version of the API to use
in: header
name: elastic-api-version
required: true
schema:
default: '2023-10-31'
enum:
- '2023-10-31'
type: string
APM_UI_kbn_xsrf:
description: A required header to protect against CSRF attacks
in: header
name: kbn-xsrf
required: true
schema:
example: 'true'
type: string
Cases_alert_id:
description: An identifier for the alert.
in: path
name: alertId
required: true
schema:
example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540
type: string
Cases_assignees_filter:
description: |
Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.
in: query
name: assignees
schema:
oneOf:
- $ref: '#/components/schemas/Cases_string'
- $ref: '#/components/schemas/Cases_string_array'
Cases_case_id:
description: The identifier for the case. To retrieve case IDs, use the search cases (`_find`) API. All non-ASCII characters must be URL encoded.
in: path
name: caseId
required: true
schema:
example: 9c235210-6834-11ea-a78c-6ffb38a34414
type: string
Cases_category:
description: Filters the returned cases by category.
in: query
name: category
schema:
oneOf:
- $ref: '#/components/schemas/Cases_case_category'
- $ref: '#/components/schemas/Cases_case_categories'
Cases_comment_id:
description: |
The identifier for the comment. To retrieve comment IDs, use the get case or search cases (`_find`) APIs.
in: path
name: commentId
required: true
schema:
example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2
type: string
Cases_configuration_id:
description: An identifier for the configuration.
in: path
name: configurationId
required: true
schema:
example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9
type: string
Cases_connector_id:
description: An identifier for the connector. To retrieve connector IDs, use the find connectors API.
in: path
name: connectorId
required: true
schema:
example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2
type: string
Cases_defaultSearchOperator:
description: The default operator to use for the simple_query_string.
example: OR
in: query
name: defaultSearchOperator
schema:
default: OR
type: string
Cases_from:
description: |
Returns only cases that were created after a specific date. The date must be specified as a KQL date range or date match expression.
in: query
name: from
schema:
example: now-1d
type: string
Cases_ids:
description: |
The cases that you want to remove. To get the case identifiers, use the search cases (`_find`) API. In the Dev Console, you can specify the array of cases in the following format: `ids=["e58e77e3-ef8e-4251-926f-efb115f3c4ec"]`. In `curl`, all non-ASCII characters must be URL encoded. For example: `ids=%5B%22e58e77e3-ef8e-4251-926f-efb115f3c4ec%22%5D`
in: query
name: ids
required: true
schema:
items:
example: d4e7abb0-b462-11ec-9a8d-698504725a43
maxItems: 100
minItems: 1
type: string
type: array
Cases_kbn_xsrf:
description: Cross-site request forgery protection
in: header
name: kbn-xsrf
required: true
schema:
type: string
Cases_owner_filter:
description: |
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
example: cases
in: query
name: owner
schema:
oneOf:
- $ref: '#/components/schemas/Cases_owner'
- $ref: '#/components/schemas/Cases_owners'
Cases_page_index:
description: The page number to return.
example: 1
in: query
name: page
required: false
schema:
default: 1
type: integer
Cases_page_size:
description: The number of items to return. Limited to 100 items.
example: 20
in: query
name: perPage
required: false
schema:
default: 20
maximum: 100
type: integer
Cases_reporters:
description: Filters the returned cases by the user name of the reporter.
example: elastic
in: query
name: reporters
schema:
oneOf:
- $ref: '#/components/schemas/Cases_string'
- $ref: '#/components/schemas/Cases_string_array'
Cases_search:
description: An Elasticsearch simple_query_string query that filters the objects in the response.
example: Case title 1
in: query
name: search
schema:
type: string
Cases_searchFields:
description: The fields to perform the simple_query_string parsed query against.
in: query
name: searchFields
schema:
oneOf:
- $ref: '#/components/schemas/Cases_searchFieldsType'
- $ref: '#/components/schemas/Cases_searchFieldsTypeArray'
Cases_severity:
description: The severity of the case.
example: low
in: query
name: severity
schema:
enum:
- critical
- high
- low
- medium
type: string
Cases_sort_order:
description: Determines the sort order.
example: desc
in: query
name: sortOrder
required: false
schema:
default: desc
enum:
- asc
- desc
type: string
Cases_sortField:
description: Determines which field is used to sort the results.
example: updatedAt
in: query
name: sortField
schema:
default: createdAt
enum:
- createdAt
- updatedAt
- closedAt
- title
- category
- status
- severity
type: string
Cases_status:
description: Filters the returned cases by state.
example: open
in: query
name: status
schema:
enum:
- closed
- in-progress
- open
type: string
Cases_tags:
description: Filters the returned cases by tags.
example: tag-1
in: query
name: tags
schema:
oneOf:
- $ref: '#/components/schemas/Cases_string'
- $ref: '#/components/schemas/Cases_string_array'
Cases_to:
description: |
Returns only cases that were created before a specific date. The date must be specified as a KQL date range or date match expression.
example: now+1d
in: query
name: to
schema:
type: string
Cases_user_action_types:
description: Determines the types of user actions to return.
in: query
name: types
schema:
items:
enum:
- action
- alert
- assignees
- attachment
- comment
- connector
- create_case
- description
- pushed
- settings
- severity
- status
- tags
- title
- user
example: create_case
type: string
type: array
Data_views_field_name:
description: The name of the runtime field.
in: path
name: fieldName
required: true
schema:
example: hour_of_day
type: string
Data_views_kbn_xsrf:
description: Cross-site request forgery protection
in: header
name: kbn-xsrf
required: true
schema:
type: string
Data_views_view_id:
description: An identifier for the data view.
in: path
name: viewId
required: true
schema:
example: ff959d40-b880-11e8-a6d9-e546fe2bba5f
type: string
Machine_learning_APIs_simulateParam:
description: When true, simulates the synchronization by returning only the list of actions that would be performed.
example: 'true'
in: query
name: simulate
required: false
schema:
type: boolean
Short_URL_APIs_idParam:
description: The identifier for the short URL.
in: path
name: id
required: true
schema:
type: string
SLOs_kbn_xsrf:
description: Cross-site request forgery protection
in: header
name: kbn-xsrf
required: true
schema:
type: string
SLOs_slo_id:
description: An identifier for the SLO.
in: path
name: sloId
required: true
schema:
example: 9c235211-6834-11ea-a78c-6feb38a34414
type: string
SLOs_space_id:
description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used.
in: path
name: spaceId
required: true
schema:
example: default
type: string
schemas:
Alerting_401_response:
properties:
error:
enum:
- Unauthorized
example: Unauthorized
type: string
message:
type: string
statusCode:
enum:
- 401
example: 401
type: integer
title: Unsuccessful rule API response
type: object
Alerting_fieldmap_properties:
title: Field map objects in the get rule types response
type: object
properties:
array:
description: Indicates whether the field is an array.
type: boolean
dynamic:
description: Indicates whether it is a dynamic field mapping.
type: boolean
format:
description: |
Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`.
type: string
ignore_above:
description: Specifies the maximum length of a string field. Longer strings are not indexed or stored.
type: integer
index:
description: Indicates whether field values are indexed.
type: boolean
path:
description: TBD
type: string
properties:
additionalProperties:
type: object
properties:
type:
description: The data type for each object property.
type: string
description: |
Details about the object properties. This property is applicable when `type` is `object`.
type: object
required:
description: Indicates whether the field is required.
type: boolean
scaling_factor:
description: |
The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value.
type: integer
type:
description: Specifies the data type for the field.
example: scaled_float
type: string
APM_UI_400_response:
type: object
properties:
error:
description: Error type
example: Bad Request
type: string
message:
description: Error message
example: Bad Request
type: string
statusCode:
description: Error status code
example: 400
type: number
APM_UI_401_response:
type: object
properties:
error:
description: Error type
example: Unauthorized
type: string
message:
description: Error message
type: string
statusCode:
description: Error status code
example: 401
type: number
APM_UI_403_response:
type: object
properties:
error:
description: Error type
example: Forbidden
type: string
message:
description: Error message
type: string
statusCode:
description: Error status code
example: 403
type: number
APM_UI_404_response:
type: object
properties:
error:
description: Error type
example: Not Found
type: string
message:
description: Error message
example: Not Found
type: string
statusCode:
description: Error status code
example: 404
type: number
APM_UI_500_response:
type: object
properties:
error:
description: Error type
example: Internal Server Error
type: string
message:
description: Error message
type: string
statusCode:
description: Error status code
example: 500
type: number
APM_UI_501_response:
type: object
properties:
error:
description: Error type
example: Not Implemented
type: string
message:
description: Error message
example: Not Implemented
type: string
statusCode:
description: Error status code
example: 501
type: number
APM_UI_agent_configuration_intake_object:
type: object
properties:
agent_name:
description: The agent name is used by the UI to determine which settings to display.
type: string
service:
$ref: '#/components/schemas/APM_UI_service_object'
settings:
$ref: '#/components/schemas/APM_UI_settings_object'
required:
- service
- settings
APM_UI_agent_configuration_object:
description: Agent configuration
type: object
properties:
'@timestamp':
description: Timestamp
example: 1730194190636
type: number
agent_name:
description: Agent name
type: string
applied_by_agent:
description: Applied by agent
example: true
type: boolean
etag:
description: |
`etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`.
example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85
type: string
service:
$ref: '#/components/schemas/APM_UI_service_object'
settings:
$ref: '#/components/schemas/APM_UI_settings_object'
required:
- service
- settings
- '@timestamp'
- etag
APM_UI_agent_configurations_response:
type: object
properties:
configurations:
description: Agent configuration
items:
$ref: '#/components/schemas/APM_UI_agent_configuration_object'
type: array
APM_UI_agent_keys_object:
type: object
properties:
name:
description: The name of the APM agent key.
type: string
privileges:
description: |
The APM agent key privileges. It can take one or more of the following values:
* `event:write`, which is required for ingesting APM agent events.
* `config_agent:read`, which is required for APM agents to read agent configuration remotely.
items:
enum:
- event:write
- config_agent:read
type: string
type: array
required:
- name
- privileges
APM_UI_agent_keys_response:
type: object
properties:
agentKey:
description: Agent key
type: object
properties:
api_key:
type: string
encoded:
type: string
expiration:
format: int64
type: integer
id:
type: string
name:
type: string
required:
- id
- name
- api_key
- encoded
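A worked example, added here and not part of the Kibana project or of this specification, showing how a client would assemble a least-privilege create-agent-key request and consume the `agentKey` response defined above. It assumes that `encoded` is base64 of `id:api_key` (the Elasticsearch API key convention) and that `expiration` is epoch milliseconds; the sample response is constructed, and no endpoint URL is given because this section only defines the schemas.

```python
import base64
from datetime import datetime, timezone
from typing import List, Optional

# The two privileges enumerated in APM_UI_agent_keys_object.
ALLOWED_PRIVILEGES = {"event:write", "config_agent:read"}


def build_agent_key_request(name: str, privileges: List[str]) -> dict:
    """Return the headers and JSON body for a create-agent-key request.

    Unknown privileges are rejected up front so that a typo cannot silently
    request a broader key than intended.
    """
    requested = set(privileges)
    unknown = requested - ALLOWED_PRIVILEGES
    if unknown:
        raise ValueError(f"unsupported agent key privilege(s): {sorted(unknown)}")
    if not requested:
        raise ValueError("an agent key needs at least one privilege")
    return {
        "headers": {
            # Kibana rejects state-changing requests without a kbn-xsrf header.
            "kbn-xsrf": "true",
            "Content-Type": "application/json",
        },
        "body": {"name": name, "privileges": sorted(requested)},
    }


def agent_authorization_header(response: dict) -> str:
    """Derive the Authorization header value the APM agent will present.

    Assumption: `encoded` is base64("<id>:<api_key>"), the Elasticsearch API
    key convention; the check below fails closed if the response disagrees.
    """
    key = response["agentKey"]
    expected = base64.b64encode(f"{key['id']}:{key['api_key']}".encode()).decode()
    if key["encoded"] != expected:
        raise ValueError("encoded does not match base64(id:api_key)")
    return f"ApiKey {key['encoded']}"


def key_expiry(response: dict) -> Optional[datetime]:
    """Assumption: the int64 `expiration` is epoch milliseconds; None when absent."""
    expiration = response["agentKey"].get("expiration")
    if expiration is None:
        return None
    return datetime.fromtimestamp(expiration / 1000, tz=timezone.utc)


# Constructed sample response in the shape of APM_UI_agent_keys_response.
# The id and api_key are placeholders, not real credentials.
SAMPLE_RESPONSE = {
    "agentKey": {
        "id": "agentkey-id-0001",
        "name": "java-agent-prod",
        "api_key": "placeholder-secret-value",
        "encoded": base64.b64encode(b"agentkey-id-0001:placeholder-secret-value").decode(),
        "expiration": 1730194190636,
    }
}

if __name__ == "__main__":
    print(build_agent_key_request("java-agent-prod", ["event:write"]))
    print(agent_authorization_header(SAMPLE_RESPONSE))
    print(key_expiry(SAMPLE_RESPONSE))
```

The `encoded` value is the secret that goes into the agent's configuration; `id` and `api_key` together are equivalent to it, so none of the three should be logged or stored outside the agent's secret store. Requesting only `event:write` for an agent that does not fetch remote configuration keeps the key's blast radius to event ingestion.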
APM_UI_annotation_search_response:
type: object
properties:
annotations:
description: Annotations
items:
type: object
properties:
'@timestamp':
type: number
id:
type: string
text:
type: string
type:
enum:
- version
type: string
type: array
APM_UI_base_source_map_object:
type: object
properties:
compressionAlgorithm:
description: Compression Algorithm
type: string
created:
description: Created date
type: string
decodedSha256:
description: Decoded SHA-256
type: string
decodedSize:
description: Decoded size
type: number
encodedSha256:
description: Encoded SHA-256
type: string
encodedSize:
description: Encoded size
type: number
encryptionAlgorithm:
description: Encryption Algorithm
type: string
id:
description: Identifier
type: string
identifier:
description: Identifier
type: string
packageName:
description: Package name
type: string
relative_url:
description: Relative URL
type: string
type:
description: Type
type: string
APM_UI_create_annotation_object:
type: object
properties:
'@timestamp':
description: The date and time of the annotation. It must be in ISO 8601 format.
type: string
message:
description: The message displayed in the annotation. It defaults to `service.version`.
type: string
service:
description: The service that identifies the configuration to create or update.
type: object
properties:
environment:
description: The environment of the service.
type: string
version:
description: The version of the service.
type: string
required:
- version
tags:
description: |
Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag.
items:
type: string
type: array
required:
- '@timestamp'
- service
APM_UI_create_annotation_response:
type: object
properties:
_id:
description: Identifier
type: string
_index:
description: Index
type: string
_source:
description: Response
type: object
properties:
'@timestamp':
type: string
annotation:
type: object
properties:
title:
type: string
type:
type: string
event:
type: object
properties:
created:
type: string
message:
type: string
service:
type: object
properties:
environment:
type: string
name:
type: string
version:
type: string
tags:
items:
type: string
type: array
APM_UI_delete_agent_configurations_response:
type: object
properties:
result:
description: Result
type: string
APM_UI_delete_service_object:
description: Service
type: object
properties:
service:
$ref: '#/components/schemas/APM_UI_service_object'
required:
- service
APM_UI_search_agent_configuration_object:
type: object
properties:
error:
description: |
If provided, the agent configuration will be marked as error and `applied_by_agent` will be set to `false`.
This is useful for cases where the agent configuration was not applied successfully.
type: string
etag:
description: If the etag matches the etag of the stored configuration, the `applied_by_agent` field is set to `true`.
example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85
type: string
mark_as_applied_by_agent:
description: |
When `true`, `applied_by_agent` is forced to `true` regardless of the `etag`.
This is needed for the Jaeger agent, which does not send etags.
type: boolean
service:
$ref: '#/components/schemas/APM_UI_service_object'
required:
- service
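The etag handshake described by `APM_UI_agent_configuration_object` and `APM_UI_search_agent_configuration_object` above, modelled in Python as an added example that is not Kibana's implementation. How settings are hashed into an etag is an assumption (the page only shows 40-hex-character etags, so SHA-1 over canonical JSON stands in), as is the precedence of `error` over `mark_as_applied_by_agent` over an etag match.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


def compute_etag(settings: dict) -> str:
    """Stand-in etag: SHA-1 over the canonical JSON of `settings` (assumption).

    The page shows 40-hex-character etags but does not say how they are derived.
    """
    canonical = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    return hashlib.sha1(canonical.encode()).hexdigest()


@dataclass
class AgentConfiguration:
    """Mirror of APM_UI_agent_configuration_object, minus @timestamp."""
    service: dict
    settings: dict
    etag: str
    applied_by_agent: bool = False
    agent_name: Optional[str] = None
    error: Optional[str] = None  # last error reported by an agent, if any


def create_configuration(service: dict, settings: dict) -> AgentConfiguration:
    """A new configuration starts out as not yet applied by any agent."""
    return AgentConfiguration(service=service, settings=settings, etag=compute_etag(settings))


def edit_configuration(config: AgentConfiguration, settings: dict) -> AgentConfiguration:
    """Every edit produces a new etag and resets applied_by_agent to false."""
    config.settings = settings
    config.etag = compute_etag(settings)
    config.applied_by_agent = False
    return config


def apply_search(config: AgentConfiguration, search: dict) -> AgentConfiguration:
    """Side effects of APM_UI_search_agent_configuration_object on the stored config.

    Precedence is an assumption: an `error` report wins, then
    `mark_as_applied_by_agent`, then a matching `etag`.
    """
    if search.get("error"):
        config.error = search["error"]
        config.applied_by_agent = False
    elif search.get("mark_as_applied_by_agent"):
        config.applied_by_agent = True
    elif search.get("etag") is not None and search["etag"] == config.etag:
        config.applied_by_agent = True
    return config


if __name__ == "__main__":
    # Constructed sample: one service and a single settings edit.
    cfg = create_configuration({"name": "node", "environment": "prod"},
                               {"transaction_sample_rate": "0.5"})
    apply_search(cfg, {"service": cfg.service, "etag": cfg.etag})
    print(cfg.applied_by_agent)   # True: the agent reported the current etag
    edit_configuration(cfg, {"transaction_sample_rate": "1.0"})
    print(cfg.applied_by_agent)   # False: reset by the edit
```

Both `etag` and `mark_as_applied_by_agent` are supplied by the caller, so `applied_by_agent` is a self-report from whoever holds a key with `config_agent:read`, not something the server verifies. Treat it as a health indicator for the rollout, not as proof that a setting is in effect.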
APM_UI_search_agent_configuration_response:
type: object
properties:
_id:
description: Identifier
type: string
_index:
description: Index
type: string
_score:
description: Score
type: number
_source:
$ref: '#/components/schemas/APM_UI_agent_configuration_object'
APM_UI_service_agent_name_response:
type: object
properties:
agentName:
description: Agent name
example: nodejs
type: string
APM_UI_service_environment_object:
type: object
properties:
alreadyConfigured:
description: Already configured
type: boolean
name:
description: Service environment name
example: ALL_OPTION_VALUE
type: string
APM_UI_service_environments_response:
type: object
properties:
environments:
description: Service environment list
items:
$ref: '#/components/schemas/APM_UI_service_environment_object'
type: array
APM_UI_service_object:
description: Service
type: object
properties:
environment:
description: The environment of the service.
example: prod
type: string
name:
description: The name of the service.
example: node
type: string
APM_UI_settings_object:
additionalProperties:
type: string
description: Agent configuration settings
type: object
APM_UI_single_agent_configuration_response:
allOf:
- type: object
properties:
id:
type: string
required:
- id
- $ref: '#/components/schemas/APM_UI_agent_configuration_object'
APM_UI_source_maps_response:
type: object
properties:
artifacts:
description: Artifacts
items:
allOf:
- type: object
properties:
body:
type: object
properties:
bundleFilepath:
type: string
serviceName:
type: string
serviceVersion:
type: string
sourceMap:
type: object
properties:
file:
type: string
mappings:
type: string
sourceRoot:
type: string
sources:
items:
type: string
type: array
sourcesContent:
items:
type: string
type: array
version:
type: number
- $ref: '#/components/schemas/APM_UI_base_source_map_object'
type: array
APM_UI_upload_source_map_object:
type: object
properties:
bundle_filepath:
description: The absolute path of the final bundle as used in the web application.
type: string
service_name:
description: The name of the service that the source map should apply to.
type: string
service_version:
description: The version of the service that the source map should apply to.
type: string
sourcemap:
description: |
The source map. It can be a string or file upload. It must follow the
[source map format specification](https://tc39.es/ecma426/).
format: binary
type: string
required:
- service_name
- service_version
- bundle_filepath
- sourcemap
APM_UI_upload_source_maps_response:
allOf:
- type: object
properties:
body:
type: string
- $ref: '#/components/schemas/APM_UI_base_source_map_object'
Cases_actions:
enum:
- add
- create
- delete
- push_to_service
- update
example: create
type: string
Cases_add_alert_comment_request_properties:
description: Defines properties for case comment requests when type is alert.
type: object
properties:
alertId:
$ref: '#/components/schemas/Cases_alert_identifiers'
index:
$ref: '#/components/schemas/Cases_alert_indices'
owner:
$ref: '#/components/schemas/Cases_owner'
rule:
$ref: '#/components/schemas/Cases_rule'
type:
description: The type of comment.
enum:
- alert
example: alert
type: string
required:
- alertId
- index
- owner
- rule
- type
title: Add case comment request properties for alerts
Cases_add_case_comment_request:
description: The add comment to case API request body varies depending on whether you are adding an alert or a comment.
discriminator:
mapping:
alert: '#/components/schemas/Cases_add_alert_comment_request_properties'
user: '#/components/schemas/Cases_add_user_comment_request_properties'
propertyName: type
oneOf:
- $ref: '#/components/schemas/Cases_add_alert_comment_request_properties'
- $ref: '#/components/schemas/Cases_add_user_comment_request_properties'
title: Add case comment request
Cases_add_case_file_request:
description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined.
type: object
properties:
file:
description: The file being attached to the case.
format: binary
type: string
filename:
description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.**
type: string
required:
- file
title: Add case file request properties
Cases_add_user_comment_request_properties:
description: Defines properties for case comment requests when type is user.
properties:
comment:
description: The new comment. It is required only when `type` is `user`.
example: A new comment.
maxLength: 30000
type: string
owner:
$ref: '#/components/schemas/Cases_owner'
type:
description: The type of comment.
enum:
- user
example: user
type: string
required:
- comment
- owner
- type
title: Add case comment request properties for user comments
type: object
Cases_alert_comment_response_properties:
title: Add case comment response properties for alerts
type: object
properties:
alertId:
items:
example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446
type: string
type: array
created_at:
example: '2023-11-06T19:29:38.424Z'
format: date-time
type: string
created_by:
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
id:
example: 73362370-ab1a-11ec-985f-97e55adae8b9
type: string
index:
items:
example: .internal.alerts-security.alerts-default-000001
type: string
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
pushed_at:
example: null
format: date-time
nullable: true
type: string
pushed_by:
nullable: true
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
rule:
type: object
properties:
id:
description: The rule identifier.
example: 94d80550-aaf4-11ec-985f-97e55adae8b9
nullable: true
type: string
name:
description: The rule name.
example: security_rule
nullable: true
type: string
type:
enum:
- alert
example: alert
type: string
updated_at:
format: date-time
nullable: true
type: string
updated_by:
nullable: true
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
version:
example: WzMwNDgsMV0=
type: string
required:
- type
Cases_alert_identifiers:
description: |
The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42
oneOf:
- type: string
- items:
type: string
maxItems: 1000
type: array
title: Alert identifiers
x-state: Technical preview
Cases_alert_indices:
description: |
The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
oneOf:
- type: string
- items:
type: string
maxItems: 1000
type: array
title: Alert indices
x-state: Technical preview
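The alert/user discriminator of `Cases_add_case_comment_request` and the `alertId`/`index` pairing rule from the two technical-preview schemas above, as an added Python example that is not part of Kibana. The owner and rule values in the sample are constructed; `Cases_owner` and `Cases_rule` are defined elsewhere in this document and are passed through without further checks.

```python
from typing import Dict, List, Union

MAX_ALERTS_PER_REQUEST = 1000    # maxItems on alertId and index
MAX_USER_COMMENT_LENGTH = 30000  # maxLength on comment

# Required properties per variant, taken from the two request-properties schemas.
REQUIRED_BY_TYPE: Dict[str, set] = {
    "alert": {"alertId", "index", "owner", "rule", "type"},
    "user": {"comment", "owner", "type"},
}

StrOrList = Union[str, List[str]]


def _as_list(value: StrOrList) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def build_alert_comment(alert_id: StrOrList, index: StrOrList, owner: str, rule: dict) -> dict:
    """Build the alert variant of the add-comment body.

    alertId and index must be either both strings or both arrays of the same
    length, because the index at position i belongs to the alert at position i.
    Mixed forms or mismatched lengths are rejected here rather than producing a
    body that attaches alerts to the wrong indices.
    """
    if isinstance(alert_id, str) != isinstance(index, str):
        raise ValueError("alertId and index must both be strings or both be arrays")
    ids, indices = _as_list(alert_id), _as_list(index)
    if len(ids) != len(indices):
        raise ValueError(f"alertId has {len(ids)} entries but index has {len(indices)}")
    if not 1 <= len(ids) <= MAX_ALERTS_PER_REQUEST:
        raise ValueError(f"a request may attach 1 to {MAX_ALERTS_PER_REQUEST} alerts")
    return {"type": "alert", "alertId": alert_id, "index": index, "owner": owner, "rule": rule}


def build_user_comment(comment: str, owner: str) -> dict:
    """Build the user variant of the add-comment body."""
    if not comment:
        raise ValueError("comment must not be empty")
    if len(comment) > MAX_USER_COMMENT_LENGTH:
        raise ValueError(f"comment exceeds {MAX_USER_COMMENT_LENGTH} characters")
    return {"type": "user", "comment": comment, "owner": owner}


def validate_comment_request(body: dict) -> str:
    """Apply the discriminator: select the variant by `type`, then check its required keys.

    Returns the variant name so callers can route on it.
    """
    variant = body.get("type")
    if variant not in REQUIRED_BY_TYPE:
        raise ValueError(f"unknown comment type: {variant!r}")
    missing = REQUIRED_BY_TYPE[variant] - set(body)
    if missing:
        raise ValueError(f"{variant} comment is missing {sorted(missing)}")
    if variant == "alert":
        # Re-run the pairing check so a hand-built body gets the same validation.
        build_alert_comment(body["alertId"], body["index"], body["owner"], body["rule"])
    else:
        build_user_comment(body["comment"], body["owner"])
    return variant


if __name__ == "__main__":
    # Constructed sample: two alerts from one rule, each paired with its index.
    body = build_alert_comment(
        ["6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42",
         "a6e12ac4-7bce-457b-84f6-d7ce8deb8446"],
        [".internal.alerts-security.alerts-default-000001"] * 2,
        owner="securitySolution",
        rule={"id": "94d80550-aaf4-11ec-985f-97e55adae8b9", "name": "security_rule"},
    )
    print(validate_comment_request(body), body)
```

Validating before sending matters because the server-side pairing is positional: an off-by-one between `alertId` and `index` attaches the right alert IDs to the wrong indices, which a 200 response will not reveal.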
Cases_alert_response_properties:
type: object
properties:
attached_at:
format: date-time
type: string
id:
description: The alert identifier.
type: string
index:
description: The alert index.
type: string
Cases_assignees:
description: An array containing users that are assigned to the case.
items:
type: object
properties:
uid:
description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0
type: string
required:
- uid
maxItems: 10
nullable: true
type: array
Cases_attachment_totals:
description: Counts of alerts, events, and user comments attached to a case.
properties:
alerts:
description: Number of alert attachments on the case.
type: integer
events:
description: Number of event attachments on the case.
type: integer
userComments:
description: Number of user comment attachments on the case.
type: integer
required:
- alerts
- events
- userComments
title: Attachment totals
type: object
Cases_case_categories:
items:
$ref: '#/components/schemas/Cases_case_category'
maxItems: 100
type: array
Cases_case_category:
description: A word or phrase that categorizes the case.
maxLength: 50
type: string
Cases_case_close_sync_reason:
description: |
The close reason to sync to attached alerts when closing the case. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user.
oneOf:
- enum:
- false_positive
- duplicate
- true_positive
- benign_positive
- automated_closure
- other
type: string
- type: string
Cases_case_description:
description: The description for the case.
maxLength: 30000
type: string
Cases_case_observable:
description: A single observable attached to a case.
properties:
createdAt:
description: When the observable was created.
example: '2024-11-14T10:00:00.000Z'
format: date-time
type: string
description:
description: An optional description for the observable.
example: Source IP
nullable: true
type: string
id:
description: The observable identifier.
example: df927ab8-54ed-47d6-be07-9948c255c097
type: string
typeKey:
description: The observable type key.
example: observable-type-ipv4
type: string
updatedAt:
description: When the observable was last updated.
example: '2024-11-14T10:00:00.000Z'
format: date-time
nullable: true
type: string
value:
description: The observable value.
example: 10.0.0.8
type: string
required:
- id
- typeKey
- value
- description
- createdAt
- updatedAt
title: Case observable
type: object
Cases_case_response_closed_by_properties:
nullable: true
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
title: Case response properties for closed_by
type: object
Cases_case_response_created_by_properties:
title: Case response properties for created_by
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
Cases_case_response_get_case:
description: |
Case details returned by the get case API. The comments property is not included in the response. Use the find case comments API to retrieve comments. totalComment reflects the actual number of user comments.
properties:
assignees:
$ref: '#/components/schemas/Cases_assignees'
category:
description: The case category.
nullable: true
type: string
closed_at:
format: date-time
nullable: true
type: string
closed_by:
$ref: '#/components/schemas/Cases_case_response_closed_by_properties'
connector:
discriminator:
mapping:
.cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook'
.jira: '#/components/schemas/Cases_connector_properties_jira'
.none: '#/components/schemas/Cases_connector_properties_none'
.resilient: '#/components/schemas/Cases_connector_properties_resilient'
.servicenow: '#/components/schemas/Cases_connector_properties_servicenow'
.servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir'
.swimlane: '#/components/schemas/Cases_connector_properties_swimlane'
propertyName: type
oneOf:
- $ref: '#/components/schemas/Cases_connector_properties_none'
- $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
- $ref: '#/components/schemas/Cases_connector_properties_jira'
- $ref: '#/components/schemas/Cases_connector_properties_resilient'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
- $ref: '#/components/schemas/Cases_connector_properties_swimlane'
title: Case response properties for connectors
created_at:
example: '2022-05-13T09:16:17.416Z'
format: date-time
type: string
created_by:
$ref: '#/components/schemas/Cases_case_response_created_by_properties'
customFields:
description: Custom field values for the case.
items:
type: object
properties:
key:
description: |
The unique identifier for the custom field. The key value must exist in the case configuration settings.
type: string
type:
description: |
The custom field type. It must match the type specified in the case configuration settings.
enum:
- text
- toggle
type: string
value:
description: |
The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
oneOf:
- maxLength: 160
minLength: 1
nullable: true
type: string
- type: boolean
type: array
description:
example: A case description.
type: string
duration:
description: |
The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
example: 120
nullable: true
type: integer
external_service:
$ref: '#/components/schemas/Cases_external_service'
id:
example: 66b9aa00-94fa-11ea-9f74-e7e108796192
type: string
incremental_id:
description: |
A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response.
example: 1
nullable: true
type: integer
observables:
description: Observables attached to the case.
items:
$ref: '#/components/schemas/Cases_case_observable'
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
settings:
$ref: '#/components/schemas/Cases_settings'
severity:
$ref: '#/components/schemas/Cases_case_severity'
status:
$ref: '#/components/schemas/Cases_case_status'
tags:
example:
- tag-1
items:
type: string
type: array
title:
example: Case title 1
type: string
total_observables:
description: The number of observables attached to the case.
example: 0
nullable: true
type: integer
totalAlerts:
example: 0
type: integer
totalComment:
description: The number of user comments on the case. Use the find case comments API to retrieve comment content.
example: 1
type: integer
totalEvents:
description: The number of events attached to the case.
example: 0
type: integer
updated_at:
format: date-time
nullable: true
type: string
updated_by:
$ref: '#/components/schemas/Cases_case_response_updated_by_properties'
version:
example: WzUzMiwxXQ==
type: string
required:
- closed_at
- closed_by
- connector
- created_at
- created_by
- description
- duration
- external_service
- id
- observables
- owner
- settings
- severity
- status
- tags
- title
- totalAlerts
- totalComment
- total_observables
- updated_at
- updated_by
- version
title: Get case response
type: object
Cases_case_response_properties:
title: Case response properties
type: object
properties:
assignees:
$ref: '#/components/schemas/Cases_assignees'
category:
description: The case category.
nullable: true
type: string
closed_at:
format: date-time
nullable: true
type: string
closed_by:
$ref: '#/components/schemas/Cases_case_response_closed_by_properties'
comments:
description: An array of comment objects for the case.
items:
discriminator:
mapping:
alert: '#/components/schemas/Cases_alert_comment_response_properties'
event: '#/components/schemas/Cases_event_comment_response_properties'
user: '#/components/schemas/Cases_user_comment_response_properties'
propertyName: type
oneOf:
- $ref: '#/components/schemas/Cases_alert_comment_response_properties'
- $ref: '#/components/schemas/Cases_event_comment_response_properties'
- $ref: '#/components/schemas/Cases_user_comment_response_properties'
maxItems: 10000
title: Case response properties for comments
type: array
connector:
discriminator:
mapping:
.cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook'
.jira: '#/components/schemas/Cases_connector_properties_jira'
.none: '#/components/schemas/Cases_connector_properties_none'
.resilient: '#/components/schemas/Cases_connector_properties_resilient'
.servicenow: '#/components/schemas/Cases_connector_properties_servicenow'
.servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir'
.swimlane: '#/components/schemas/Cases_connector_properties_swimlane'
propertyName: type
oneOf:
- $ref: '#/components/schemas/Cases_connector_properties_none'
- $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
- $ref: '#/components/schemas/Cases_connector_properties_jira'
- $ref: '#/components/schemas/Cases_connector_properties_resilient'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
- $ref: '#/components/schemas/Cases_connector_properties_swimlane'
title: Case response properties for connectors
created_at:
example: '2022-05-13T09:16:17.416Z'
format: date-time
type: string
created_by:
$ref: '#/components/schemas/Cases_case_response_created_by_properties'
customFields:
description: Custom field values for the case.
items:
type: object
properties:
key:
description: |
The unique identifier for the custom field. The key value must exist in the case configuration settings.
type: string
type:
description: |
The custom field type. It must match the type specified in the case configuration settings.
enum:
- text
- toggle
type: string
value:
description: |
The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
oneOf:
- maxLength: 160
minLength: 1
nullable: true
type: string
- type: boolean
type: array
description:
example: A case description.
type: string
duration:
description: |
The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
example: 120
nullable: true
type: integer
external_service:
$ref: '#/components/schemas/Cases_external_service'
id:
example: 66b9aa00-94fa-11ea-9f74-e7e108796192
type: string
incremental_id:
description: |
A monotonically increasing number assigned to each case, unique per space. This value is generated asynchronously after the case is created and may not be present immediately in the response.
example: 1
nullable: true
type: integer
observables:
description: Observables attached to the case.
items:
$ref: '#/components/schemas/Cases_case_observable'
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
settings:
$ref: '#/components/schemas/Cases_settings'
severity:
$ref: '#/components/schemas/Cases_case_severity'
status:
$ref: '#/components/schemas/Cases_case_status'
tags:
example:
- tag-1
items:
type: string
type: array
title:
example: Case title 1
type: string
total_observables:
description: The number of observables attached to the case.
example: 0
nullable: true
type: integer
totalAlerts:
example: 0
type: integer
totalComment:
example: 0
type: integer
totalEvents:
description: The number of events attached to the case.
example: 0
type: integer
updated_at:
format: date-time
nullable: true
type: string
updated_by:
$ref: '#/components/schemas/Cases_case_response_updated_by_properties'
version:
example: WzUzMiwxXQ==
type: string
required:
- closed_at
- closed_by
- comments
- connector
- created_at
- created_by
- description
- duration
- external_service
- id
- observables
- owner
- settings
- severity
- status
- tags
- title
- totalAlerts
- totalComment
- total_observables
- updated_at
- updated_by
- version
Cases_case_response_pushed_by_properties:
nullable: true
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
title: Case response properties for pushed_by
type: object
Cases_case_response_updated_by_properties:
nullable: true
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
title: Case response properties for updated_by
type: object
Cases_case_severity:
description: The severity of the case.
enum:
- critical
- high
- low
- medium
type: string
Cases_case_status:
description: The status of the case.
enum:
- closed
- in-progress
- open
type: string
Cases_case_tags:
description: |
The words and phrases that help categorize cases. It can be an empty array.
items:
maxLength: 256
type: string
maxItems: 200
type: array
Cases_case_title:
description: A title for the case.
maxLength: 160
type: string
Cases_closure_types:
description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`).
enum:
- close-by-pushing
- close-by-user
example: close-by-user
type: string
Cases_connector_properties_cases_webhook:
description: Defines properties for connectors when type is `.cases-webhook`.
type: object
properties:
fields:
example: null
nullable: true
type: string
id:
description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
type: string
name:
description: The name of the connector.
type: string
type:
description: The type of connector.
enum:
- .cases-webhook
example: .cases-webhook
type: string
required:
- fields
- id
- name
- type
title: Create or update case request properties for Cases Webhook connector
Cases_connector_properties_jira:
description: Defines properties for connectors when type is `.jira`.
type: object
properties:
fields:
description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
type: object
properties:
issueType:
description: The type of issue.
nullable: true
type: string
parent:
description: The key of the parent issue, when the issue type is sub-task.
nullable: true
type: string
priority:
description: The priority of the issue.
nullable: true
type: string
required:
- issueType
- parent
- priority
id:
description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
type: string
name:
description: The name of the connector.
type: string
type:
description: The type of connector.
enum:
- .jira
example: .jira
type: string
required:
- fields
- id
- name
- type
title: Create or update case request properties for a Jira connector
Cases_connector_properties_none:
description: Defines properties for connectors when type is `.none`.
type: object
properties:
fields:
description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
example: null
nullable: true
type: string
id:
description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`.
example: none
type: string
name:
description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`.
example: none
type: string
type:
description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`.
enum:
- .none
example: .none
type: string
required:
- fields
- id
- name
- type
title: Create or update case request properties for no connector
Cases_connector_properties_resilient:
description: Defines properties for connectors when type is `.resilient`.
type: object
properties:
fields:
description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
nullable: true
type: object
properties:
issueTypes:
description: The type of incident.
items:
type: string
type: array
severityCode:
description: The severity code of the incident.
type: string
required:
- issueTypes
- severityCode
id:
description: The identifier for the connector.
type: string
name:
description: The name of the connector.
type: string
type:
description: The type of connector.
enum:
- .resilient
example: .resilient
type: string
required:
- fields
- id
- name
- type
title: Create case request properties for an IBM Resilient connector
Cases_connector_properties_servicenow:
description: Defines properties for connectors when type is `.servicenow`.
type: object
properties:
fields:
description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
type: object
properties:
category:
description: The category of the incident.
nullable: true
type: string
impact:
description: The effect an incident had on business.
nullable: true
type: string
severity:
description: The severity of the incident.
nullable: true
type: string
subcategory:
description: The subcategory of the incident.
nullable: true
type: string
urgency:
description: The extent to which the incident resolution can be delayed.
nullable: true
type: string
required:
- category
- impact
- severity
- subcategory
- urgency
id:
description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
type: string
name:
description: The name of the connector.
type: string
type:
description: The type of connector.
enum:
- .servicenow
example: .servicenow
type: string
required:
- fields
- id
- name
- type
title: Create case request properties for a ServiceNow ITSM connector
Cases_connector_properties_servicenow_sir:
description: Defines properties for connectors when type is `.servicenow-sir`.
type: object
properties:
fields:
description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
type: object
properties:
category:
description: The category of the incident.
nullable: true
type: string
destIp:
description: Indicates whether cases will send a comma-separated list of destination IPs.
nullable: true
type: boolean
malwareHash:
description: Indicates whether cases will send a comma-separated list of malware hashes.
nullable: true
type: boolean
malwareUrl:
description: Indicates whether cases will send a comma-separated list of malware URLs.
nullable: true
type: boolean
priority:
description: The priority of the issue.
nullable: true
type: string
sourceIp:
description: Indicates whether cases will send a comma-separated list of source IPs.
nullable: true
type: boolean
subcategory:
description: The subcategory of the incident.
nullable: true
type: string
required:
- category
- destIp
- malwareHash
- malwareUrl
- priority
- sourceIp
- subcategory
id:
description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
type: string
name:
description: The name of the connector.
type: string
type:
description: The type of connector.
enum:
- .servicenow-sir
example: .servicenow-sir
type: string
required:
- fields
- id
- name
- type
title: Create case request properties for a ServiceNow SecOps connector
Cases_connector_properties_swimlane:
description: Defines properties for connectors when type is `.swimlane`.
type: object
properties:
fields:
description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
type: object
properties:
caseId:
description: The case identifier for Swimlane connectors.
nullable: true
type: string
required:
- caseId
id:
description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
type: string
name:
description: The name of the connector.
type: string
type:
description: The type of connector.
enum:
- .swimlane
example: .swimlane
type: string
required:
- fields
- id
- name
- type
title: Create case request properties for a Swimlane connector
Cases_connector_types:
description: The type of connector.
enum:
- .cases-webhook
- .jira
- .none
- .resilient
- .servicenow
- .servicenow-sir
- .swimlane
example: .none
type: string
Cases_create_case_request:
description: The create case API request body varies depending on the type of connector.
properties:
assignees:
$ref: '#/components/schemas/Cases_assignees'
category:
$ref: '#/components/schemas/Cases_case_category'
connector:
oneOf:
- $ref: '#/components/schemas/Cases_connector_properties_none'
- $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
- $ref: '#/components/schemas/Cases_connector_properties_jira'
- $ref: '#/components/schemas/Cases_connector_properties_resilient'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
- $ref: '#/components/schemas/Cases_connector_properties_swimlane'
customFields:
description: |
Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
items:
type: object
properties:
key:
description: |
The unique identifier for the custom field. The key value must exist in the case configuration settings.
type: string
type:
description: |
The custom field type. It must match the type specified in the case configuration settings.
enum:
- text
- toggle
type: string
value:
description: |
The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
oneOf:
- maxLength: 160
minLength: 1
nullable: true
type: string
- type: boolean
required:
- key
- type
- value
maxItems: 10
minItems: 0
type: array
description:
$ref: '#/components/schemas/Cases_case_description'
owner:
$ref: '#/components/schemas/Cases_owner'
settings:
$ref: '#/components/schemas/Cases_settings'
severity:
$ref: '#/components/schemas/Cases_case_severity'
tags:
$ref: '#/components/schemas/Cases_case_tags'
title:
$ref: '#/components/schemas/Cases_case_title'
required:
- connector
- description
- owner
- settings
- tags
- title
title: Create case request
type: object
Cases_event_comment_response_properties:
title: Case response properties for event comments
type: object
properties:
created_at:
example: '2022-05-13T09:16:17.416Z'
format: date-time
type: string
created_by:
$ref: '#/components/schemas/Cases_case_response_created_by_properties'
eventId:
items:
example: 7605e6a6f9f4f990ad9f8f6901e5f082f1f1f1665cbaf2f0f2c6f8f6b0d8a39f
type: string
type: array
id:
example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
type: string
index:
items:
example: .internal.alerts-security.alerts-default-000001
type: string
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
pushed_at:
example: null
format: date-time
nullable: true
type: string
pushed_by:
$ref: '#/components/schemas/Cases_case_response_pushed_by_properties'
type:
enum:
- event
example: event
type: string
updated_at:
example: null
format: date-time
nullable: true
type: string
updated_by:
$ref: '#/components/schemas/Cases_case_response_updated_by_properties'
version:
example: WzIwNDMxLDFd
type: string
required:
- type
Cases_external_service:
nullable: true
type: object
properties:
connector_id:
type: string
connector_name:
type: string
external_id:
type: string
external_title:
type: string
external_url:
type: string
pushed_at:
format: date-time
type: string
pushed_by:
nullable: true
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
Cases_find_comments_response:
title: Find case comments response
type: object
properties:
comments:
description: Paginated list of user comments for the case.
items:
$ref: '#/components/schemas/Cases_user_comment_response_properties'
type: array
page:
description: The current page index.
type: integer
per_page:
description: The number of items per page.
type: integer
total:
description: The total number of comments.
type: integer
required:
- comments
- page
- per_page
- total
Cases_owner:
description: |
The application that owns the cases: Stack Management, Observability, or Elastic Security.
enum:
- cases
- observability
- securitySolution
example: cases
type: string
Cases_owners:
items:
$ref: '#/components/schemas/Cases_owner'
type: array
Cases_payload_alert_comment:
type: object
properties:
comment:
type: object
properties:
alertId:
oneOf:
- example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d
type: string
- items:
type: string
type: array
index:
oneOf:
- example: .alerts-observability.logs.alerts-default
type: string
- items:
type: string
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
rule:
type: object
properties:
id:
description: The rule identifier.
example: 94d80550-aaf4-11ec-985f-97e55adae8b9
nullable: true
type: string
name:
description: The rule name.
example: security_rule
nullable: true
type: string
type:
enum:
- alert
type: string
Cases_payload_assignees:
type: object
properties:
assignees:
$ref: '#/components/schemas/Cases_assignees'
Cases_payload_connector:
type: object
properties:
connector:
type: object
properties:
fields:
description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
example: null
nullable: true
type: object
properties:
caseId:
description: The case identifier for Swimlane connectors.
type: string
category:
description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
type: string
destIp:
description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
nullable: true
type: boolean
impact:
description: The effect an incident had on business for ServiceNow ITSM connectors.
type: string
issueType:
description: The type of issue for Jira connectors.
type: string
issueTypes:
description: The type of incident for IBM Resilient connectors.
items:
type: string
type: array
malwareHash:
description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
nullable: true
type: boolean
malwareUrl:
description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
nullable: true
type: boolean
parent:
description: The key of the parent issue, when the issue type is sub-task for Jira connectors.
type: string
priority:
description: The priority of the issue for Jira and ServiceNow SecOps connectors.
type: string
severity:
description: The severity of the incident for ServiceNow ITSM connectors.
type: string
severityCode:
description: The severity code of the incident for IBM Resilient connectors.
type: string
sourceIp:
description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
nullable: true
type: boolean
subcategory:
description: The subcategory of the incident for ServiceNow ITSM connectors.
type: string
urgency:
description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
type: string
id:
description: The identifier for the connector. To create a case without a connector, use `none`.
example: none
type: string
name:
description: The name of the connector. To create a case without a connector, use `none`.
example: none
type: string
type:
$ref: '#/components/schemas/Cases_connector_types'
Cases_payload_create_case:
type: object
properties:
assignees:
$ref: '#/components/schemas/Cases_assignees'
connector:
type: object
properties:
fields:
description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
example: null
nullable: true
type: object
properties:
caseId:
description: The case identifier for Swimlane connectors.
type: string
category:
description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
type: string
destIp:
description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
nullable: true
type: boolean
impact:
description: The effect an incident had on business for ServiceNow ITSM connectors.
type: string
issueType:
description: The type of issue for Jira connectors.
type: string
issueTypes:
description: The type of incident for IBM Resilient connectors.
items:
type: string
type: array
malwareHash:
description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
nullable: true
type: boolean
malwareUrl:
description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
nullable: true
type: boolean
parent:
description: The key of the parent issue, when the issue type is sub-task for Jira connectors.
type: string
priority:
description: The priority of the issue for Jira and ServiceNow SecOps connectors.
type: string
severity:
description: The severity of the incident for ServiceNow ITSM connectors.
type: string
severityCode:
description: The severity code of the incident for IBM Resilient connectors.
type: string
sourceIp:
description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
nullable: true
type: boolean
subcategory:
description: The subcategory of the incident for ServiceNow ITSM connectors.
type: string
urgency:
description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
type: string
id:
description: The identifier for the connector. To create a case without a connector, use `none`.
example: none
type: string
name:
description: The name of the connector. To create a case without a connector, use `none`.
example: none
type: string
type:
$ref: '#/components/schemas/Cases_connector_types'
description:
type: string
owner:
$ref: '#/components/schemas/Cases_owner'
settings:
$ref: '#/components/schemas/Cases_settings'
severity:
$ref: '#/components/schemas/Cases_case_severity'
status:
$ref: '#/components/schemas/Cases_case_status'
tags:
example:
- tag-1
items:
type: string
type: array
title:
type: string
Cases_payload_delete:
description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable.
nullable: true
type: object
Cases_payload_description:
type: object
properties:
description:
type: string
Cases_payload_pushed:
type: object
properties:
externalService:
$ref: '#/components/schemas/Cases_external_service'
Cases_payload_settings:
type: object
properties:
settings:
$ref: '#/components/schemas/Cases_settings'
Cases_payload_severity:
type: object
properties:
severity:
$ref: '#/components/schemas/Cases_case_severity'
Cases_payload_status:
type: object
properties:
status:
$ref: '#/components/schemas/Cases_case_status'
Cases_payload_tags:
type: object
properties:
tags:
example:
- tag-1
items:
type: string
type: array
Cases_payload_title:
type: object
properties:
title:
type: string
Cases_payload_user_comment:
type: object
properties:
comment:
type: object
properties:
comment:
type: string
owner:
$ref: '#/components/schemas/Cases_owner'
type:
enum:
- user
type: string
Cases_related_case:
description: |
Summary of a case returned when listing cases that contain a given alert. This is a subset of the full case response.
properties:
createdAt:
description: When the case was created.
format: date-time
type: string
description:
description: The case description.
type: string
id:
description: The case identifier.
type: string
status:
$ref: '#/components/schemas/Cases_case_status'
title:
description: The case title.
type: string
totals:
$ref: '#/components/schemas/Cases_attachment_totals'
required:
- id
- title
- description
- status
- createdAt
- totals
title: Related case
type: object
Cases_response_4xx:
properties:
error:
example: Unauthorized
type: string
message:
type: string
statusCode:
example: 401
type: integer
title: Unsuccessful cases API response
type: object
Cases_rule:
description: |
The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
title: Alerting rule
type: object
properties:
id:
description: The rule identifier.
example: 94d80550-aaf4-11ec-985f-97e55adae8b9
type: string
name:
description: The rule name.
example: security_rule
type: string
x-state: Technical preview
Cases_searchFieldsType:
description: The fields to perform the `simple_query_string` parsed query against.
enum:
- description
- title
type: string
Cases_searchFieldsTypeArray:
items:
$ref: '#/components/schemas/Cases_searchFieldsType'
type: array
Cases_set_case_configuration_request:
description: External connection details, such as the closure type and default connector for cases.
properties:
closure_type:
$ref: '#/components/schemas/Cases_closure_types'
connector:
description: An object that contains the connector configuration.
type: object
properties:
fields:
description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
nullable: true
type: object
id:
description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
example: none
type: string
name:
description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
example: none
type: string
type:
$ref: '#/components/schemas/Cases_connector_types'
required:
- fields
- id
- name
- type
customFields:
description: Custom fields case configuration.
items:
type: object
properties:
defaultValue:
description: |
A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
oneOf:
- type: string
- type: boolean
key:
description: |
A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
maxLength: 36
minLength: 1
type: string
label:
description: The custom field label that is displayed in the case.
maxLength: 50
minLength: 1
type: string
type:
description: The type of the custom field.
enum:
- text
- toggle
type: string
required:
description: |
Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
type: boolean
required:
- key
- label
- required
- type
maxItems: 10
minItems: 0
type: array
owner:
$ref: '#/components/schemas/Cases_owner'
templates:
$ref: '#/components/schemas/Cases_templates'
required:
- closure_type
- connector
- owner
title: Set case configuration request
type: object
Cases_settings:
description: An object that contains the case settings.
type: object
properties:
extractObservables:
description: |
When true, observables (e.g. IPs, hashes, URLs) are automatically extracted from case comments. Optional; defaults to false when omitted.
example: false
type: boolean
syncAlerts:
description: Turns alert syncing on or off.
example: true
type: boolean
required:
- syncAlerts
Cases_string:
type: string
Cases_string_array:
items:
$ref: '#/components/schemas/Cases_string'
maxItems: 100
type: array
Cases_template_tags:
description: |
The words and phrases that help categorize templates. It can be an empty array.
items:
maxLength: 256
type: string
maxItems: 200
type: array
Cases_templates:
items:
type: object
properties:
caseFields:
type: object
properties:
assignees:
$ref: '#/components/schemas/Cases_assignees'
category:
$ref: '#/components/schemas/Cases_case_category'
connector:
type: object
properties:
fields:
description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
nullable: true
type: object
id:
description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
example: none
type: string
name:
description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
example: none
type: string
type:
$ref: '#/components/schemas/Cases_connector_types'
customFields:
description: Custom field values in the template.
items:
type: object
properties:
key:
description: The unique key for the custom field.
type: string
type:
description: The type of the custom field.
enum:
- text
- toggle
type: string
value:
description: |
The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
oneOf:
- type: string
- type: boolean
type: array
x-state: Technical preview
description:
$ref: '#/components/schemas/Cases_case_description'
settings:
$ref: '#/components/schemas/Cases_settings'
severity:
$ref: '#/components/schemas/Cases_case_severity'
tags:
$ref: '#/components/schemas/Cases_case_tags'
title:
$ref: '#/components/schemas/Cases_case_title'
description:
description: A description for the template.
type: string
key:
description: |
A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
type: string
name:
description: The name of the template.
type: string
tags:
$ref: '#/components/schemas/Cases_template_tags'
type: array
x-state: Technical preview
Cases_update_alert_comment_request_properties:
description: Defines properties for case comment requests when type is alert.
type: object
properties:
alertId:
$ref: '#/components/schemas/Cases_alert_identifiers'
id:
description: |
The identifier for the comment. To retrieve comment IDs, use the get comments API.
example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
type: string
index:
$ref: '#/components/schemas/Cases_alert_indices'
owner:
$ref: '#/components/schemas/Cases_owner'
rule:
$ref: '#/components/schemas/Cases_rule'
type:
description: The type of comment.
enum:
- alert
example: alert
type: string
version:
description: |
The current comment version. To retrieve version values, use the get comments API.
example: Wzk1LDFd
type: string
required:
- alertId
- id
- index
- owner
- rule
- type
- version
title: Update case comment request properties for alerts
Cases_update_case_comment_request:
description: The update case comment API request body varies depending on whether you are updating an alert or a comment.
discriminator:
mapping:
alert: '#/components/schemas/Cases_update_alert_comment_request_properties'
user: '#/components/schemas/Cases_update_user_comment_request_properties'
propertyName: type
oneOf:
- $ref: '#/components/schemas/Cases_update_alert_comment_request_properties'
- $ref: '#/components/schemas/Cases_update_user_comment_request_properties'
title: Update case comment request
Cases_update_case_configuration_request:
description: |
You can update settings such as the closure type, custom fields, templates, and the default connector for cases.
properties:
closure_type:
$ref: '#/components/schemas/Cases_closure_types'
connector:
description: An object that contains the connector configuration.
type: object
properties:
fields:
description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
nullable: true
type: object
id:
description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
example: none
type: string
name:
description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
example: none
type: string
type:
$ref: '#/components/schemas/Cases_connector_types'
required:
- fields
- id
- name
- type
customFields:
description: Custom fields case configuration.
items:
type: object
properties:
defaultValue:
description: |
A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
oneOf:
- type: string
- type: boolean
key:
description: |
A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
maxLength: 36
minLength: 1
type: string
label:
description: The custom field label that is displayed in the case.
maxLength: 50
minLength: 1
type: string
type:
description: The type of the custom field.
enum:
- text
- toggle
type: string
required:
description: |
Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
type: boolean
required:
- key
- label
- required
- type
type: array
templates:
$ref: '#/components/schemas/Cases_templates'
version:
description: |
The version of the connector. To retrieve the version value, use the get configuration API.
example: WzIwMiwxXQ==
type: string
required:
- version
title: Update case configuration request
type: object
Cases_update_case_request:
description: The update case API request body varies depending on the type of connector.
properties:
cases:
description: An array containing one or more case objects.
items:
type: object
properties:
assignees:
$ref: '#/components/schemas/Cases_assignees'
category:
$ref: '#/components/schemas/Cases_case_category'
closeReason:
$ref: '#/components/schemas/Cases_case_close_sync_reason'
connector:
oneOf:
- $ref: '#/components/schemas/Cases_connector_properties_none'
- $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
- $ref: '#/components/schemas/Cases_connector_properties_jira'
- $ref: '#/components/schemas/Cases_connector_properties_resilient'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow'
- $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
- $ref: '#/components/schemas/Cases_connector_properties_swimlane'
customFields:
description: |
Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
items:
type: object
properties:
key:
description: |
The unique identifier for the custom field. The key value must exist in the case configuration settings.
type: string
type:
description: |
The custom field type. It must match the type specified in the case configuration settings.
enum:
- text
- toggle
type: string
value:
description: |
The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
oneOf:
- maxLength: 160
minLength: 1
nullable: true
type: string
- type: boolean
required:
- key
- type
- value
maxItems: 10
minItems: 0
type: array
description:
$ref: '#/components/schemas/Cases_case_description'
id:
description: The identifier for the case.
maxLength: 30000
type: string
settings:
$ref: '#/components/schemas/Cases_settings'
severity:
$ref: '#/components/schemas/Cases_case_severity'
status:
$ref: '#/components/schemas/Cases_case_status'
tags:
$ref: '#/components/schemas/Cases_case_tags'
title:
$ref: '#/components/schemas/Cases_case_title'
version:
description: |
The current version of the case. To determine this value, use the get case or search cases (`_find`) APIs.
type: string
required:
- id
- version
maxItems: 100
minItems: 1
type: array
required:
- cases
title: Update case request
type: object
Cases_update_user_comment_request_properties:
description: Defines properties for case comment requests when type is user.
properties:
comment:
description: The new comment. It is required only when `type` is `user`.
example: A new comment.
maxLength: 30000
type: string
id:
description: |
The identifier for the comment. To retrieve comment IDs, use the get comments API.
example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
type: string
owner:
$ref: '#/components/schemas/Cases_owner'
type:
description: The type of comment.
enum:
- user
example: user
type: string
version:
description: |
The current comment version. To retrieve version values, use the get comments API.
example: Wzk1LDFd
type: string
required:
- comment
- id
- owner
- type
- version
title: Update case comment request properties for user comments
type: object
Cases_user_actions_find_response_properties:
type: object
properties:
action:
$ref: '#/components/schemas/Cases_actions'
comment_id:
example: 578608d0-03b1-11ed-920c-974bfa104448
nullable: true
type: string
created_at:
example: '2022-05-13T09:16:17.416Z'
format: date-time
type: string
created_by:
type: object
properties:
email:
example: null
nullable: true
type: string
full_name:
example: null
nullable: true
type: string
profile_uid:
example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0
type: string
username:
example: elastic
nullable: true
type: string
required:
- email
- full_name
- username
id:
example: 22fd3e30-03b1-11ed-920c-974bfa104448
type: string
owner:
$ref: '#/components/schemas/Cases_owner'
payload:
oneOf:
- $ref: '#/components/schemas/Cases_payload_alert_comment'
- $ref: '#/components/schemas/Cases_payload_assignees'
- $ref: '#/components/schemas/Cases_payload_connector'
- $ref: '#/components/schemas/Cases_payload_create_case'
- $ref: '#/components/schemas/Cases_payload_delete'
- $ref: '#/components/schemas/Cases_payload_description'
- $ref: '#/components/schemas/Cases_payload_pushed'
- $ref: '#/components/schemas/Cases_payload_settings'
- $ref: '#/components/schemas/Cases_payload_severity'
- $ref: '#/components/schemas/Cases_payload_status'
- $ref: '#/components/schemas/Cases_payload_tags'
- $ref: '#/components/schemas/Cases_payload_title'
- $ref: '#/components/schemas/Cases_payload_user_comment'
type:
description: The type of action.
enum:
- assignees
- category
- comment
- connector
- create_case
- customFields
- delete_case
- description
- extended_fields
- observables
- pushed
- settings
- severity
- status
- tags
- title
example: create_case
type: string
version:
example: WzM1ODg4LDFd
type: string
required:
- action
- comment_id
- created_at
- created_by
- id
- owner
- payload
- type
- version
Cases_user_comment_response_properties:
title: Case response properties for user comments
type: object
properties:
comment:
example: A new comment.
type: string
created_at:
example: '2022-05-13T09:16:17.416Z'
format: date-time
type: string
created_by:
$ref: '#/components/schemas/Cases_case_response_created_by_properties'
id:
example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6
type: string
owner:
$ref: '#/components/schemas/Cases_owner'
pushed_at:
example: null
format: date-time
nullable: true
type: string
pushed_by:
$ref: '#/components/schemas/Cases_case_response_pushed_by_properties'
type:
enum:
- user
example: user
type: string
updated_at:
example: null
format: date-time
nullable: true
type: string
updated_by:
$ref: '#/components/schemas/Cases_case_response_updated_by_properties'
version:
example: WzIwNDMxLDFd
type: string
required:
- type
Data_views_400_response:
title: Bad request
type: object
properties:
error:
example: Bad Request
type: string
message:
type: string
statusCode:
example: 400
type: number
required:
- statusCode
- error
- message
Data_views_404_response:
type: object
properties:
error:
enum:
- Not Found
example: Not Found
type: string
message:
example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found
type: string
statusCode:
enum:
- 404
example: 404
type: integer
Data_views_allownoindex:
description: Allows the data view saved object to exist before the data is available. Defaults to `false`.
type: boolean
Data_views_create_data_view_request_object:
title: Create data view request
type: object
properties:
data_view:
description: The data view object.
type: object
properties:
allowNoIndex:
$ref: '#/components/schemas/Data_views_allownoindex'
fieldAttrs:
additionalProperties:
$ref: '#/components/schemas/Data_views_fieldattrs'
type: object
fieldFormats:
$ref: '#/components/schemas/Data_views_fieldformats'
fields:
type: object
id:
type: string
name:
description: The data view name.
type: string
namespaces:
$ref: '#/components/schemas/Data_views_namespaces'
runtimeFieldMap:
additionalProperties:
$ref: '#/components/schemas/Data_views_runtimefieldmap'
type: object
sourceFilters:
$ref: '#/components/schemas/Data_views_sourcefilters'
timeFieldName:
$ref: '#/components/schemas/Data_views_timefieldname'
title:
$ref: '#/components/schemas/Data_views_title'
type:
$ref: '#/components/schemas/Data_views_type'
typeMeta:
$ref: '#/components/schemas/Data_views_typemeta'
version:
type: string
required:
- title
override:
default: false
description: Override an existing data view if a data view with the provided title already exists.
type: boolean
required:
- data_view
Data_views_data_view_response_object:
title: Data view response properties
type: object
properties:
data_view:
type: object
properties:
allowNoIndex:
$ref: '#/components/schemas/Data_views_allownoindex'
fieldAttrs:
additionalProperties:
$ref: '#/components/schemas/Data_views_fieldattrs'
type: object
fieldFormats:
$ref: '#/components/schemas/Data_views_fieldformats'
fields:
type: object
id:
example: ff959d40-b880-11e8-a6d9-e546fe2bba5f
type: string
name:
description: The data view name.
type: string
namespaces:
$ref: '#/components/schemas/Data_views_namespaces'
runtimeFieldMap:
additionalProperties:
$ref: '#/components/schemas/Data_views_runtimefieldmap'
type: object
sourceFilters:
$ref: '#/components/schemas/Data_views_sourcefilters'
timeFieldName:
$ref: '#/components/schemas/Data_views_timefieldname'
title:
$ref: '#/components/schemas/Data_views_title'
typeMeta:
$ref: '#/components/schemas/Data_views_typemeta_response'
version:
example: WzQ2LDJd
type: string
Data_views_fieldattrs:
description: A map of field attributes by field name.
type: object
properties:
count:
description: Popularity count for the field.
type: integer
customDescription:
description: Custom description for the field.
maxLength: 300
type: string
customLabel:
description: Custom label for the field.
type: string
Data_views_fieldformats:
description: A map of field formats by field name.
type: object
Data_views_namespaces:
description: An array of space identifiers for sharing the data view between multiple spaces.
items:
default: default
type: string
type: array
Data_views_runtimefieldmap:
description: A map of runtime field definitions by field name.
type: object
properties:
script:
type: object
properties:
source:
description: Script for the runtime field.
type: string
type:
description: Mapping type of the runtime field.
type: string
required:
- script
- type
Data_views_sourcefilters:
description: The array of field names you want to filter out in Discover.
items:
type: object
properties:
value:
type: string
required:
- value
type: array
Data_views_swap_data_view_request_object:
title: Data view reference swap request
type: object
properties:
delete:
description: Deletes referenced saved object if all references are removed.
type: boolean
forId:
description: Limit the affected saved objects to one or more by identifier.
oneOf:
- type: string
- items:
type: string
type: array
forType:
description: Limit the affected saved objects by type.
type: string
fromId:
description: The saved object reference to change.
type: string
fromType:
description: |
Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views.
type: string
toId:
description: New saved object reference value to replace the old value.
type: string
required:
- fromId
- toId
Data_views_timefieldname:
description: The timestamp field name, which you use for time-based data views.
type: string
Data_views_title:
description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`).
type: string
Data_views_type:
description: When set to `rollup`, identifies the rollup data views.
type: string
Data_views_typemeta:
description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
type: object
properties:
aggs:
description: A map of rollup restrictions by aggregation type and field name.
type: object
params:
description: Properties for retrieving rollup fields.
type: object
required:
- aggs
- params
Data_views_typemeta_response:
description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
nullable: true
type: object
properties:
aggs:
description: A map of rollup restrictions by aggregation type and field name.
type: object
params:
description: Properties for retrieving rollup fields.
type: object
Data_views_update_data_view_request_object:
title: Update data view request
type: object
properties:
data_view:
description: |
The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.
type: object
properties:
allowNoIndex:
$ref: '#/components/schemas/Data_views_allownoindex'
fieldFormats:
$ref: '#/components/schemas/Data_views_fieldformats'
fields:
type: object
name:
type: string
runtimeFieldMap:
additionalProperties:
$ref: '#/components/schemas/Data_views_runtimefieldmap'
type: object
sourceFilters:
$ref: '#/components/schemas/Data_views_sourcefilters'
timeFieldName:
$ref: '#/components/schemas/Data_views_timefieldname'
title:
$ref: '#/components/schemas/Data_views_title'
type:
$ref: '#/components/schemas/Data_views_type'
typeMeta:
$ref: '#/components/schemas/Data_views_typemeta'
refresh_fields:
default: false
description: Reloads the data view fields after the data view is updated.
type: boolean
required:
- data_view
Kibana_HTTP_APIs_apm-anomaly-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the APM anomaly rule. These parameters are appropriate when `rule_type_id` is `apm.anomaly`.
properties:
anomalyDetectorTypes:
description: The types of anomalies that are detected. For example, detect abnormal latency, throughput, or failed transaction rates.
items:
enum:
- txLatency
- txThroughput
- txFailureRate
type: string
minItems: 1
type: array
anomalySeverityType:
description: 'The severity of anomalies that result in an alert: critical, major, minor, or warning.'
enum:
- critical
- major
- minor
- warning
type: string
environment:
description: The environment from APM.
type: string
serviceName:
description: The service name from APM.
type: string
transactionType:
description: The transaction type from APM.
type: string
windowSize:
description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
type: number
windowUnit:
description: 'The type of units for the time window: minutes, hours, or days.'
type: string
required:
- windowSize
- windowUnit
- environment
- anomalySeverityType
title: APM Anomaly Rule Params
type: object
rule_type_id:
enum:
- apm.anomaly
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: APM anomaly
type: object
Kibana_HTTP_APIs_apm-error-rate-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the error count rule. These parameters are appropriate when `rule_type_id` is `apm.error_rate`.
properties:
environment:
description: Filter the errors coming from your application to apply the rule to a specific environment.
type: string
errorGroupingKey:
description: Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.
type: string
groupBy:
items:
description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.
type: string
type: array
searchConfiguration:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
language:
type: string
query:
anyOf:
- type: string
- additionalProperties:
nullable: true
type: object
required:
- query
- language
required:
- query
serviceName:
description: Filter the errors coming from your application to apply the rule to a specific service.
type: string
threshold:
description: The number of errors, which is the threshold for alerts.
type: number
useKqlFilter:
description: A filter in Kibana Query Language (KQL) that limits the scope of the rule.
type: boolean
windowSize:
description: The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection.
type: number
windowUnit:
description: 'The type of units for the time window: minutes, hours, or days.'
type: string
required:
- windowSize
- windowUnit
- threshold
- environment
title: Error Count Rule Params
type: object
rule_type_id:
enum:
- apm.error_rate
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Error rate
type: object
Kibana_HTTP_APIs_apm-transaction-duration-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the transaction duration rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_duration`.
properties:
aggregationType:
description: The type of aggregation to perform.
enum:
- avg
- 95th
- 99th
type: string
environment:
description: Filter the rule to apply to a specific environment.
type: string
groupBy:
items:
description: Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.
type: string
type: array
searchConfiguration:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
language:
type: string
query:
anyOf:
- type: string
- additionalProperties:
nullable: true
type: object
required:
- query
- language
required:
- query
serviceName:
description: Filter the rule to apply to a specific service.
type: string
threshold:
description: The latency threshold value.
type: number
transactionName:
description: Filter the rule to apply to a specific transaction name.
type: string
transactionType:
description: Filter the rule to apply to a specific transaction type.
type: string
useKqlFilter:
description: A Kibana Query Language (KQL) expression that limits the scope of alerts.
type: boolean
windowSize:
description: The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
type: number
windowUnit:
description: 'The type of units for the time window. For example: minutes, hours, or days.'
type: string
required:
- windowSize
- windowUnit
- threshold
- aggregationType
- environment
title: Transaction Duration Rule Params
type: object
rule_type_id:
enum:
- apm.transaction_duration
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Transaction duration
type: object
Kibana_HTTP_APIs_apm-transaction-error-rate-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the transaction error rate rule. These parameters are appropriate when `rule_type_id` is `apm.transaction_error_rate`.
properties:
environment:
type: string
groupBy:
items:
type: string
type: array
searchConfiguration:
additionalProperties: false
type: object
properties:
query:
additionalProperties: false
type: object
properties:
language:
type: string
query:
anyOf:
- type: string
- additionalProperties:
nullable: true
type: object
required:
- query
- language
required:
- query
serviceName:
type: string
threshold:
type: number
transactionName:
type: string
transactionType:
type: string
useKqlFilter:
type: boolean
windowSize:
type: number
windowUnit:
type: string
required:
- windowSize
- windowUnit
- threshold
- environment
title: Transaction Error Rate Rule Params
type: object
rule_type_id:
enum:
- apm.transaction_error_rate
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Transaction error rate
type: object
Kibana_HTTP_APIs_ClassicFieldDefinition:
additionalProperties:
$ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinitionConfig'
type: object
Kibana_HTTP_APIs_ClassicFieldDefinitionConfig:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord'
- anyOf:
- additionalProperties: false
type: object
properties:
description:
type: string
format:
description: A non-empty string.
minLength: 1
type: string
type:
enum:
- keyword
- match_only_text
- long
- double
- date
- boolean
- ip
- geo_point
- integer
- short
- byte
- float
- half_float
- text
- wildcard
- version
- unsigned_long
- date_nanos
type: string
required:
- type
- additionalProperties: false
type: object
properties:
description:
type: string
type:
enum:
- system
type: string
required:
- type
Kibana_HTTP_APIs_ClassicStreamUpsertRequest:
additionalProperties: false
type: object
properties:
dashboards:
items:
type: string
type: array
queries:
items:
type: object
properties:
description:
type: string
esql:
type: object
properties:
query:
type: string
required:
- query
evidence:
items:
type: string
type: array
id:
description: A non-empty string.
minLength: 1
type: string
severity_score:
type: number
title:
description: A non-empty string.
minLength: 1
type: string
type:
default: match
enum:
- match
- stats
type: string
required:
- id
- title
- description
- esql
type: array
rules:
items:
type: string
type: array
stream:
additionalProperties: false
type: object
properties:
description:
type: string
ingest:
additionalProperties: false
type: object
properties:
classic:
additionalProperties: false
type: object
properties:
field_overrides:
$ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicFieldDefinition'
failure_store:
$ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore'
lifecycle:
$ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle'
processing:
additionalProperties: false
type: object
properties:
steps:
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
type: array
updated_at: {}
required:
- steps
settings:
additionalProperties: false
type: object
properties:
index.number_of_replicas:
additionalProperties: false
type: object
properties:
value:
type: number
required:
- value
index.number_of_shards:
additionalProperties: false
type: object
properties:
value:
type: number
required:
- value
index.refresh_interval:
additionalProperties: false
type: object
properties:
value:
anyOf:
- type: string
- enum:
- -1
type: number
required:
- value
required:
- lifecycle
- processing
- settings
- failure_store
- classic
query_streams:
items:
type: object
properties:
name:
type: string
required:
- name
type: array
type:
enum:
- classic
type: string
required:
- description
- ingest
- type
required:
- dashboards
- rules
- queries
- stream
Kibana_HTTP_APIs_Condition:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_FilterCondition'
- additionalProperties: false
description: A logical AND that groups multiple conditions.
type: object
properties:
and:
description: An array of conditions. All sub-conditions must be true for this condition to be true.
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
type: array
required:
- and
- additionalProperties: false
description: A logical OR that groups multiple conditions.
type: object
properties:
or:
description: An array of conditions. At least one sub-condition must be true for this condition to be true.
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
type: array
required:
- or
- additionalProperties: false
description: A logical NOT that negates a condition.
type: object
properties:
not:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: A condition that negates another condition.
required:
- not
- additionalProperties: false
description: A condition that always evaluates to false.
type: object
properties:
never:
additionalProperties: false
description: An empty object. This condition never matches.
type: object
properties: {}
required:
- never
- additionalProperties: false
description: A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
type: object
properties:
always:
additionalProperties: false
description: An empty object. This condition always matches.
type: object
properties: {}
required:
- always
description: The root condition object. It can be a simple filter or a combination of other conditions.
Kibana_HTTP_APIs_ConditionWithSteps:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
- additionalProperties: false
type: object
properties:
else:
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
type: array
steps:
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
type: array
required:
- steps
Kibana_HTTP_APIs_ContentPackIncludedObjects:
anyOf:
- additionalProperties: false
type: object
properties:
objects:
additionalProperties: false
type: object
properties:
all:
additionalProperties: false
type: object
properties: {}
required:
- all
required:
- objects
- additionalProperties: false
type: object
properties:
objects:
additionalProperties: false
type: object
properties:
mappings:
type: boolean
queries:
items:
type: object
properties:
id:
type: string
required:
- id
type: array
routing:
items:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_ContentPackIncludedObjects'
- type: object
properties:
destination:
type: string
required:
- destination
type: array
required:
- mappings
- queries
- routing
required:
- objects
Kibana_HTTP_APIs_core_status_redactedResponse:
additionalProperties: false
description: A minimal representation of Kibana's operational status.
properties:
status:
additionalProperties: false
type: object
properties:
overall:
additionalProperties: false
type: object
properties:
level:
description: Service status levels as human and machine readable values.
enum:
- available
- degraded
- unavailable
- critical
type: string
required:
- level
required:
- overall
required:
- status
title: core_status_redactedResponse
type: object
Kibana_HTTP_APIs_core_status_response:
additionalProperties: false
description: Kibana's operational status, a detailed breakdown of plugin statuses, and an indication of various loads (like event loop utilization and network traffic) at the time of the request.
properties:
metrics:
additionalProperties: false
description: Metric groups collected by Kibana.
type: object
properties:
collection_interval_in_millis:
description: The interval at which metrics should be collected.
type: number
elasticsearch_client:
additionalProperties: false
description: Current network metrics of Kibana's Elasticsearch client.
type: object
properties:
totalActiveSockets:
description: Count of network sockets currently in use.
type: number
totalIdleSockets:
description: Count of network sockets currently idle.
type: number
totalQueuedRequests:
description: Count of requests not yet assigned to sockets.
type: number
required:
- totalActiveSockets
- totalIdleSockets
- totalQueuedRequests
last_updated:
description: The time metrics were collected.
type: string
required:
- elasticsearch_client
- last_updated
- collection_interval_in_millis
name:
description: Kibana instance name.
type: string
status:
additionalProperties: false
type: object
properties:
core:
additionalProperties: false
description: Statuses of core Kibana services.
type: object
properties:
elasticsearch:
additionalProperties: false
type: object
properties:
detail:
description: Human readable detail of the service status.
type: string
documentationUrl:
description: A URL to further documentation regarding this service.
type: string
level:
description: Service status levels as human and machine readable values.
enum:
- available
- degraded
- unavailable
- critical
type: string
meta:
additionalProperties:
nullable: true
description: An unstructured set of extra metadata about this service.
type: object
summary:
description: A human readable summary of the service status.
type: string
required:
- level
- summary
- meta
http:
additionalProperties: false
type: object
properties:
detail:
description: Human readable detail of the service status.
type: string
documentationUrl:
description: A URL to further documentation regarding this service.
type: string
level:
description: Service status levels as human and machine readable values.
enum:
- available
- degraded
- unavailable
- critical
type: string
meta:
additionalProperties:
nullable: true
description: An unstructured set of extra metadata about this service.
type: object
summary:
description: A human readable summary of the service status.
type: string
required:
- level
- summary
- meta
savedObjects:
additionalProperties: false
type: object
properties:
detail:
description: Human readable detail of the service status.
type: string
documentationUrl:
description: A URL to further documentation regarding this service.
type: string
level:
description: Service status levels as human and machine readable values.
enum:
- available
- degraded
- unavailable
- critical
type: string
meta:
additionalProperties:
nullable: true
description: An unstructured set of extra metadata about this service.
type: object
summary:
description: A human readable summary of the service status.
type: string
required:
- level
- summary
- meta
required:
- elasticsearch
- savedObjects
overall:
additionalProperties: false
type: object
properties:
detail:
description: Human readable detail of the service status.
type: string
documentationUrl:
description: A URL to further documentation regarding this service.
type: string
level:
description: Service status levels as human and machine readable values.
enum:
- available
- degraded
- unavailable
- critical
type: string
meta:
additionalProperties:
nullable: true
description: An unstructured set of extra metadata about this service.
type: object
summary:
description: A human readable summary of the service status.
type: string
required:
- level
- summary
- meta
plugins:
additionalProperties:
additionalProperties: false
type: object
properties:
detail:
description: Human readable detail of the service status.
type: string
documentationUrl:
description: A URL to further documentation regarding this service.
type: string
level:
description: Service status levels as human and machine readable values.
enum:
- available
- degraded
- unavailable
- critical
type: string
meta:
additionalProperties:
nullable: true
description: An unstructured set of extra metadata about this service.
type: object
summary:
description: A human readable summary of the service status.
type: string
required:
- level
- summary
- meta
description: A dynamic mapping of plugin ID to plugin status.
type: object
required:
- overall
- core
- plugins
uuid:
description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.
type: string
version:
additionalProperties: false
type: object
properties:
build_date:
description: The date and time of this build.
type: string
build_flavor:
description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases.
enum:
- serverless
- traditional
type: string
build_hash:
description: A unique hash value representing the git commit of this Kibana build.
type: string
build_number:
description: A monotonically increasing number, each subsequent build will have a higher number.
type: number
build_snapshot:
description: Whether this build is a snapshot build.
type: boolean
number:
description: A semantic version number.
type: string
required:
- number
- build_hash
- build_number
- build_snapshot
- build_flavor
- build_date
required:
- name
- uuid
- version
- status
- metrics
title: core_status_response
type: object
Kibana_HTTP_APIs_datasetquality-degradeddocs-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the degraded docs rule. These parameters are appropriate when `rule_type_id` is `datasetQuality.degradedDocs`.
properties:
comparator:
type: string
groupBy:
items:
type: string
type: array
searchConfiguration:
additionalProperties: false
type: object
properties:
index:
type: string
required:
- index
threshold:
items:
type: number
type: array
timeSize:
type: number
timeUnit:
type: string
required:
- timeUnit
- timeSize
- threshold
- comparator
- searchConfiguration
title: Degraded Docs Rule Params
type: object
rule_type_id:
enum:
- datasetQuality.degradedDocs
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Degraded docs
type: object
Kibana_HTTP_APIs_es-query-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the ES query rule. These parameters are appropriate when `rule_type_id` is `.es-query`.
properties:
aggField:
description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
minLength: 1
type: string
aggType:
default: count
description: The type of aggregation to perform.
type: string
esqlQuery:
anyOf:
- items: {}
type: array
- type: boolean
- type: number
- type: object
- type: string
description: The query definition in Elasticsearch Query Language.
nullable: true
oneOf:
- additionalProperties: false
type: object
properties:
esql:
minLength: 1
type: string
required:
- esql
- not: {}
esQuery:
anyOf:
- items: {}
type: array
- type: boolean
- type: number
- type: object
- type: string
nullable: true
oneOf:
- minLength: 1
type: string
- not: {}
excludeHitsFromPreviousRun:
default: true
description: Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
type: boolean
groupBy:
default: all
description: Indicates whether the aggregation is applied over all documents (`all`), grouped by row (`row`), or split into groups (`top`) using a grouping field (`termField`) where only the top groups (up to `termSize` number of groups) are checked. If grouping is used, an alert will be created for each group when it exceeds the threshold.
type: string
index:
anyOf:
- items: {}
type: array
- type: boolean
- type: number
- type: object
- type: string
description: The indices to query.
nullable: true
oneOf:
- items:
minLength: 1
type: string
minItems: 1
type: array
- not: {}
searchConfiguration:
anyOf:
- items: {}
type: array
- type: boolean
- type: number
- type: object
- type: string
description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
nullable: true
oneOf:
- additionalProperties: true
type: object
properties: {}
- not: {}
searchType:
default: esQuery
description: 'The type of query. For example: `esQuery` for Elasticsearch Query DSL or `esqlQuery` for Elasticsearch Query Language (ES|QL).'
enum:
- searchSource
- esQuery
- esqlQuery
type: string
size:
description: The number of documents to pass to the configured actions when the threshold condition is met.
maximum: 10000
minimum: 0
type: number
sourceFields:
description: The sourceFields param is ignored.
items:
additionalProperties: false
type: object
properties:
label:
type: string
searchPath:
type: string
required:
- label
- searchPath
maxItems: 5
type: array
termField:
anyOf:
- minLength: 1
type: string
- items:
type: string
maxItems: 4
minItems: 2
type: array
description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.
termSize:
description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
minimum: 1
type: number
threshold:
items:
description: The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
type: number
maxItems: 2
minItems: 1
type: array
thresholdComparator:
description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.'
enum:
- '>'
- <
- '>='
- <=
- between
- notBetween
type: string
timeField:
anyOf:
- items: {}
type: array
- type: boolean
- type: number
- type: object
- type: string
description: The field that is used to calculate the time window.
nullable: true
oneOf:
- minLength: 1
type: string
- minLength: 1
type: string
x-oas-optional: true
timeWindowSize:
description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
minimum: 1
type: number
timeWindowUnit:
description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.'
type: string
required:
- size
- timeWindowSize
- timeWindowUnit
- threshold
- thresholdComparator
- timeField
- searchConfiguration
- esQuery
- index
- esqlQuery
title: ES Query Rule Params
type: object
rule_type_id:
enum:
- .es-query
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: ES query
type: object
Kibana_HTTP_APIs_FailureStore:
anyOf:
- additionalProperties: false
type: object
properties:
inherit:
additionalProperties: false
type: object
properties: {}
required:
- inherit
- additionalProperties: false
type: object
properties:
disabled:
additionalProperties: false
type: object
properties: {}
required:
- disabled
- additionalProperties: false
type: object
properties:
lifecycle:
additionalProperties: false
type: object
properties:
enabled:
additionalProperties: false
type: object
properties:
data_retention:
description: A non-empty string.
minLength: 1
type: string
required:
- enabled
required:
- lifecycle
- additionalProperties: false
type: object
properties:
lifecycle:
additionalProperties: false
type: object
properties:
disabled:
additionalProperties: false
type: object
properties: {}
required:
- disabled
required:
- lifecycle
Kibana_HTTP_APIs_FieldDefinition:
additionalProperties:
$ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinitionConfig'
type: object
Kibana_HTTP_APIs_FieldDefinitionConfig:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord'
- anyOf:
- additionalProperties: false
type: object
properties:
description:
type: string
format:
description: A non-empty string.
minLength: 1
type: string
type:
enum:
- keyword
- match_only_text
- long
- double
- date
- boolean
- ip
- geo_point
- integer
- short
- byte
- float
- half_float
- text
- wildcard
- version
- unsigned_long
- date_nanos
type: string
required:
- type
- additionalProperties: false
type: object
properties:
description:
type: string
format:
not: {}
type:
not: {}
required:
- description
- additionalProperties: false
type: object
properties:
description:
type: string
type:
enum:
- system
type: string
required:
- type
Kibana_HTTP_APIs_FilterCondition:
anyOf:
- additionalProperties: false
description: A condition that compares a field to a value or range using an operator as the key.
type: object
properties:
contains:
anyOf:
- type: string
- type: number
- type: boolean
description: Contains comparison value.
endsWith:
anyOf:
- type: string
- type: number
- type: boolean
description: Ends-with comparison value.
eq:
anyOf:
- type: string
- type: number
- type: boolean
description: Equality comparison value.
field:
description: The document field to filter on.
minLength: 1
type: string
gt:
anyOf:
- type: string
- type: number
- type: boolean
description: Greater-than comparison value.
gte:
anyOf:
- type: string
- type: number
- type: boolean
description: Greater-than-or-equal comparison value.
includes:
anyOf:
- type: string
- type: number
- type: boolean
description: Checks if multivalue field includes the value.
lt:
anyOf:
- type: string
- type: number
- type: boolean
description: Less-than comparison value.
lte:
anyOf:
- type: string
- type: number
- type: boolean
description: Less-than-or-equal comparison value.
neq:
anyOf:
- type: string
- type: number
- type: boolean
description: Inequality comparison value.
range:
additionalProperties: false
description: Range comparison values.
type: object
properties:
gt:
anyOf:
- type: string
- type: number
- type: boolean
description: A value that can be a string, number, or boolean.
gte:
anyOf:
- type: string
- type: number
- type: boolean
description: A value that can be a string, number, or boolean.
lt:
anyOf:
- type: string
- type: number
- type: boolean
description: A value that can be a string, number, or boolean.
lte:
anyOf:
- type: string
- type: number
- type: boolean
description: A value that can be a string, number, or boolean.
startsWith:
anyOf:
- type: string
- type: number
- type: boolean
description: Starts-with comparison value.
required:
- field
- additionalProperties: false
description: A condition that checks for the existence or non-existence of a field.
type: object
properties:
exists:
description: Indicates whether the field exists or not.
type: boolean
field:
description: The document field to check.
minLength: 1
type: string
required:
- field
description: A basic filter condition, either unary or binary.
Kibana_HTTP_APIs_geo-containment-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the geo containment rule. These parameters are appropriate when `rule_type_id` is `.geo-containment`.
properties:
boundaryGeoField:
minLength: 1
type: string
boundaryIndexId:
minLength: 1
type: string
boundaryIndexQuery:
nullable: true
boundaryIndexTitle:
minLength: 1
type: string
boundaryNameField:
minLength: 1
type: string
boundaryType:
minLength: 1
type: string
dateField:
minLength: 1
type: string
entity:
minLength: 1
type: string
geoField:
minLength: 1
type: string
index:
minLength: 1
type: string
indexId:
minLength: 1
type: string
indexQuery:
nullable: true
required:
- index
- indexId
- geoField
- entity
- dateField
- boundaryType
- boundaryIndexTitle
- boundaryIndexId
- boundaryGeoField
- indexQuery
- boundaryIndexQuery
title: Geo Containment Rule Params
type: object
rule_type_id:
enum:
- .geo-containment
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Geo containment
type: object
Kibana_HTTP_APIs_index-threshold-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the index threshold rule. These parameters are appropriate when `rule_type_id` is `.index-threshold`.
properties:
aggField:
description: The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
minLength: 1
type: string
aggType:
default: count
description: The type of aggregation to perform.
type: string
filterKuery:
description: A Kibana Query Language (KQL) expression that limits the scope of alerts.
type: string
groupBy:
default: all
description: Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.
type: string
index:
anyOf:
- minLength: 1
type: string
- items:
minLength: 1
type: string
minItems: 1
type: array
description: The indices to query.
termField:
description: The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.
minLength: 1
type: string
termSize:
description: This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
minimum: 1
type: number
threshold:
items:
type: number
maxItems: 2
minItems: 1
type: array
thresholdComparator:
description: 'The comparison function for the threshold. For example: greater than, less than, greater than or equal to, between, or not between.'
enum:
- '>'
- <
- '>='
- <=
- between
- notBetween
type: string
timeField:
description: The field that is used to calculate the time window.
minLength: 1
type: string
timeWindowSize:
description: The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
minimum: 1
type: number
timeWindowUnit:
description: 'The type of units for the time window. For example: seconds, minutes, hours, or days.'
type: string
required:
- index
- timeField
- timeWindowSize
- timeWindowUnit
- thresholdComparator
- threshold
title: Index Threshold Rule Params
type: object
rule_type_id:
enum:
- .index-threshold
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Index threshold
type: object
Kibana_HTTP_APIs_IngestStreamLifecycle:
anyOf:
- additionalProperties: false
type: object
properties:
dsl:
additionalProperties: false
type: object
properties:
data_retention:
description: A non-empty string.
minLength: 1
type: string
downsample:
items:
type: object
properties:
after:
description: A non-empty string.
minLength: 1
type: string
fixed_interval:
description: A non-empty string.
minLength: 1
type: string
required:
- after
- fixed_interval
type: array
required:
- dsl
- additionalProperties: false
type: object
properties:
ilm:
additionalProperties: false
type: object
properties:
policy:
description: A non-empty string.
minLength: 1
type: string
required:
- policy
required:
- ilm
- additionalProperties: false
type: object
properties:
inherit:
additionalProperties: false
type: object
properties: {}
required:
- inherit
Kibana_HTTP_APIs_logs-alert-document-count-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
anyOf:
- additionalProperties: false
type: object
properties:
count:
additionalProperties: false
type: object
properties:
comparator:
enum:
- more than
- more than or equals
- less than
- less than or equals
- equals
- does not equal
- matches
- does not match
- matches phrase
- does not match phrase
type: string
value:
type: number
required:
- comparator
- value
criteria:
items:
additionalProperties: false
type: object
properties:
comparator:
enum:
- more than
- more than or equals
- less than
- less than or equals
- equals
- does not equal
- matches
- does not match
- matches phrase
- does not match phrase
type: string
field:
type: string
value:
anyOf:
- type: string
- type: number
required:
- field
- comparator
- value
type: array
groupBy:
items:
type: string
type: array
logView:
additionalProperties: false
type: object
properties:
logViewId:
type: string
type:
enum:
- log-view-reference
type: string
required:
- logViewId
- type
timeSize:
type: number
timeUnit:
enum:
- s
- m
- h
- d
type: string
required:
- criteria
- count
- timeUnit
- timeSize
- logView
- additionalProperties: false
type: object
properties:
count:
additionalProperties: false
type: object
properties:
comparator:
enum:
- more than
- more than or equals
- less than
- less than or equals
- equals
- does not equal
- matches
- does not match
- matches phrase
- does not match phrase
type: string
value:
type: number
required:
- comparator
- value
criteria:
items:
items:
additionalProperties: false
type: object
properties:
comparator:
enum:
- more than
- more than or equals
- less than
- less than or equals
- equals
- does not equal
- matches
- does not match
- matches phrase
- does not match phrase
type: string
field:
type: string
value:
anyOf:
- type: string
- type: number
required:
- field
- comparator
- value
type: array
type: array
groupBy:
items:
type: string
type: array
logView:
additionalProperties: false
type: object
properties:
logViewId:
type: string
type:
enum:
- log-view-reference
type: string
required:
- logViewId
- type
timeSize:
type: number
timeUnit:
enum:
- s
- m
- h
- d
type: string
required:
- criteria
- count
- timeUnit
- timeSize
- logView
description: The parameters for the log threshold rule. These parameters are appropriate when `rule_type_id` is `logs.alert.document.count`.
title: Log Threshold Rule Params
rule_type_id:
enum:
- logs.alert.document.count
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Log threshold
type: object
Kibana_HTTP_APIs_metrics-alert-inventory-threshold-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the metric inventory threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.inventory.threshold`.
properties:
alertOnNoData:
type: boolean
criteria:
items:
additionalProperties: false
type: object
properties:
comparator:
type: string
customMetric:
additionalProperties: false
type: object
properties:
aggregation:
type: string
field:
type: string
id:
type: string
label:
type: string
type:
enum:
- custom
type: string
required:
- type
- id
- field
- aggregation
metric:
type: string
threshold:
items:
type: number
type: array
timeSize:
type: number
timeUnit:
type: string
warningComparator:
type: string
warningThreshold:
items:
type: number
type: array
required:
- threshold
- comparator
- timeUnit
- timeSize
- metric
type: array
filterQuery:
type: string
nodeType:
type: string
schema:
type: string
sourceId:
type: string
required:
- criteria
- nodeType
- sourceId
title: Metric Inventory Threshold Rule Params
type: object
rule_type_id:
enum:
- metrics.alert.inventory.threshold
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Metric inventory threshold
type: object
Kibana_HTTP_APIs_metrics-alert-threshold-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the metric threshold rule. These parameters are appropriate when `rule_type_id` is `metrics.alert.threshold`.
properties:
alertOnGroupDisappear:
description: If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically.
type: boolean
alertOnNoData:
description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails.
type: boolean
criteria:
items:
anyOf:
- additionalProperties: false
type: object
properties:
aggType:
enum:
- count
type: string
comparator:
type: string
threshold:
description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.
items:
type: number
type: array
timeSize:
description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
type: number
timeUnit:
description: 'The type of units for the time window: seconds, minutes, hours, or days.'
type: string
warningComparator:
type: string
warningThreshold:
items:
description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.
type: number
type: array
required:
- threshold
- comparator
- timeUnit
- timeSize
- aggType
- additionalProperties: false
type: object
properties:
aggType:
type: string
comparator:
type: string
metric:
type: string
threshold:
description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.
items:
type: number
type: array
timeSize:
description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
type: number
timeUnit:
description: 'The type of units for the time window: seconds, minutes, hours, or days.'
type: string
warningComparator:
type: string
warningThreshold:
items:
description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.
type: number
type: array
required:
- threshold
- comparator
- timeUnit
- timeSize
- metric
- aggType
- additionalProperties: false
type: object
properties:
aggType:
enum:
- custom
type: string
comparator:
type: string
customMetrics:
items:
anyOf:
- additionalProperties: false
type: object
properties:
aggType:
type: string
field:
type: string
name:
type: string
required:
- name
- aggType
- field
- additionalProperties: false
type: object
properties:
aggType:
enum:
- count
type: string
filter:
type: string
name:
type: string
required:
- name
- aggType
type: array
equation:
type: string
label:
type: string
threshold:
description: The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.
items:
type: number
type: array
timeSize:
description: The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
type: number
timeUnit:
description: 'The type of units for the time window: seconds, minutes, hours, or days.'
type: string
warningComparator:
type: string
warningThreshold:
items:
description: The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.
type: number
type: array
required:
- threshold
- comparator
- timeUnit
- timeSize
- aggType
- customMetrics
type: array
filterQuery:
description: A query that limits the scope of the rule. The rule evaluates only metric data that matches the query.
type: string
groupBy:
anyOf:
- type: string
- items:
type: string
type: array
description: 'Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.'
sourceId:
type: string
required:
- criteria
- sourceId
title: Metric Threshold Rule Params
type: object
rule_type_id:
enum:
- metrics.alert.threshold
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Metric threshold
type: object
Kibana_HTTP_APIs_monitoring-alert-cluster-health-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the cluster health rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cluster_health`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: Cluster Health Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_cluster_health
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Cluster health
type: object
Kibana_HTTP_APIs_monitoring-alert-cpu-usage-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the CPU usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_cpu_usage`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: CPU Usage Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_cpu_usage
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: CPU usage
type: object
Kibana_HTTP_APIs_monitoring-alert-disk-usage-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the disk usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_disk_usage`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: Disk Usage Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_disk_usage
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Disk usage
type: object
Kibana_HTTP_APIs_monitoring-alert-elasticsearch-version-mismatch-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the ES version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_elasticsearch_version_mismatch`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: ES Version Mismatch Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_elasticsearch_version_mismatch
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Elasticsearch version mismatch
type: object
Kibana_HTTP_APIs_monitoring-alert-jvm-memory-usage-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the memory usage rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_jvm_memory_usage`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: Memory Usage Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_jvm_memory_usage
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: JVM memory usage
type: object
Kibana_HTTP_APIs_monitoring-alert-kibana-version-mismatch-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the Kibana version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_kibana_version_mismatch`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: Kibana Version Mismatch Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_kibana_version_mismatch
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Kibana version mismatch
type: object
Kibana_HTTP_APIs_monitoring-alert-license-expiration-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the license expiration rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_license_expiration`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: License Expiration Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_license_expiration
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: License expiration
type: object
Kibana_HTTP_APIs_monitoring-alert-logstash-version-mismatch-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the logstash version mismatch rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_logstash_version_mismatch`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: Logstash Version Mismatch Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_logstash_version_mismatch
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Logstash version mismatch
type: object
Kibana_HTTP_APIs_monitoring-alert-missing-monitoring-data-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the missing monitoring data rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_missing_monitoring_data`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: Missing Monitoring Data Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_missing_monitoring_data
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Missing monitoring data
type: object
Kibana_HTTP_APIs_monitoring-alert-nodes-changed-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the nodes changed rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_nodes_changed`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: Nodes Changed Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_nodes_changed
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Nodes changed
type: object
Kibana_HTTP_APIs_monitoring-alert-thread-pool-search-rejections-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can run all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the thread pool search rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_search_rejections`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
threshold:
type: number
required:
- duration
title: Thread Pool Search Rejections Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_thread_pool_search_rejections
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Thread pool search rejections
type: object
Kibana_HTTP_APIs_monitoring-alert-thread-pool-write-rejections-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can run all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the thread pool write rejections rule. These parameters are appropriate when `rule_type_id` is `monitoring_alert_thread_pool_write_rejections`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
threshold:
type: number
required:
- duration
title: Thread Pool Write Rejections Rule Params
type: object
rule_type_id:
enum:
- monitoring_alert_thread_pool_write_rejections
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Thread pool write rejections
type: object
Kibana_HTTP_APIs_monitoring-ccr-read-exceptions-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can run all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs have met the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the CCR read exceptions rule. These parameters are appropriate when `rule_type_id` is `monitoring_ccr_read_exceptions`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
title: CCR Read Exceptions Rule Params
type: object
rule_type_id:
enum:
- monitoring_ccr_read_exceptions
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: CCR read exceptions
type: object
Kibana_HTTP_APIs_monitoring-shard-size-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", and "value".
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the large shard size rule. These parameters are appropriate when `rule_type_id` is `monitoring_shard_size`.
properties:
duration:
type: string
filterQuery:
type: string
filterQueryText:
type: string
indexPattern:
type: string
limit:
type: string
threshold:
type: number
required:
- duration
- indexPattern
title: Large Shard Size Rule Params
type: object
rule_type_id:
enum:
- monitoring_shard_size
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Large shard size
type: object
Kibana_HTTP_APIs_new_output_elasticsearch:
additionalProperties: false
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
format: uri
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
preset:
enum:
- balanced
- custom
- throughput
- scale
- latency
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: false
type: object
properties:
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
type:
enum:
- elasticsearch
type: string
write_to_logs_streams:
nullable: true
type: boolean
required:
- name
- type
- hosts
title: new_output_elasticsearch
type: object
Kibana_HTTP_APIs_new_output_kafka:
additionalProperties: false
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
auth_type:
enum:
- none
- user_pass
- ssl
- kerberos
type: string
broker_timeout:
type: number
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
client_id:
type: string
compression:
enum:
- gzip
- snappy
- lz4
- none
type: string
compression_level:
nullable: true
type: number
config_yaml:
nullable: true
type: string
connection_type:
enum:
- plaintext
- encryption
type: string
hash:
additionalProperties: false
type: object
properties:
hash:
type: string
random:
type: boolean
headers:
items:
additionalProperties: false
type: object
properties:
key:
type: string
value:
type: string
required:
- key
- value
maxItems: 100
type: array
hosts:
items:
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
key:
type: string
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
partition:
enum:
- random
- round_robin
- hash
type: string
password:
nullable: true
type: string
proxy_id:
nullable: true
type: string
random:
additionalProperties: false
type: object
properties:
group_events:
type: number
required_acks:
enum:
- 1
- 0
- -1
type: integer
round_robin:
additionalProperties: false
type: object
properties:
group_events:
type: number
sasl:
additionalProperties: false
nullable: true
type: object
properties:
mechanism:
enum:
- PLAIN
- SCRAM-SHA-256
- SCRAM-SHA-512
type: string
secrets:
additionalProperties: false
type: object
properties:
password:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
required:
- key
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
timeout:
type: number
topic:
type: string
type:
enum:
- kafka
type: string
username:
nullable: true
type: string
version:
type: string
required:
- name
- type
- hosts
- auth_type
title: new_output_kafka
type: object
Kibana_HTTP_APIs_new_output_logstash:
additionalProperties: false
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: false
type: object
properties:
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
type:
enum:
- logstash
type: string
required:
- name
- type
- hosts
title: new_output_logstash
type: object
Kibana_HTTP_APIs_new_output_remote_elasticsearch:
additionalProperties: false
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
format: uri
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
kibana_api_key:
nullable: true
type: string
kibana_url:
nullable: true
type: string
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
preset:
enum:
- balanced
- custom
- throughput
- scale
- latency
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: false
type: object
properties:
service_token:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
service_token:
nullable: true
type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
sync_integrations:
type: boolean
sync_uninstalled_integrations:
type: boolean
type:
enum:
- remote_elasticsearch
type: string
write_to_logs_streams:
nullable: true
type: boolean
required:
- name
- type
- hosts
title: new_output_remote_elasticsearch
type: object
Kibana_HTTP_APIs_observability-rules-custom-threshold-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", and "value".
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight saving time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: true
description: The parameters for the custom threshold rule. These parameters are appropriate when `rule_type_id` is `observability.rules.custom_threshold`.
properties:
alertOnGroupDisappear:
type: boolean
alertOnNoData:
type: boolean
criteria:
items:
additionalProperties: false
type: object
properties:
aggType:
enum:
- custom
type: string
comparator:
type: string
equation:
type: string
label:
type: string
metrics:
items:
anyOf:
- additionalProperties: false
type: object
properties:
aggType:
type: string
field:
type: string
filter:
type: string
name:
type: string
required:
- name
- aggType
- field
- additionalProperties: false
type: object
properties:
aggType:
enum:
- count
type: string
filter:
type: string
name:
type: string
required:
- name
- aggType
type: array
threshold:
items:
type: number
type: array
timeSize:
type: number
timeUnit:
type: string
required:
- threshold
- comparator
- timeUnit
- timeSize
- metrics
type: array
groupBy:
anyOf:
- type: string
- items:
type: string
type: array
noDataBehavior:
enum:
- recover
- remainActive
- alertOnNoData
type: string
searchConfiguration:
additionalProperties: false
type: object
properties:
filter:
items:
additionalProperties: false
type: object
properties:
meta:
additionalProperties:
nullable: true
type: object
query:
additionalProperties:
nullable: true
type: object
required:
- meta
type: array
index:
anyOf:
- type: string
- additionalProperties: false
type: object
properties:
allowHidden:
type: boolean
allowNoIndex:
type: boolean
fieldAttrs:
additionalProperties:
additionalProperties: false
type: object
properties:
count:
type: number
customDescription:
maxLength: 300
type: string
customLabel:
type: string
type: object
fieldFormats:
additionalProperties:
additionalProperties: false
type: object
properties:
id:
type: string
params:
nullable: true
required:
- params
type: object
fields:
additionalProperties:
additionalProperties: false
type: object
properties:
aggregatable:
type: boolean
count:
minimum: 0
type: number
customDescription:
maxLength: 300
type: string
customLabel:
type: string
esTypes:
items:
type: string
type: array
format:
additionalProperties: false
type: object
properties:
id:
type: string
params:
nullable: true
required:
- params
name:
maxLength: 1000
type: string
readFromDocValues:
type: boolean
runtimeField:
anyOf:
- additionalProperties: false
type: object
properties:
customDescription:
maxLength: 300
type: string
customLabel:
type: string
format:
additionalProperties: false
type: object
properties:
id:
type: string
params:
nullable: true
required:
- params
popularity:
minimum: 0
type: number
script:
additionalProperties: false
type: object
properties:
source:
type: string
required:
- source
type:
enum:
- keyword
- long
- double
- date
- ip
- boolean
- geo_point
type: string
required:
- type
- additionalProperties: false
type: object
properties:
fields:
additionalProperties:
additionalProperties: false
type: object
properties:
customDescription:
maxLength: 300
type: string
customLabel:
type: string
format:
additionalProperties: false
type: object
properties:
id:
type: string
params:
nullable: true
required:
- params
popularity:
minimum: 0
type: number
type:
enum:
- keyword
- long
- double
- date
- ip
- boolean
- geo_point
type: string
required:
- type
type: object
script:
additionalProperties: false
type: object
properties:
source:
type: string
required:
- source
type:
enum:
- composite
type: string
required:
- type
script:
maxLength: 1000000
type: string
scripted:
type: boolean
searchable:
type: boolean
shortDotsEnable:
type: boolean
subType:
additionalProperties: false
type: object
properties:
multi:
additionalProperties: false
type: object
properties:
parent:
type: string
required:
- parent
nested:
additionalProperties: false
type: object
properties:
path:
type: string
required:
- path
type:
default: string
maxLength: 1000
type: string
required:
- name
type: object
id:
type: string
managed:
type: boolean
name:
type: string
namespaces:
items:
type: string
type: array
runtimeFieldMap:
additionalProperties:
anyOf:
- additionalProperties: false
type: object
properties:
customDescription:
maxLength: 300
type: string
customLabel:
type: string
format:
additionalProperties: false
type: object
properties:
id:
type: string
params:
nullable: true
required:
- params
popularity:
minimum: 0
type: number
script:
additionalProperties: false
type: object
properties:
source:
type: string
required:
- source
type:
enum:
- keyword
- long
- double
- date
- ip
- boolean
- geo_point
type: string
required:
- type
- additionalProperties: false
type: object
properties:
fields:
additionalProperties:
additionalProperties: false
type: object
properties:
customDescription:
maxLength: 300
type: string
customLabel:
type: string
format:
additionalProperties: false
type: object
properties:
id:
type: string
params:
nullable: true
required:
- params
popularity:
minimum: 0
type: number
type:
enum:
- keyword
- long
- double
- date
- ip
- boolean
- geo_point
type: string
required:
- type
type: object
script:
additionalProperties: false
type: object
properties:
source:
type: string
required:
- source
type:
enum:
- composite
type: string
required:
- type
type: object
sourceFilters:
items:
additionalProperties: false
type: object
properties:
clientId:
anyOf:
- type: string
- type: number
value:
type: string
required:
- value
type: array
timeFieldName:
type: string
title:
type: string
type:
type: string
typeMeta:
additionalProperties: true
type: object
properties: {}
version:
type: string
required:
- title
query:
additionalProperties: false
type: object
properties:
language:
type: string
query:
type: string
required:
- language
- query
required:
- index
- query
required:
- criteria
- searchConfiguration
title: Custom Threshold Rule Params
type: object
rule_type_id:
enum:
- observability.rules.custom_threshold
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Custom threshold
type: object
Kibana_HTTP_APIs_output_elasticsearch:
additionalProperties: true
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
format: uri
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
preset:
enum:
- balanced
- custom
- throughput
- scale
- latency
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: true
type: object
properties:
ssl:
additionalProperties: true
type: object
properties:
key:
anyOf:
- additionalProperties: true
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
type:
enum:
- elasticsearch
type: string
write_to_logs_streams:
nullable: true
type: boolean
required:
- name
- type
- hosts
title: output_elasticsearch
type: object
Kibana_HTTP_APIs_output_kafka:
additionalProperties: true
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
auth_type:
enum:
- none
- user_pass
- ssl
- kerberos
type: string
broker_timeout:
type: number
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
client_id:
type: string
compression:
enum:
- gzip
- snappy
- lz4
- none
type: string
compression_level:
nullable: true
type: number
config_yaml:
nullable: true
type: string
connection_type:
enum:
- plaintext
- encryption
type: string
hash:
additionalProperties: true
type: object
properties:
hash:
type: string
random:
type: boolean
headers:
items:
additionalProperties: true
type: object
properties:
key:
type: string
value:
type: string
required:
- key
- value
maxItems: 100
type: array
hosts:
items:
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
key:
type: string
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
partition:
enum:
- random
- round_robin
- hash
type: string
password:
nullable: true
type: string
proxy_id:
nullable: true
type: string
random:
additionalProperties: true
type: object
properties:
group_events:
type: number
required_acks:
enum:
- 1
- 0
- -1
type: integer
round_robin:
additionalProperties: true
type: object
properties:
group_events:
type: number
sasl:
additionalProperties: true
nullable: true
type: object
properties:
mechanism:
enum:
- PLAIN
- SCRAM-SHA-256
- SCRAM-SHA-512
type: string
secrets:
additionalProperties: true
type: object
properties:
password:
anyOf:
- additionalProperties: true
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
ssl:
additionalProperties: true
type: object
properties:
key:
anyOf:
- additionalProperties: true
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
required:
- key
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
timeout:
type: number
topic:
type: string
type:
enum:
- kafka
type: string
username:
nullable: true
type: string
version:
type: string
required:
- name
- type
- hosts
- auth_type
title: output_kafka
type: object
Kibana_HTTP_APIs_output_logstash:
additionalProperties: true
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: true
type: object
properties:
ssl:
additionalProperties: true
type: object
properties:
key:
anyOf:
- additionalProperties: true
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
type:
enum:
- logstash
type: string
required:
- name
- type
- hosts
title: output_logstash
type: object
Kibana_HTTP_APIs_output_remote_elasticsearch:
additionalProperties: true
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
format: uri
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
kibana_api_key:
nullable: true
type: string
kibana_url:
nullable: true
type: string
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
preset:
enum:
- balanced
- custom
- throughput
- scale
- latency
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: true
type: object
properties:
service_token:
anyOf:
- additionalProperties: true
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
ssl:
additionalProperties: true
type: object
properties:
key:
anyOf:
- additionalProperties: true
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
service_token:
nullable: true
type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
sync_integrations:
type: boolean
sync_uninstalled_integrations:
type: boolean
type:
enum:
- remote_elasticsearch
type: string
write_to_logs_streams:
nullable: true
type: boolean
required:
- name
- type
- hosts
title: output_remote_elasticsearch
type: object
Kibana_HTTP_APIs_output_shipper:
additionalProperties: true
properties:
compression_level:
nullable: true
type: number
disk_queue_compression_enabled:
nullable: true
type: boolean
disk_queue_enabled:
default: false
nullable: true
type: boolean
disk_queue_encryption_enabled:
nullable: true
type: boolean
disk_queue_max_size:
nullable: true
type: number
disk_queue_path:
nullable: true
type: string
loadbalance:
nullable: true
type: boolean
max_batch_bytes:
nullable: true
type: number
mem_queue_events:
nullable: true
type: number
queue_flush_timeout:
nullable: true
type: number
required:
- disk_queue_path
- disk_queue_max_size
- disk_queue_encryption_enabled
- disk_queue_compression_enabled
- compression_level
- loadbalance
- mem_queue_events
- queue_flush_timeout
- max_batch_bytes
title: output_shipper
type: object
Kibana_HTTP_APIs_output_ssl:
additionalProperties: true
properties:
certificate:
type: string
certificate_authorities:
items:
type: string
maxItems: 10
type: array
key:
type: string
verification_mode:
enum:
- full
- none
- certificate
- strict
type: string
title: output_ssl
type: object
Kibana_HTTP_APIs_QueryStreamUpsertRequest:
additionalProperties: false
type: object
properties:
dashboards:
items:
type: string
type: array
queries:
items:
type: object
properties:
description:
type: string
esql:
type: object
properties:
query:
type: string
required:
- query
evidence:
items:
type: string
type: array
id:
description: A non-empty string.
minLength: 1
type: string
severity_score:
type: number
title:
description: A non-empty string.
minLength: 1
type: string
type:
default: match
enum:
- match
- stats
type: string
required:
- id
- title
- description
- esql
type: array
rules:
items:
type: string
type: array
stream:
additionalProperties: false
type: object
properties:
description:
type: string
field_descriptions:
additionalProperties:
type: string
type: object
query:
additionalProperties: false
type: object
properties:
esql:
type: string
view:
type: string
required:
- view
- esql
query_streams:
items:
type: object
properties:
name:
type: string
required:
- name
type: array
type:
enum:
- query
type: string
required:
- description
- type
- query
required:
- dashboards
- rules
- queries
- stream
Kibana_HTTP_APIs_RecursiveRecord:
additionalProperties:
anyOf:
- anyOf:
- type: string
- type: number
- type: boolean
- nullable: true
- {}
- items:
anyOf:
- type: string
- type: number
- type: boolean
- nullable: true
- {}
type: array
- items: {}
type: array
- $ref: '#/components/schemas/Kibana_HTTP_APIs_RecursiveRecord'
type: object
Kibana_HTTP_APIs_security_query_roles_body:
additionalProperties: false
description: The request body for querying roles.
properties:
filters:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_filters'
from:
type: number
query:
type: string
size:
type: number
sort:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_query_roles_sort'
title: security_query_roles_body
type: object
required: []
Kibana_HTTP_APIs_security_query_roles_filters:
additionalProperties: false
description: The filter criteria for the query.
properties:
showReservedRoles:
type: boolean
title: security_query_roles_filters
type: object
x-oas-optional: true
Kibana_HTTP_APIs_security_query_roles_sort:
additionalProperties: false
description: The sort criteria for the query.
properties:
direction:
enum:
- asc
- desc
type: string
field:
type: string
required:
- field
- direction
title: security_query_roles_sort
type: object
x-oas-optional: true
Kibana_HTTP_APIs_security_role_elasticsearch:
additionalProperties: false
description: The Elasticsearch cluster, index, and remote cluster security privileges for the role.
properties:
cluster:
items:
description: Cluster privileges that define the cluster level actions that users can perform.
type: string
maxItems: 100
type: array
indices:
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_indices_privileges'
maxItems: 1000
type: array
remote_cluster:
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_cluster_privileges'
maxItems: 100
type: array
remote_indices:
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_remote_indices_privileges'
maxItems: 1000
type: array
run_as:
items:
description: A username that members of this role can impersonate.
type: string
maxItems: 100
type: array
title: security_role_elasticsearch
type: object
Kibana_HTTP_APIs_security_role_indices_privileges:
additionalProperties: false
description: The indices privileges entry.
properties:
allow_restricted_indices:
description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
type: boolean
field_security:
additionalProperties:
items:
description: The document fields that the role members have read access to.
type: string
maxItems: 1000
type: array
type: object
names:
items:
description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
type: string
maxItems: 100
minItems: 1
type: array
privileges:
items:
description: The index level privileges that the role members have for the data streams and indices.
type: string
maxItems: 100
minItems: 1
type: array
query:
description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
type: string
required:
- names
- privileges
title: security_role_indices_privileges
type: object
Kibana_HTTP_APIs_security_role_kibana_privilege:
additionalProperties: false
description: The Kibana privilege entry for the role.
properties:
base:
anyOf:
- items: {}
type: array
- type: boolean
- type: number
- type: object
- type: string
nullable: true
oneOf:
- items:
description: A base privilege that applies to all spaces.
type: string
maxItems: 50
type: array
- items:
description: A base privilege that applies to specific spaces.
type: string
maxItems: 50
type: array
feature:
additionalProperties:
items:
description: The privileges that the role member has for the feature.
type: string
maxItems: 100
type: array
type: object
spaces:
anyOf:
- items:
enum:
- '*'
type: string
maxItems: 1
minItems: 1
type: array
- items:
description: A space that the privilege applies to.
type: string
maxItems: 1000
type: array
default:
- '*'
required:
- base
title: security_role_kibana_privilege
type: object
Kibana_HTTP_APIs_security_role_put_payload:
additionalProperties: false
description: The role definition to create or update.
properties:
description:
description: A description for the role.
maxLength: 2048
type: string
elasticsearch:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_elasticsearch'
kibana:
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_kibana_privilege'
type: array
metadata:
additionalProperties:
nullable: true
type: object
required:
- elasticsearch
title: security_role_put_payload
type: object
Kibana_HTTP_APIs_security_role_remote_cluster_privileges:
additionalProperties: false
description: The remote cluster privileges entry.
properties:
clusters:
items:
description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
type: string
maxItems: 100
minItems: 1
type: array
privileges:
items:
description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
type: string
maxItems: 100
minItems: 1
type: array
required:
- privileges
- clusters
title: security_role_remote_cluster_privileges
type: object
Kibana_HTTP_APIs_security_role_remote_indices_privileges:
additionalProperties: false
description: The remote indices privileges entry.
properties:
allow_restricted_indices:
description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
type: boolean
clusters:
items:
description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
type: string
maxItems: 100
minItems: 1
type: array
field_security:
additionalProperties:
items:
description: The document fields that the role members have read access to.
type: string
maxItems: 1000
type: array
type: object
names:
items:
description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
type: string
maxItems: 100
minItems: 1
type: array
privileges:
items:
description: The index level privileges that role members have for the specified indices.
type: string
maxItems: 100
minItems: 1
type: array
query:
description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.'
type: string
required:
- clusters
- names
- privileges
title: security_role_remote_indices_privileges
type: object
Kibana_HTTP_APIs_security_roles_bulk_create_or_update_payload:
additionalProperties: false
description: The request body for bulk creating or updating roles.
properties:
roles:
additionalProperties:
$ref: '#/components/schemas/Kibana_HTTP_APIs_security_role_put_payload'
type: object
required:
- roles
title: security_roles_bulk_create_or_update_payload
type: object
Kibana_HTTP_APIs_slo-rules-burnrate-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the SLO burn rate rule. These parameters are appropriate when `rule_type_id` is `slo.rules.burnRate`.
properties:
dependencies:
items:
additionalProperties: false
type: object
properties:
actionGroupsToSuppressOn:
items:
type: string
type: array
ruleId:
type: string
required:
- ruleId
- actionGroupsToSuppressOn
type: array
sloId:
type: string
windows:
items:
additionalProperties: false
type: object
properties:
actionGroup:
type: string
burnRateThreshold:
type: number
id:
type: string
longWindow:
additionalProperties: false
type: object
properties:
unit:
type: string
value:
type: number
required:
- value
- unit
maxBurnRateThreshold:
nullable: true
type: number
shortWindow:
additionalProperties: false
type: object
properties:
unit:
type: string
value:
type: number
required:
- value
- unit
required:
- id
- burnRateThreshold
- maxBurnRateThreshold
- longWindow
- shortWindow
- actionGroup
type: array
required:
- sloId
- windows
title: SLO Burn Rate Rule Params
type: object
rule_type_id:
enum:
- slo.rules.burnRate
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: SLO burn rate
type: object
Kibana_HTTP_APIs_StreamlangConditionBlock:
additionalProperties: false
type: object
properties:
condition:
$ref: '#/components/schemas/Kibana_HTTP_APIs_ConditionWithSteps'
customIdentifier:
type: string
required:
- condition
Kibana_HTTP_APIs_StreamlangStep:
anyOf:
- anyOf:
- additionalProperties: false
description: Grok processor - Extract fields from text using grok patterns
type: object
properties:
action:
enum:
- grok
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Source field to parse with grok patterns
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip processing when source field is missing
type: boolean
pattern_definitions:
additionalProperties:
type: string
type: object
patterns:
description: Grok patterns applied in order to extract fields
items:
description: A non-empty string.
minLength: 1
type: string
minItems: 1
type: array
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- patterns
- additionalProperties: false
description: Dissect processor - Extract fields from text using a lightweight, delimiter-based parser
type: object
properties:
action:
enum:
- dissect
type: string
append_separator:
description: Separator inserted when target fields are concatenated
minLength: 1
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Source field to parse with dissect pattern
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip processing when source field is missing
type: boolean
pattern:
description: Dissect pattern describing field boundaries
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- pattern
- additionalProperties: false
description: Date processor - Parse dates from strings using one or more expected formats
type: object
properties:
action:
enum:
- date
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
formats:
description: Accepted input date formats, tried in order
items:
description: A non-empty string.
minLength: 1
type: string
type: array
from:
description: Source field containing the date/time text
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
locale:
description: Optional locale for date parsing
minLength: 1
type: string
output_format:
description: Optional output format for storing the parsed date as text
minLength: 1
type: string
timezone:
description: Optional timezone for date parsing
minLength: 1
type: string
to:
description: Target field for the parsed date (defaults to source)
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- formats
- additionalProperties: false
type: object
properties:
action:
enum:
- drop_document
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- additionalProperties: false
type: object
properties:
action:
enum:
- math
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
expression:
description: A non-empty string.
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
to:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- expression
- to
- additionalProperties: false
description: Rename processor - Change a field name and optionally its location
type: object
properties:
action:
enum:
- rename
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Existing source field to rename or move
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip when source field is missing
type: boolean
override:
description: Allow overwriting the target field if it already exists
type: boolean
to:
description: New field name or destination path
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- to
- additionalProperties: false
description: Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)
type: object
properties:
action:
enum:
- set
type: string
copy_from:
description: Copy value from another field instead of providing a literal
minLength: 1
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
override:
description: Allow overwriting an existing target field
type: boolean
to:
description: Target field to set or create
minLength: 1
type: string
value:
description: Literal value to assign to the target field
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- to
- additionalProperties: false
description: Append processor - Append one or more values to an existing or new array field
type: object
properties:
action:
enum:
- append
type: string
allow_duplicates:
description: If true, do not deduplicate appended values
type: boolean
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
to:
description: Array field to append values to
minLength: 1
type: string
value:
description: Values to append (must be literal, no templates)
items: {}
minItems: 1
type: array
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- to
- value
- additionalProperties: false
description: Remove by prefix processor - Remove a field and all nested fields matching the prefix
type: object
properties:
action:
enum:
- remove_by_prefix
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Field to remove along with all its nested fields
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
required:
- action
- from
- additionalProperties: false
description: Remove processor - Delete one or more fields from the document
type: object
properties:
action:
enum:
- remove
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Field to remove from the document
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip processing when source field is missing
type: boolean
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- additionalProperties: false
type: object
properties:
action:
enum:
- replace
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
pattern:
minLength: 1
type: string
replacement:
type: string
to:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- pattern
- replacement
- additionalProperties: false
description: Redact processor - Mask sensitive data using Grok patterns
type: object
properties:
action:
enum:
- redact
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Source field to redact sensitive data from
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip processing when source field is missing (defaults to true)
type: boolean
pattern_definitions:
additionalProperties:
type: string
description: Custom pattern definitions to use in the patterns
type: object
patterns:
description: Grok patterns to match sensitive data (for example, "%{IP:client}", "%{EMAILADDRESS:email}")
items:
description: A non-empty string.
minLength: 1
type: string
minItems: 1
type: array
prefix:
description: Prefix to prepend to the redacted pattern name (defaults to "<")
type: string
suffix:
description: Suffix to append to the redacted pattern name (defaults to ">")
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- patterns
- additionalProperties: false
type: object
properties:
action:
enum:
- uppercase
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
to:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- additionalProperties: false
type: object
properties:
action:
enum:
- lowercase
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
to:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- additionalProperties: false
type: object
properties:
action:
enum:
- trim
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
to:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- additionalProperties: false
type: object
properties:
action:
enum:
- join
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
delimiter:
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
items:
minLength: 1
type: string
minItems: 1
type: array
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
to:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- delimiter
- to
- additionalProperties: false
description: Split processor - Split a field value into an array using a separator
type: object
properties:
action:
enum:
- split
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Source field to split into an array
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip processing when source field is missing
type: boolean
preserve_trailing:
description: Preserve empty trailing fields in the split result
type: boolean
separator:
description: Regex separator used to split the field value into an array
minLength: 1
type: string
to:
description: Target field for the split array (defaults to source)
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- separator
- additionalProperties: false
type: object
properties:
action:
enum:
- sort
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Array field to sort
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip processing when source field is missing
type: boolean
order:
description: Sort order - "asc" (ascending) or "desc" (descending). Defaults to "asc"
enum:
- asc
- desc
type: string
to:
description: Target field for the sorted array (defaults to source)
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- additionalProperties: false
description: Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)
type: object
properties:
action:
enum:
- convert
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
description: Source field to convert to a different data type
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip processing when source field is missing
type: boolean
to:
description: Target field for the converted value (defaults to source)
minLength: 1
type: string
type:
description: 'Target data type: integer, long, double, boolean, or string'
enum:
- integer
- long
- double
- boolean
- string
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- type
- additionalProperties: false
type: object
properties:
action:
enum:
- concat
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
from:
items:
anyOf:
- type: object
properties:
type:
enum:
- field
type: string
value:
minLength: 1
type: string
required:
- type
- value
- type: object
properties:
type:
enum:
- literal
type: string
value:
type: string
required:
- type
- value
minItems: 1
type: array
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
to:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- from
- to
- allOf:
- additionalProperties: false
type: object
properties:
action:
enum:
- network_direction
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
destination_ip:
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
source_ip:
minLength: 1
type: string
target_field:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- source_ip
- destination_ip
- anyOf:
- additionalProperties: false
type: object
properties:
internal_networks:
items:
type: string
type: array
required:
- internal_networks
- additionalProperties: false
type: object
properties:
internal_networks_field:
minLength: 1
type: string
required:
- internal_networks_field
- additionalProperties: false
description: JsonExtract processor - Extract values from JSON strings using JSONPath-like selectors
type: object
properties:
action:
enum:
- json_extract
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
extractions:
description: List of extraction specifications
items:
description: A single extraction specification
type: object
properties:
selector:
description: JSONPath-like selector to extract value (e.g., "user.id", "$.metadata.client.ip", "items[0].name")
minLength: 1
type: string
target_field:
description: Target field to store the extracted value
minLength: 1
type: string
type:
description: Data type for the extracted value. Defaults to "keyword". Ensures consistent types across transpilers.
enum:
- keyword
- integer
- long
- double
- boolean
type: string
required:
- selector
- target_field
minItems: 1
type: array
field:
description: Source field containing the JSON string to parse
minLength: 1
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
description: Skip processing when source field is missing
type: boolean
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- field
- extractions
- additionalProperties: false
type: object
properties:
action:
enum:
- enrich
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
ignore_missing:
type: boolean
override:
type: boolean
policy_name:
description: A non-empty string.
minLength: 1
type: string
to:
minLength: 1
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- policy_name
- to
- additionalProperties: false
description: Manual ingest pipeline wrapper around native Elasticsearch processors
type: object
properties:
action:
description: Manual ingest pipeline - executes raw Elasticsearch ingest processors
enum:
- manual_ingest_pipeline
type: string
customIdentifier:
description: Custom identifier to correlate this processor across outputs
minLength: 1
type: string
description:
description: Human-readable notes about this processor step
type: string
ignore_failure:
description: Continue pipeline execution if this processor fails
type: boolean
on_failure:
description: Fallback processors to run when a processor fails
items:
additionalProperties: {}
type: object
type: array
processors:
description: List of raw Elasticsearch ingest processors to run
items:
additionalProperties: {}
type: object
type: array
tag:
description: Optional ingest processor tag for Elasticsearch
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
description: Conditional expression controlling whether this processor runs
required:
- action
- processors
- $ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangConditionBlock'
Kibana_HTTP_APIs_StreamUpsertRequest:
anyOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_WiredStreamUpsertRequest'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_ClassicStreamUpsertRequest'
- $ref: '#/components/schemas/Kibana_HTTP_APIs_QueryStreamUpsertRequest'
Kibana_HTTP_APIs_transform-health-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the transform health rule. These parameters are appropriate when `rule_type_id` is `transform_health`.
properties:
excludeTransforms:
default: []
items:
type: string
nullable: true
type: array
includeTransforms:
items:
type: string
type: array
testsConfig:
additionalProperties: false
nullable: true
type: object
properties:
errorMessages:
additionalProperties: false
nullable: true
type: object
properties:
enabled:
default: false
type: boolean
healthCheck:
additionalProperties: false
nullable: true
type: object
properties:
enabled:
default: true
type: boolean
notStarted:
additionalProperties: false
nullable: true
type: object
properties:
enabled:
default: true
type: boolean
required:
- notStarted
- errorMessages
- healthCheck
required:
- includeTransforms
- testsConfig
title: Transform Health Rule Params
type: object
rule_type_id:
enum:
- transform_health
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Transform health
type: object
Kibana_HTTP_APIs_update_output_elasticsearch:
additionalProperties: false
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
format: uri
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
type: boolean
is_default_monitoring:
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
preset:
enum:
- balanced
- custom
- throughput
- scale
- latency
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: false
type: object
properties:
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
type:
enum:
- elasticsearch
type: string
write_to_logs_streams:
nullable: true
type: boolean
title: update_output_elasticsearch
type: object
Kibana_HTTP_APIs_update_output_kafka:
additionalProperties: false
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
auth_type:
enum:
- none
- user_pass
- ssl
- kerberos
type: string
broker_timeout:
type: number
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
client_id:
type: string
compression:
enum:
- gzip
- snappy
- lz4
- none
type: string
compression_level:
nullable: true
type: number
config_yaml:
nullable: true
type: string
connection_type:
enum:
- plaintext
- encryption
type: string
hash:
additionalProperties: false
type: object
properties:
hash:
type: string
random:
type: boolean
headers:
items:
additionalProperties: false
type: object
properties:
key:
type: string
value:
type: string
required:
- key
- value
maxItems: 100
type: array
hosts:
items:
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
default: false
type: boolean
is_default_monitoring:
default: false
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
key:
type: string
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
partition:
enum:
- random
- round_robin
- hash
type: string
password:
nullable: true
type: string
proxy_id:
nullable: true
type: string
random:
additionalProperties: false
type: object
properties:
group_events:
type: number
required_acks:
enum:
- 1
- 0
- -1
type: integer
round_robin:
additionalProperties: false
type: object
properties:
group_events:
type: number
sasl:
additionalProperties: false
nullable: true
type: object
properties:
mechanism:
enum:
- PLAIN
- SCRAM-SHA-256
- SCRAM-SHA-512
type: string
secrets:
additionalProperties: false
type: object
properties:
password:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
required:
- key
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
timeout:
type: number
topic:
type: string
type:
enum:
- kafka
type: string
username:
nullable: true
type: string
version:
type: string
required:
- name
title: update_output_kafka
type: object
Kibana_HTTP_APIs_update_output_logstash:
additionalProperties: false
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
type: boolean
is_default_monitoring:
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: false
type: object
properties:
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
type:
enum:
- logstash
type: string
title: update_output_logstash
type: object
Kibana_HTTP_APIs_update_output_remote_elasticsearch:
additionalProperties: false
properties:
allow_edit:
items:
type: string
maxItems: 1000
type: array
ca_sha256:
nullable: true
type: string
ca_trusted_fingerprint:
nullable: true
type: string
config_yaml:
nullable: true
type: string
hosts:
items:
format: uri
type: string
maxItems: 10
minItems: 1
type: array
id:
type: string
is_default:
type: boolean
is_default_monitoring:
type: boolean
is_internal:
type: boolean
is_preconfigured:
type: boolean
kibana_api_key:
nullable: true
type: string
kibana_url:
nullable: true
type: string
name:
type: string
otel_disable_beatsauth:
nullable: true
type: boolean
otel_exporter_config_yaml:
nullable: true
type: string
preset:
enum:
- balanced
- custom
- throughput
- scale
- latency
type: string
proxy_id:
nullable: true
type: string
secrets:
additionalProperties: false
type: object
properties:
service_token:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
ssl:
additionalProperties: false
type: object
properties:
key:
anyOf:
- additionalProperties: false
type: object
properties:
hash:
type: string
id:
type: string
required:
- id
- type: string
service_token:
nullable: true
type: string
shipper:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_shipper'
nullable: true
ssl:
allOf:
- $ref: '#/components/schemas/Kibana_HTTP_APIs_output_ssl'
nullable: true
sync_integrations:
type: boolean
sync_uninstalled_integrations:
type: boolean
type:
enum:
- remote_elasticsearch
type: string
write_to_logs_streams:
nullable: true
type: boolean
title: update_output_remote_elasticsearch
type: object
Kibana_HTTP_APIs_WiredStreamUpsertRequest:
additionalProperties: false
type: object
properties:
dashboards:
items:
type: string
type: array
queries:
items:
type: object
properties:
description:
type: string
esql:
type: object
properties:
query:
type: string
required:
- query
evidence:
items:
type: string
type: array
id:
description: A non-empty string.
minLength: 1
type: string
severity_score:
type: number
title:
description: A non-empty string.
minLength: 1
type: string
type:
default: match
enum:
- match
- stats
type: string
required:
- id
- title
- description
- esql
type: array
rules:
items:
type: string
type: array
stream:
additionalProperties: false
type: object
properties:
description:
type: string
ingest:
additionalProperties: false
type: object
properties:
failure_store:
$ref: '#/components/schemas/Kibana_HTTP_APIs_FailureStore'
lifecycle:
$ref: '#/components/schemas/Kibana_HTTP_APIs_IngestStreamLifecycle'
processing:
additionalProperties: false
type: object
properties:
steps:
items:
$ref: '#/components/schemas/Kibana_HTTP_APIs_StreamlangStep'
type: array
updated_at: {}
required:
- steps
settings:
additionalProperties: false
type: object
properties:
index.number_of_replicas:
additionalProperties: false
type: object
properties:
value:
type: number
required:
- value
index.number_of_shards:
additionalProperties: false
type: object
properties:
value:
type: number
required:
- value
index.refresh_interval:
additionalProperties: false
type: object
properties:
value:
anyOf:
- type: string
- enum:
- -1
type: number
required:
- value
wired:
additionalProperties: false
type: object
properties:
draft:
type: boolean
fields:
$ref: '#/components/schemas/Kibana_HTTP_APIs_FieldDefinition'
routing:
items:
type: object
properties:
destination:
description: A non-empty string.
minLength: 1
type: string
draft:
type: boolean
status:
enum:
- enabled
- disabled
type: string
where:
$ref: '#/components/schemas/Kibana_HTTP_APIs_Condition'
required:
- destination
- where
type: array
required:
- fields
- routing
required:
- lifecycle
- processing
- settings
- failure_store
- wired
query_streams:
items:
type: object
properties:
name:
type: string
required:
- name
type: array
type:
enum:
- wired
type: string
required:
- description
- ingest
- type
required:
- dashboards
- rules
- queries
- stream
Kibana_HTTP_APIs_xpack-ml-anomaly-detection-alert-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the anomaly detection rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_alert`.
properties:
includeInterim:
default: true
type: boolean
jobSelection:
additionalProperties: false
type: object
properties:
groupIds:
default: []
items:
type: string
type: array
jobIds:
default: []
items:
type: string
type: array
kqlQueryString:
nullable: true
type: string
lookbackInterval:
nullable: true
type: string
resultType:
enum:
- record
- bucket
- influencer
type: string
severity:
maximum: 100
minimum: 0
type: number
topNBuckets:
minimum: 1
nullable: true
type: number
required:
- jobSelection
- severity
- resultType
- lookbackInterval
- topNBuckets
- kqlQueryString
title: Anomaly Detection Rule Params
type: object
rule_type_id:
enum:
- xpack.ml.anomaly_detection_alert
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Anomaly detection
type: object
Kibana_HTTP_APIs_xpack-ml-anomaly-detection-jobs-health-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the anomaly detection jobs health rule. These parameters are appropriate when `rule_type_id` is `xpack.ml.anomaly_detection_jobs_health`.
properties:
excludeJobs:
additionalProperties: false
nullable: true
type: object
properties:
groupIds:
default: []
items:
type: string
type: array
jobIds:
default: []
items:
type: string
type: array
includeJobs:
additionalProperties: false
type: object
properties:
groupIds:
default: []
items:
type: string
type: array
jobIds:
default: []
items:
type: string
type: array
testsConfig:
additionalProperties: false
nullable: true
type: object
properties:
behindRealtime:
additionalProperties: false
nullable: true
type: object
properties:
enabled:
default: true
type: boolean
timeInterval:
nullable: true
type: string
required:
- timeInterval
datafeed:
additionalProperties: false
nullable: true
type: object
properties:
enabled:
default: true
type: boolean
delayedData:
additionalProperties: false
nullable: true
type: object
properties:
docsCount:
minimum: 1
nullable: true
type: number
enabled:
default: true
type: boolean
timeInterval:
nullable: true
type: string
required:
- docsCount
- timeInterval
errorMessages:
additionalProperties: false
nullable: true
type: object
properties:
enabled:
default: true
type: boolean
mml:
additionalProperties: false
nullable: true
type: object
properties:
enabled:
default: true
type: boolean
required:
- datafeed
- mml
- delayedData
- behindRealtime
- errorMessages
required:
- includeJobs
- excludeJobs
- testsConfig
title: Anomaly Detection Jobs Health Rule Params
type: object
rule_type_id:
enum:
- xpack.ml.anomaly_detection_jobs_health
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Anomaly detection jobs health
type: object
Kibana_HTTP_APIs_xpack-synthetics-alerts-monitorstatus-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the synthetics monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.monitorStatus`.
properties:
condition:
additionalProperties: false
type: object
properties:
alertOnNoData:
type: boolean
downThreshold:
type: number
groupBy:
type: string
includeRetests:
type: boolean
locationsThreshold:
type: number
recoveryStrategy:
enum:
- firstUp
- conditionNotMet
type: string
window:
anyOf:
- additionalProperties: false
type: object
properties:
time:
additionalProperties: false
type: object
properties:
size:
default: 5
type: number
unit:
default: m
enum:
- s
- m
- h
- d
type: string
required:
- time
- additionalProperties: false
type: object
properties:
numberOfChecks:
default: 5
maximum: 100
minimum: 1
type: number
required:
- window
kqlQuery:
type: string
locations:
items:
type: string
type: array
monitorIds:
items:
type: string
type: array
monitorTypes:
items:
type: string
type: array
projects:
items:
type: string
type: array
tags:
items:
type: string
type: array
title: Synthetics Monitor Status Rule Params
type: object
rule_type_id:
enum:
- xpack.synthetics.alerts.monitorStatus
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Synthetics monitor status
type: object
Kibana_HTTP_APIs_xpack-synthetics-alerts-tls-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the Synthetics TLS rule. These parameters are appropriate when `rule_type_id` is `xpack.synthetics.alerts.tls`.
properties:
certAgeThreshold:
type: number
certExpirationThreshold:
type: number
kqlQuery:
type: string
locations:
items:
type: string
type: array
monitorIds:
items:
type: string
type: array
monitorTypes:
items:
type: string
type: array
projects:
items:
type: string
type: array
search:
type: string
tags:
items:
type: string
type: array
title: Synthetics TLS Rule Params
type: object
rule_type_id:
enum:
- xpack.synthetics.alerts.tls
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Synthetics TLS
type: object
Kibana_HTTP_APIs_xpack-uptime-alerts-durationanomaly-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the uptime duration anomaly rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.durationAnomaly`.
properties:
monitorId:
type: string
severity:
type: number
stackVersion:
type: string
required:
- monitorId
- severity
title: Uptime Duration Anomaly Rule Params
type: object
rule_type_id:
enum:
- xpack.uptime.alerts.durationAnomaly
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Uptime duration anomaly
type: object
Kibana_HTTP_APIs_xpack-uptime-alerts-monitorstatus-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the uptime monitor status rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.monitorStatus`.
properties:
availability:
additionalProperties: false
type: object
properties:
range:
type: number
rangeUnit:
type: string
threshold:
type: string
required:
- range
- rangeUnit
- threshold
filters:
anyOf:
- additionalProperties: false
type: object
properties:
monitor.type:
items:
type: string
type: array
observer.geo.name:
items:
type: string
type: array
tags:
items:
type: string
type: array
url.port:
items:
type: string
type: array
- type: string
isAutoGenerated:
type: boolean
locations:
items:
type: string
type: array
numTimes:
type: number
search:
type: string
shouldCheckAvailability:
type: boolean
shouldCheckStatus:
type: boolean
stackVersion:
type: string
timerange:
additionalProperties: false
type: object
properties:
from:
type: string
to:
type: string
required:
- from
- to
timerangeCount:
type: number
timerangeUnit:
type: string
version:
type: number
required:
- numTimes
- shouldCheckStatus
- shouldCheckAvailability
title: Uptime Monitor Status Rule Params
type: object
rule_type_id:
enum:
- xpack.uptime.alerts.monitorStatus
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Uptime monitor status
type: object
Kibana_HTTP_APIs_xpack-uptime-alerts-tlscertificate-create-rule-body-alerting:
additionalProperties: false
properties:
actions:
default: []
items:
additionalProperties: false
description: An action that runs under defined conditions.
type: object
properties:
alerts_filter:
additionalProperties: false
description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
type: object
properties:
query:
additionalProperties: false
type: object
properties:
dsl:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
type: string
filters:
description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
items:
additionalProperties: false
type: object
properties:
$state:
additionalProperties: false
type: object
properties:
store:
description: A filter can be either specific to an application context or applied globally.
enum:
- appState
- globalState
type: string
required:
- store
meta:
additionalProperties:
description: An object with fields such as "controlledBy", "disabled", "field", "group", "index", "isMultiIndex", "key", "negate", "params", "type", "value"
nullable: true
type: object
query:
additionalProperties:
description: A query for the filter.
nullable: true
type: object
required:
- meta
type: array
kql:
description: A filter written in Kibana Query Language (KQL).
type: string
required:
- kql
- filters
timeframe:
additionalProperties: false
description: Defines a period that limits whether the action runs.
type: object
properties:
days:
description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
items:
enum:
- 1
- 2
- 3
- 4
- 5
- 6
- 7
type: integer
type: array
hours:
additionalProperties: false
description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day.
type: object
properties:
end:
description: The end of the time frame in 24-hour notation (`hh:mm`).
type: string
start:
description: The start of the time frame in 24-hour notation (`hh:mm`).
type: string
required:
- start
- end
timezone:
description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
type: string
required:
- days
- hours
- timezone
frequency:
additionalProperties: false
type: object
properties:
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
type: string
summary:
description: Indicates whether the action is a summary.
type: boolean
throttle:
description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- summary
- notify_when
- throttle
group:
description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
type: string
id:
description: The identifier for the connector saved object.
type: string
params:
additionalProperties:
nullable: true
default: {}
description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
type: object
use_alert_data_for_template:
description: Indicates whether to use alert data as a template.
type: boolean
uuid:
description: A universally unique identifier (UUID) for the action.
type: string
required:
- id
type: array
alert_delay:
additionalProperties: false
description: Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.
type: object
properties:
active:
description: The number of consecutive runs that must meet the rule conditions.
type: number
required:
- active
artifacts:
additionalProperties: false
type: object
properties:
dashboards:
items:
additionalProperties: false
type: object
properties:
id:
type: string
required:
- id
maxItems: 10
type: array
investigation_guide:
additionalProperties: false
type: object
properties:
blob:
maxLength: 10000
type: string
required:
- blob
consumer:
description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
type: string
enabled:
default: true
description: Indicates whether you want to run the rule on an interval basis after it is created.
type: boolean
flapping:
additionalProperties: false
description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
nullable: true
type: object
properties:
enabled:
description: Determines whether the rule can enter the flapping state. By default, rules can enter the flapping state.
type: boolean
look_back_window:
description: The minimum number of runs in which the threshold must be met.
maximum: 20
minimum: 2
type: number
status_change_threshold:
description: The minimum number of times an alert must switch states in the look back window.
maximum: 20
minimum: 2
type: number
required:
- look_back_window
- status_change_threshold
name:
description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
type: string
notify_when:
description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
enum:
- onActionGroupChange
- onActiveAlert
- onThrottleInterval
nullable: true
type: string
params:
additionalProperties: false
description: The parameters for the Uptime TLS rule. These parameters are appropriate when `rule_type_id` is `xpack.uptime.alerts.tlsCertificate`.
properties:
certAgeThreshold:
type: number
certExpirationThreshold:
type: number
search:
type: string
stackVersion:
type: string
title: Uptime TLS Rule Params
type: object
rule_type_id:
enum:
- xpack.uptime.alerts.tlsCertificate
type: string
schedule:
additionalProperties: false
description: The check interval, which specifies how frequently the rule conditions are checked.
type: object
properties:
interval:
description: The interval is specified in seconds, minutes, hours, or days.
type: string
required:
- interval
tags:
default: []
description: The tags for the rule.
items:
type: string
type: array
throttle:
description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true
type: string
required:
- name
- consumer
- schedule
- rule_type_id
- params
title: Uptime TLS certificate
type: object
Machine_learning_APIs_mlSync200Response:
properties:
datafeedsAdded:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.
type: object
datafeedsRemoved:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.
type: object
savedObjectsCreated:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated'
savedObjectsDeleted:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted'
title: Successful sync API response
type: object
Machine_learning_APIs_mlSync4xxResponse:
properties:
error:
example: Unauthorized
type: string
message:
type: string
statusCode:
example: 401
type: integer
title: Unsuccessful sync API response
type: object
Machine_learning_APIs_mlSyncResponseAnomalyDetectors:
description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
properties:
success:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
title: Sync API response for anomaly detection jobs
type: object
Machine_learning_APIs_mlSyncResponseDatafeeds:
description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.
properties:
success:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
title: Sync API response for datafeeds
type: object
Machine_learning_APIs_mlSyncResponseDataFrameAnalytics:
description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
properties:
success:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
title: Sync API response for data frame analytics jobs
type: object
Machine_learning_APIs_mlSyncResponseSavedObjectsCreated:
description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.
properties:
anomaly-detector:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
description: If saved objects are missing for anomaly detection jobs, they are created.
type: object
data-frame-analytics:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
description: If saved objects are missing for data frame analytics jobs, they are created.
type: object
trained-model:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
description: If saved objects are missing for trained models, they are created.
type: object
title: Sync API response for created saved objects
type: object
Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted:
description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.
properties:
anomaly-detector:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
description: If saved objects exist for nonexistent anomaly detection jobs, they are deleted.
type: object
data-frame-analytics:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
description: If saved objects exist for nonexistent data frame analytics jobs, they are deleted.
type: object
trained-model:
additionalProperties:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
description: If saved objects exist for nonexistent trained models, they are deleted.
type: object
title: Sync API response for deleted saved objects
type: object
Machine_learning_APIs_mlSyncResponseSuccess:
description: The success or failure of the synchronization.
type: boolean
Machine_learning_APIs_mlSyncResponseTrainedModels:
description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.
properties:
success:
$ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
title: Sync API response for trained models
type: object
Observability_AI_Assistant_API_Function:
type: object
properties:
description:
description: The description of the function.
type: string
name:
description: The name of the function.
type: string
parameters:
description: The parameters of the function.
type: object
Observability_AI_Assistant_API_FunctionCall:
description: Details of the function call within the message.
type: object
properties:
arguments:
description: The arguments for the function call.
type: string
name:
description: The name of the function.
type: string
trigger:
description: The trigger of the function call.
enum:
- assistant
- user
- elastic
type: string
required:
- name
- trigger
Observability_AI_Assistant_API_Instruction:
oneOf:
- description: A simple instruction represented as a string.
type: string
- description: A detailed instruction with an ID and text.
type: object
properties:
id:
description: A unique identifier for the instruction.
type: string
text:
description: The text of the instruction.
type: string
required:
- id
- text
Observability_AI_Assistant_API_Message:
name: Message
type: object
properties:
'@timestamp':
description: The timestamp when the message was created.
type: string
message:
description: The main content of the message.
type: object
properties:
content:
description: The content of the message.
type: string
data:
description: Additional data associated with the message.
type: string
event:
description: The event related to the message.
type: string
function_call:
$ref: '#/components/schemas/Observability_AI_Assistant_API_FunctionCall'
name:
description: The name associated with the message.
type: string
role:
$ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum'
required:
- role
required:
- '@timestamp'
- message
Observability_AI_Assistant_API_MessageRoleEnum:
description: The role of the message sender.
enum:
- system
- assistant
- function
- user
- elastic
type: string
Saved_objects_400_response:
title: Bad request
type: object
properties:
error:
enum:
- Bad Request
type: string
message:
type: string
statusCode:
enum:
- 400
type: integer
required:
- error
- message
- statusCode
Security_AI_Assistant_API_AnonymizationFieldCreateProps:
type: object
properties:
allowed:
description: Whether this field is allowed to be sent to the model.
example: true
type: boolean
anonymized:
description: Whether this field should be anonymized.
example: false
type: boolean
field:
description: Name of the anonymization field to create.
example: host.name
type: string
required:
- field
Security_AI_Assistant_API_AnonymizationFieldDetailsInError:
type: object
properties:
id:
description: The ID of the anonymization field.
example: field12
type: string
name:
description: Name of the anonymization field.
example: host.name
type: string
required:
- id
Security_AI_Assistant_API_AnonymizationFieldResponse:
type: object
properties:
allowed:
description: Whether this field is allowed to be sent to the model.
example: true
type: boolean
anonymized:
description: Whether this field should be anonymized.
example: false
type: boolean
createdAt:
description: Timestamp of when the anonymization field was created.
example: '2023-10-31T12:00:00Z'
type: string
createdBy:
description: Username of the person who created the anonymization field.
example: user1
type: string
field:
description: Name of the anonymization field.
example: url.domain
type: string
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
description: The ID of the anonymization field.
namespace:
description: Kibana space in which this anonymization field exists.
example: default
type: string
timestamp:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
description: Timestamp when the anonymization field was initially created.
updatedAt:
description: Timestamp of the last update.
example: '2023-10-31T12:00:00Z'
type: string
updatedBy:
description: Username of the person who last updated the field.
example: user1
type: string
required:
- id
- field
Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason:
description: Reason why the anonymization field was not modified.
enum:
- ANONYMIZATION_FIELD_NOT_MODIFIED
type: string
Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult:
type: object
properties:
id:
description: The ID of the anonymization field that was not modified.
example: field4
type: string
name:
description: Name of the anonymization field that was not modified.
example: user.name
type: string
skip_reason:
$ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason'
description: Reason why the anonymization field was not modified.
required:
- id
- skip_reason
Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse:
type: object
properties:
anonymization_fields_count:
description: Total number of anonymization fields processed.
example: 5
type: integer
attributes:
type: object
properties:
errors:
description: List of errors that occurred during the bulk operation.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError'
type: array
results:
$ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults'
summary:
$ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
required:
- results
- summary
message:
description: Message providing information about the bulk action result.
example: Bulk action completed successfully
type: string
status_code:
description: HTTP status code returned.
example: 200
type: integer
success:
description: Indicates if the bulk action was successful.
example: true
type: boolean
required:
- attributes
Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults:
type: object
properties:
created:
description: List of anonymization fields successfully created.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
type: array
deleted:
items:
description: Array of IDs of anonymization fields that were deleted.
example: field3
type: string
type: array
skipped:
description: List of anonymization fields that were skipped during the operation.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult'
type: array
updated:
description: List of anonymization fields successfully updated.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
type: array
required:
- updated
- created
- deleted
- skipped
Security_AI_Assistant_API_AnonymizationFieldUpdateProps:
type: object
properties:
allowed:
description: Whether this field is allowed to be sent to the model.
example: true
type: boolean
anonymized:
description: Whether this field should be anonymized.
example: false
type: boolean
id:
description: The ID of the anonymization field to update.
example: field8
type: string
required:
- id
Security_AI_Assistant_API_ApiConfig:
type: object
properties:
actionTypeId:
description: Action type ID
example: actionType456
type: string
connectorId:
description: Connector ID
example: connector123
type: string
defaultSystemPromptId:
description: Default system prompt ID
example: systemPrompt001
type: string
model:
description: Model
example: gpt-4
type: string
provider:
$ref: '#/components/schemas/Security_AI_Assistant_API_Provider'
description: Provider
example: OpenAI
required:
- connectorId
- actionTypeId
Security_AI_Assistant_API_BaseContentReference:
description: The basis of a content reference
type: object
properties:
id:
description: Id of the content reference
example: content123
type: string
type:
description: Type of the content reference
example: SecurityAlert
type: string
required:
- id
- type
Security_AI_Assistant_API_BaseInterruptResumeValue:
description: The basis of an interrupt resume value
type: object
properties:
type:
$ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType'
description: Type of the resume value
example: SELECT_OPTION
required:
- type
Security_AI_Assistant_API_BaseInterruptValue:
description: The basis of an agent interrupt
type: object
properties:
expired:
description: Whether the interrupt has expired and can no longer be resumed.
example: false
type: boolean
threadId:
description: Thread ID of the graph execution that produced this message.
example:
type: string
type:
$ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType'
description: Type of the interrupt
example: SELECT_OPTION
required:
- type
- threadId
Security_AI_Assistant_API_BulkCrudActionSummary:
type: object
properties:
failed:
description: The number of failed actions.
example: 0
type: integer
skipped:
description: The number of skipped actions.
example: 1
type: integer
succeeded:
description: The number of successfully performed actions.
example: 10
type: integer
total:
description: The total number of actions attempted.
example: 12
type: integer
required:
- failed
- skipped
- succeeded
- total
Security_AI_Assistant_API_ChatCompleteProps:
description: The request payload for creating a chat completion.
example:
connectorId: conn-001
conversationId: abc123
isStream: true
langSmithApiKey:
langSmithProject: security_ai_project
messages:
- content: How do I detect ransomware on my endpoints?
data:
device_id: device-567
fields_to_anonymize:
- device.name
- file.path
role: user
model: gpt-4
persist: true
promptId: prompt_456
responseLanguage: en
type: object
properties:
connectorId:
description: Required connector identifier to route the request.
example: conn-001
type: string
conversationId:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
description: Existing conversation ID to continue.
isStream:
description: If true, the response will be streamed in chunks.
example: true
type: boolean
langSmithApiKey:
description: API key for LangSmith integration.
example:
type: string
langSmithProject:
description: LangSmith project name for tracing.
example: security_ai_project
type: string
messages:
description: List of chat messages exchanged so far.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage'
type: array
model:
description: Model ID or name to use for the response.
example: gpt-4
type: string
persist:
description: Whether to persist the chat and response to storage.
example: true
type: boolean
promptId:
description: Prompt template identifier.
example: prompt_001
type: string
responseLanguage:
description: ISO language code for the assistant's response.
example: en
type: string
required:
- messages
- persist
- connectorId
Security_AI_Assistant_API_ChatMessage:
description: A message exchanged within the AI chat conversation.
type: object
properties:
content:
description: The textual content of the message.
example: What security incidents have been reported today?
type: string
data:
$ref: '#/components/schemas/Security_AI_Assistant_API_MessageData'
description: Metadata to attach to the context of the message.
fields_to_anonymize:
description: List of field names within the data object that should be anonymized.
example:
- user.name
- source.ip
items:
type: string
type: array
role:
$ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole'
description: The sender role of the message.
required:
- role
Security_AI_Assistant_API_ChatMessageRole:
description: The role associated with the message in the chat.
enum:
- system
- user
- assistant
example: user
type: string
Security_AI_Assistant_API_ContentReferences:
additionalProperties:
oneOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference'
- $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference'
- $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference'
- $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference'
- $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference'
- $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference'
additionalProperties: false
description: A union of all content reference types
type: object
Security_AI_Assistant_API_ConversationCategory:
description: The conversation category.
enum:
- assistant
- insights
example: assistant
type: string
Security_AI_Assistant_API_ConversationCreateProps:
type: object
properties:
apiConfig:
$ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
description: LLM API configuration.
category:
$ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
description: The conversation category.
example: assistant
excludeFromLastConversationStorage:
description: Exclude from last conversation storage.
type: boolean
id:
description: The conversation id.
example: conversation123
type: string
messages:
description: The conversation messages.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_Message'
type: array
replacements:
$ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
title:
description: The conversation title.
example: Security AI Assistant Setup
type: string
required:
- title
Security_AI_Assistant_API_ConversationResponse:
type: object
properties:
apiConfig:
$ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
description: LLM API configuration.
category:
$ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
description: The conversation category.
example: assistant
createdAt:
description: The time the conversation was created.
example: '2025-04-30T14:00:00Z'
type: string
createdBy:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
description: The user who created the conversation.
excludeFromLastConversationStorage:
description: Exclude from last conversation storage.
type: boolean
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
messages:
description: The conversation messages.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_Message'
type: array
namespace:
description: Kibana space
example: default
type: string
replacements:
$ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
timestamp:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
title:
description: The conversation title.
example: Security AI Assistant Setup
type: string
updatedAt:
description: The last time the conversation was updated.
example: '2025-04-30T16:30:00Z'
type: string
users:
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- id
- title
- createdAt
- createdBy
- users
- namespace
- category
Security_AI_Assistant_API_ConversationUpdateProps:
type: object
properties:
apiConfig:
$ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
description: LLM API configuration.
category:
$ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
description: The conversation category.
example: assistant
excludeFromLastConversationStorage:
description: Exclude from last conversation storage.
type: boolean
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
messages:
description: The conversation messages.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_Message'
type: array
replacements:
$ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
title:
description: The conversation title.
example: Updated Security AI Assistant Setup
type: string
users:
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- id
Security_AI_Assistant_API_DeleteResponseFields:
type: object
properties:
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
required:
- id
Security_AI_Assistant_API_DocumentEntry:
allOf:
- type: object
properties:
global:
description: Whether this Knowledge Base Entry is global, defaults to false.
example: false
type: boolean
name:
description: Name of the Knowledge Base Entry.
example: Example Entry
type: string
namespace:
description: Kibana Space, defaults to 'default' space.
example: default
type: string
users:
description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- name
- namespace
- global
- users
- $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields'
Security_AI_Assistant_API_DocumentEntryCreateFields:
allOf:
- type: object
properties:
global:
description: Whether this Knowledge Base Entry is global, defaults to false.
example: false
type: boolean
name:
description: Name of the Knowledge Base Entry.
example: Example Entry
type: string
namespace:
description: Kibana Space, defaults to 'default' space.
example: default
type: string
users:
description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- name
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields'
Security_AI_Assistant_API_DocumentEntryOptionalFields:
type: object
properties:
required:
description: Whether this resource should always be included, defaults to false.
example: false
type: boolean
vector:
$ref: '#/components/schemas/Security_AI_Assistant_API_Vector'
Security_AI_Assistant_API_DocumentEntryRequiredFields:
type: object
properties:
kbResource:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResource'
source:
description: Source document name or filepath.
example: /documents/example.txt
type: string
text:
description: Knowledge Base Entry content.
example: This is the content of the document.
type: string
type:
description: Entry type.
enum:
- document
example: document
type: string
required:
- type
- kbResource
- source
- text
Security_AI_Assistant_API_DocumentEntryResponseFields:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields'
Security_AI_Assistant_API_DocumentEntryUpdateFields:
allOf:
- type: object
properties:
global:
description: Whether this Knowledge Base Entry is global, defaults to false.
example: false
type: boolean
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
name:
description: Name of the Knowledge Base Entry.
example: Example Entry
type: string
namespace:
description: Kibana Space, defaults to 'default' space.
example: default
type: string
users:
description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- id
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
Security_AI_Assistant_API_EsqlContentReference:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
- type: object
properties:
label:
description: Label of the query
example: High Severity Alerts
type: string
query:
description: An ESQL query
example: SELECT * FROM alerts WHERE severity = "high"
type: string
timerange:
description: Time range to select in the time picker.
type: object
properties:
from:
example: '2025-04-01T00:00:00Z'
type: string
to:
example: '2025-04-30T23:59:59Z'
type: string
required:
- from
- to
type:
enum:
- EsqlQuery
example: EsqlQuery
type: string
required:
- type
- query
- label
description: References an ESQL query
Security_AI_Assistant_API_FindAnonymizationFieldsSortField:
enum:
- created_at
- anonymized
- allowed
- field
- updated_at
type: string
Security_AI_Assistant_API_FindConversationsSortField:
description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`.
enum:
- created_at
- title
- updated_at
example: created_at
type: string
Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField:
description: Fields available for sorting Knowledge Base Entries.
enum:
- created_at
- is_default
- title
- updated_at
example: title
type: string
Security_AI_Assistant_API_FindPromptsSortField:
description: Field by which to sort the prompts.
enum:
- created_at
- is_default
- name
- updated_at
example: created_at
type: string
Security_AI_Assistant_API_HrefContentReference:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
- type: object
properties:
href:
description: URL to the external resource
type: string
label:
description: Label of the query
type: string
type:
enum:
- Href
type: string
required:
- type
- href
description: References an external URL
Security_AI_Assistant_API_IndexEntry:
allOf:
- type: object
properties:
global:
description: Whether this Knowledge Base Entry is global, defaults to false.
example: false
type: boolean
name:
description: Name of the Knowledge Base Entry.
example: Example Entry
type: string
namespace:
description: Kibana Space, defaults to 'default' space.
example: default
type: string
users:
description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- name
- namespace
- global
- users
- $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields'
Security_AI_Assistant_API_IndexEntryCreateFields:
allOf:
- type: object
properties:
global:
description: Whether this Knowledge Base Entry is global, defaults to false.
example: false
type: boolean
name:
description: Name of the Knowledge Base Entry.
example: Example Entry
type: string
namespace:
description: Kibana Space, defaults to 'default' space.
example: default
type: string
users:
description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- name
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields'
Security_AI_Assistant_API_IndexEntryOptionalFields:
type: object
properties:
inputSchema:
$ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema'
outputFields:
description: Fields to extract from the query result, defaults to all fields if not provided or empty.
example:
- title
- author
items:
type: string
type: array
Security_AI_Assistant_API_IndexEntryRequiredFields:
type: object
properties:
description:
description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description.
example: Query this index for general knowledge base content.
type: string
field:
description: Field to query for Knowledge Base content.
example: content
type: string
index:
description: Index or Data Stream to query for Knowledge Base content.
example: knowledge_base_index
type: string
queryDescription:
description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema.
example: Search for documents containing the specified keywords.
type: string
type:
description: Entry type.
enum:
- index
example: index
type: string
required:
- type
- index
- field
- description
- queryDescription
Security_AI_Assistant_API_IndexEntryResponseFields:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields'
Security_AI_Assistant_API_IndexEntryUpdateFields:
allOf:
- type: object
properties:
global:
description: Whether this Knowledge Base Entry is global, defaults to false.
example: false
type: boolean
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
name:
description: Name of the Knowledge Base Entry.
example: Example Entry
type: string
namespace:
description: Kibana Space, defaults to 'default' space.
example: default
type: string
users:
description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- id
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
Security_AI_Assistant_API_InputSchema:
description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval.
items:
type: object
properties:
description:
description: Description of the field.
example: The title of the document.
type: string
fieldName:
description: Name of the field.
example: title
type: string
fieldType:
description: Type of the field.
example: string
type: string
required:
- fieldName
- fieldType
- description
type: array
Security_AI_Assistant_API_InputTextInterruptResumeValue:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue'
- type: object
properties:
type:
enum:
- INPUT_TEXT
example: INPUT_TEXT
type: string
value:
description: Text value used to resume the graph execution with.
example: .logs*
type: string
required:
- value
- type
description: A resume value for input text
Security_AI_Assistant_API_InputTextInterruptValue:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue'
- type: object
properties:
description:
description: Description of action required
example: What is the index you would like to use for the query.
type: string
placeholder:
description: Placeholder text for the input field
example: Enter index pattern here...
type: string
type:
enum:
- INPUT_TEXT
example: INPUT_TEXT
type: string
required:
- type
description: Interrupt that requests user to provide text input
Security_AI_Assistant_API_InterruptResumeValue:
description: Union of the interrupt resume values
oneOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue'
additionalProperties: false
- $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue'
additionalProperties: false
Security_AI_Assistant_API_InterruptType:
description: The type of interrupt
enum:
- SELECT_OPTION
- INPUT_TEXT
type: string
Security_AI_Assistant_API_InterruptValue:
description: Union of the interrupt values
oneOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue'
additionalProperties: false
- $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue'
additionalProperties: false
Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason:
description: Reason why a Knowledge Base Entry was skipped during the bulk action.
enum:
- KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED
type: string
Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult:
type: object
properties:
id:
description: ID of the skipped Knowledge Base Entry.
example: '123'
type: string
name:
description: Name of the skipped Knowledge Base Entry.
example: Skipped Entry
type: string
skip_reason:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason'
required:
- id
- skip_reason
Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse:
type: object
properties:
attributes:
type: object
properties:
errors:
description: List of errors encountered during the bulk action.
example:
- err_code: UPDATE_FAILED
knowledgeBaseEntries:
- id: '456'
name: Error Entry
message: Failed to update entry.
statusCode: 400
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError'
type: array
results:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults'
summary:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary'
required:
- results
- summary
knowledgeBaseEntriesCount:
description: Total number of Knowledge Base Entries processed.
example: 8
type: integer
message:
description: Message describing the result of the bulk action.
example: Bulk action completed successfully.
type: string
statusCode:
description: HTTP status code of the response.
example: 200
type: integer
success:
description: Indicates whether the bulk action was successful.
example: true
type: boolean
required:
- attributes
Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults:
type: object
properties:
created:
description: List of Knowledge Base Entries that were successfully created.
example:
- id: '456'
kbResource: user
name: New Entry
source: manual
text: This is the content of the new entry.
type: document
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
type: array
deleted:
description: List of IDs of Knowledge Base Entries that were successfully deleted.
example:
- '789'
items:
type: string
type: array
skipped:
description: List of Knowledge Base Entries that were skipped during the bulk action.
example:
- id: '123'
name: Skipped Entry
skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult'
type: array
updated:
description: List of Knowledge Base Entries that were successfully updated.
example:
- id: '123'
kbResource: user
name: Updated Entry
source: manual
text: Updated content.
type: document
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
type: array
required:
- updated
- created
- deleted
- skipped
Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary:
type: object
properties:
failed:
description: Number of Knowledge Base Entries that failed during the bulk action.
example: 2
type: integer
skipped:
description: Number of Knowledge Base Entries that were skipped during the bulk action.
example: 1
type: integer
succeeded:
description: Number of Knowledge Base Entries that were successfully processed during the bulk action.
example: 5
type: integer
total:
description: Total number of Knowledge Base Entries involved in the bulk action.
example: 8
type: integer
required:
- failed
- skipped
- succeeded
- total
Security_AI_Assistant_API_KnowledgeBaseEntryContentReference:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
- type: object
properties:
knowledgeBaseEntryId:
description: Id of the Knowledge Base Entry
example: kbentry456
type: string
knowledgeBaseEntryName:
description: Name of the knowledge base entry
example: Network Security Best Practices
type: string
type:
enum:
- KnowledgeBaseEntry
example: KnowledgeBaseEntry
type: string
required:
- type
- knowledgeBaseEntryId
- knowledgeBaseEntryName
description: References a knowledge base entry
Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps:
anyOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
discriminator:
mapping:
document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
propertyName: type
Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError:
type: object
properties:
id:
description: ID of the Knowledge Base Entry that encountered an error.
example: '456'
type: string
name:
description: Name of the Knowledge Base Entry that encountered an error.
example: Error Entry
type: string
required:
- id
Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema:
additionalProperties: false
type: object
properties:
error:
description: Error type or category.
example: Not Found
type: string
message:
description: Detailed error message.
example: The requested Knowledge Base Entry was not found.
type: string
statusCode:
description: HTTP status code of the error.
example: 404
type: number
required:
- statusCode
- error
- message
Security_AI_Assistant_API_KnowledgeBaseEntryResponse:
anyOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry'
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntry'
discriminator:
mapping:
document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry'
index: '#/components/schemas/Security_AI_Assistant_API_IndexEntry'
propertyName: type
Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps:
anyOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields'
discriminator:
mapping:
document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields'
index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields'
propertyName: type
Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps:
anyOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
- $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
discriminator:
mapping:
document: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
index: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
propertyName: type
Security_AI_Assistant_API_KnowledgeBaseReadResponse200:
type: object
properties:
defend_insights_exists:
description: Indicates if Defend Insights documentation exists in the KnowledgeBase.
example: true
type: boolean
elser_exists:
description: Indicates if the ELSER model exists for the KnowledgeBase.
example: true
type: boolean
is_setup_available:
description: Indicates if the setup process is available for the KnowledgeBase.
example: true
type: boolean
is_setup_in_progress:
description: Indicates if the setup process is currently in progress.
example: false
type: boolean
product_documentation_status:
description: The status of the product documentation in the KnowledgeBase.
example: complete
type: string
security_labs_exists:
description: Indicates if Security Labs documentation exists in the KnowledgeBase.
example: true
type: boolean
user_data_exists:
description: Indicates if user data exists in the KnowledgeBase.
example: false
type: boolean
Security_AI_Assistant_API_KnowledgeBaseResource:
description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.
enum:
- security_labs
- defend_insights
- user
example: security_labs
type: string
Security_AI_Assistant_API_KnowledgeBaseResponse:
description: AI assistant KnowledgeBase.
type: object
properties:
success:
description: Identify the success of the method execution.
example: true
type: boolean
Security_AI_Assistant_API_KnowledgeBaseResponse400:
type: object
properties:
error:
description: A short description of the error.
example: Bad Request
type: string
message:
description: A detailed error message.
example: Invalid resource ID provided.
type: string
statusCode:
description: The HTTP status code of the error.
example: 400
type: number
Security_AI_Assistant_API_Message:
description: AI assistant conversation message.
type: object
properties:
content:
description: Message content.
example: Hello, how can I assist you today?
type: string
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
description: Message id
isError:
description: Is error message.
example: false
type: boolean
metadata:
$ref: '#/components/schemas/Security_AI_Assistant_API_MessageMetadata'
description: Metadata
reader:
$ref: '#/components/schemas/Security_AI_Assistant_API_Reader'
description: Message content.
refusal:
description: Refusal reason returned by the model when content is filtered.
type: string
role:
$ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole'
description: Message role.
example: assistant
timestamp:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
description: The timestamp message was sent or received.
example: '2025-04-30T15:30:00Z'
traceData:
$ref: '#/components/schemas/Security_AI_Assistant_API_TraceData'
description: Trace data
user:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
description: The user who sent the message.
required:
- timestamp
- content
- role
Security_AI_Assistant_API_MessageData:
additionalProperties: true
description: ECS-style metadata attached to the message.
example:
alert_id: alert-456
user_id: abc123
type: object
Security_AI_Assistant_API_MessageMetadata:
description: Message metadata
type: object
properties:
contentReferences:
$ref: '#/components/schemas/Security_AI_Assistant_API_ContentReferences'
description: Data referred to by the message content.
interruptResumeValue:
$ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue'
description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value.
interruptValue:
$ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue'
description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context.
Security_AI_Assistant_API_MessageRole:
description: Message role.
enum:
- system
- user
- assistant
example: assistant
type: string
Security_AI_Assistant_API_NonEmptyString:
description: A string that does not contain only whitespace characters.
example: I am a string
format: nonempty
minLength: 1
type: string
Security_AI_Assistant_API_NonEmptyTimestamp:
description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
example: '2023-10-31T12:00:00Z'
format: nonempty
minLength: 1
type: string
Security_AI_Assistant_API_NormalizedAnonymizationFieldError:
type: object
properties:
anonymization_fields:
description: Array of anonymization fields that caused the error.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError'
type: array
err_code:
description: Error code indicating the type of failure.
example: UPDATE_FAILED
type: string
message:
description: Error message.
example: Failed to update anonymization field.
type: string
status_code:
description: Status code of the response.
example: 400
type: integer
required:
- message
- status_code
- anonymization_fields
Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError:
type: object
properties:
err_code:
description: Specific error code for the issue.
example: UPDATE_FAILED
type: string
knowledgeBaseEntries:
description: List of Knowledge Base Entries that encountered the error.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError'
type: array
message:
description: Error message describing the issue.
example: Failed to update entry.
type: string
statusCode:
description: HTTP status code associated with the error.
example: 400
type: integer
required:
- message
- statusCode
- knowledgeBaseEntries
Security_AI_Assistant_API_NormalizedPromptError:
type: object
properties:
err_code:
description: A code representing the error type.
type: string
message:
description: A message describing the error encountered.
type: string
prompts:
description: List of prompts that encountered errors.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError'
type: array
status_code:
description: The HTTP status code associated with the error.
type: integer
required:
- message
- status_code
- prompts
Security_AI_Assistant_API_ProductDocumentationContentReference:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
- type: object
properties:
title:
description: Title of the documentation
example: Getting Started with Security AI Assistant
type: string
type:
enum:
- ProductDocumentation
example: ProductDocumentation
type: string
url:
description: URL to the documentation
example: https://docs.example.com/security-ai-assistant
type: string
required:
- type
- title
- url
description: References the product documentation
Security_AI_Assistant_API_PromptCreateProps:
type: object
properties:
categories:
description: List of categories for the prompt.
example:
- security
- verification
items:
type: string
type: array
color:
description: The color associated with the prompt.
example: blue
type: string
consumer:
description: The consumer associated with the prompt.
example: admin
type: string
content:
description: The content of the prompt.
example: Please verify the security settings.
type: string
isDefault:
description: Whether this prompt should be the default.
example: false
type: boolean
isNewConversationDefault:
description: Whether this prompt should be the default for new conversations.
example: true
type: boolean
name:
description: The name of the prompt.
example: New Security Prompt
type: string
promptType:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptType'
description: The type of the prompt.
example: system
required:
- name
- content
- promptType
Security_AI_Assistant_API_PromptDetailsInError:
type: object
properties:
id:
description: The ID of the prompt that encountered an error.
type: string
name:
description: The name of the prompt that encountered an error.
type: string
required:
- id
Security_AI_Assistant_API_PromptResponse:
type: object
properties:
categories:
description: Categories associated with the prompt.
items:
type: string
type: array
color:
description: The color associated with the prompt.
type: string
consumer:
description: The consumer that the prompt is associated with.
type: string
content:
description: The content of the prompt.
type: string
createdAt:
description: The timestamp of when the prompt was created.
type: string
createdBy:
description: The user who created the prompt.
type: string
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
isDefault:
description: Whether this prompt is the default.
type: boolean
isNewConversationDefault:
description: Whether this prompt is the default for new conversations.
type: boolean
name:
description: The name of the prompt.
type: string
namespace:
description: Kibana space where the prompt is located.
type: string
promptType:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptType'
description: The type of the prompt.
timestamp:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
updatedAt:
description: The timestamp of when the prompt was last updated.
type: string
updatedBy:
description: The user who last updated the prompt.
type: string
users:
description: List of users associated with the prompt.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_User'
type: array
required:
- id
- name
- promptType
- content
Security_AI_Assistant_API_PromptsBulkActionSkipReason:
description: Reason why a prompt was skipped during the bulk action.
enum:
- PROMPT_FIELD_NOT_MODIFIED
type: string
Security_AI_Assistant_API_PromptsBulkActionSkipResult:
type: object
properties:
id:
description: The ID of the prompt that was skipped.
type: string
name:
description: The name of the prompt that was skipped.
type: string
skip_reason:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason'
description: The reason for skipping the prompt.
required:
- id
- skip_reason
Security_AI_Assistant_API_PromptsBulkCrudActionResponse:
type: object
properties:
attributes:
type: object
properties:
errors:
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError'
type: array
results:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults'
summary:
$ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
required:
- results
- summary
message:
description: A message describing the result of the bulk action.
example: Bulk action completed successfully.
type: string
prompts_count:
description: The number of prompts processed in the bulk action.
example: 6
type: integer
status_code:
description: The HTTP status code of the response.
example: 200
type: integer
success:
description: Indicates if the bulk action was successful.
example: true
type: boolean
required:
- attributes
Security_AI_Assistant_API_PromptsBulkCrudActionResults:
type: object
properties:
created:
description: List of prompts that were created.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
type: array
deleted:
description: List of IDs of prompts that were deleted.
items:
type: string
type: array
skipped:
description: List of prompts that were skipped.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult'
type: array
updated:
description: List of prompts that were updated.
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
type: array
required:
- updated
- created
- deleted
- skipped
Security_AI_Assistant_API_PromptType:
description: Type of the prompt (either system or quick).
enum:
- system
- quick
type: string
Security_AI_Assistant_API_PromptUpdateProps:
type: object
properties:
categories:
description: The updated categories for the prompt.
example:
- security
- alert
items:
type: string
type: array
color:
description: The updated color associated with the prompt.
example: green
type: string
consumer:
description: The updated consumer for the prompt.
example: user123
type: string
content:
description: The updated content for the prompt.
example: Updated content for security prompt.
type: string
id:
description: The ID of the prompt to update.
example: prompt123
type: string
isDefault:
description: Whether this prompt should be the default.
example: true
type: boolean
isNewConversationDefault:
description: Whether the prompt should be the default for new conversations.
example: false
type: boolean
required:
- id
Security_AI_Assistant_API_Provider:
description: Provider
enum:
- OpenAI
- Azure OpenAI
- Other
example: OpenAI
type: string
Security_AI_Assistant_API_Reader:
additionalProperties: true
type: object
Security_AI_Assistant_API_Replacements:
additionalProperties:
type: string
description: Replacements object used to anonymize/deanonymize messages
type: object
Security_AI_Assistant_API_ResponseFields:
type: object
properties:
createdAt:
description: Time the Knowledge Base Entry was created.
example: '2023-01-01T12:00:00Z'
type: string
createdBy:
description: User who created the Knowledge Base Entry.
example: admin
type: string
id:
$ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
updatedAt:
description: Time the Knowledge Base Entry was last updated.
example: '2023-01-02T12:00:00Z'
type: string
updatedBy:
description: User who last updated the Knowledge Base Entry.
example: editor
type: string
required:
- id
- createdAt
- createdBy
- updatedAt
- updatedBy
Security_AI_Assistant_API_SecurityAlertContentReference:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
- type: object
properties:
alertId:
description: ID of the Alert
example: alert789
type: string
type:
enum:
- SecurityAlert
example: SecurityAlert
type: string
required:
- type
- alertId
description: References a security alert
Security_AI_Assistant_API_SecurityAlertsPageContentReference:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
- type: object
properties:
type:
enum:
- SecurityAlertsPage
example: SecurityAlertsPage
type: string
required:
- type
description: References the security alerts page
Security_AI_Assistant_API_SelectOptionInterruptOption:
description: A request approval option
type: object
properties:
buttonColor:
enum:
- text
- accent
- accentSecondary
- primary
- success
- warning
- danger
- neutral
- risk
example: danger
type: string
label:
example: Option 1
type: string
value:
example: option_1
type: string
required:
- label
- value
Security_AI_Assistant_API_SelectOptionInterruptResumeValue:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue'
- type: object
properties:
type:
enum:
- SELECT_OPTION
example: SELECT_OPTION
type: string
value:
description: The value of the selected option to resume the graph execution with
example: option_1
type: string
required:
- value
- type
description: A request approval resume schema
Security_AI_Assistant_API_SelectOptionInterruptValue:
allOf:
- $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue'
- type: object
properties:
description:
description: Description of action required
example: Select one of the options
type: string
options:
description: List of actions to choose from
example:
- label: Option 1
- label: Option 2
items:
$ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption'
type: array
type:
enum:
- SELECT_OPTION
example: SELECT_OPTION
type: string
required:
- type
- description
- options
description: Interrupt that requests user to select one of the provided options
Security_AI_Assistant_API_SortOrder:
description: The order in which results are sorted.
enum:
- asc
- desc
example: asc
type: string
Security_AI_Assistant_API_TraceData:
description: Trace Data
type: object
properties:
traceId:
description: Could be any string, not necessarily a UUID
example: d9876543-f0a1-2345-6789-abcdef123456
type: string
transactionId:
description: Could be any string, not necessarily a UUID
example: a1234567-bc89-0def-1234-56789abcdef0
type: string
Security_AI_Assistant_API_User:
description: Could be any string, not necessarily a UUID.
type: object
properties:
id:
description: User id.
example: user123
type: string
name:
description: User name.
example: John Doe
type: string
Security_AI_Assistant_API_Vector:
description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.
type: object
properties:
modelId:
description: ID of the model used to create the embeddings.
example: bert-base-uncased
type: string
tokens:
additionalProperties:
type: number
description: Tokens with their corresponding values.
example:
token1: 0.123
token2: 0.456
type: object
required:
- modelId
- tokens
Security_Attack_discovery_API_AnonymizationFieldResponse:
type: object
properties:
allowed:
description: Whether this field is allowed to be sent to the model.
example: true
type: boolean
anonymized:
description: Whether this field should be anonymized.
example: false
type: boolean
createdAt:
description: Timestamp of when the anonymization field was created.
example: '2023-10-31T12:00:00Z'
type: string
createdBy:
description: Username of the person who created the anonymization field.
example: user1
type: string
field:
description: Name of the anonymization field.
example: url.domain
type: string
id:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
description: The ID of the anonymization field.
namespace:
description: Kibana space in which this anonymization field exists.
example: default
type: string
timestamp:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp'
description: Timestamp when the anonymization field was initially created.
updatedAt:
description: Timestamp of the last update.
example: '2023-10-31T12:00:00Z'
type: string
updatedBy:
description: Username of the person who last updated the field.
example: user1
type: string
required:
- id
- field
Security_Attack_discovery_API_ApiConfig:
type: object
properties:
actionTypeId:
description: Action type ID
example: actionType456
type: string
connectorId:
description: Connector ID
example: connector123
type: string
defaultSystemPromptId:
description: Default system prompt ID
example: systemPrompt001
type: string
model:
description: Model
example: gpt-4
type: string
provider:
$ref: '#/components/schemas/Security_Attack_discovery_API_Provider'
description: Provider
example: OpenAI
required:
- connectorId
- actionTypeId
Security_Attack_discovery_API_AttackDiscoveryApiAlert:
description: An attack discovery that's also an alert (Public API with snake_case)
type: object
properties:
alert_ids:
description: The alert IDs that the attack discovery is based on
items:
type: string
type: array
alert_rule_uuid:
description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hoc runs)
type: string
alert_start:
description: The optional time the attack discovery alert was created
type: string
alert_updated_at:
description: The optional time the attack discovery alert was last updated
type: string
alert_updated_by_user_id:
description: The optional id of the user who last updated the attack discovery alert
type: string
alert_updated_by_user_name:
description: The optional username of the user who updated the attack discovery alert
type: string
alert_workflow_status:
description: The optional kibana.alert.workflow_status of this attack discovery
type: string
alert_workflow_status_updated_at:
description: The optional time the attack discovery alert workflow status was last updated
type: string
assignees:
description: The optional array of user-IDs who have been assigned the attack
items:
type: string
type: array
connector_id:
description: The ID of the connector that generated the attack discovery
type: string
connector_name:
description: The (human readable) name of the connector that generated the attack discovery
type: string
details_markdown:
description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.
type: string
entity_summary_markdown:
description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax
type: string
generation_uuid:
description: The generation ID of the run that created the attack discovery
type: string
id:
description: The unique ID of the attack discovery
type: string
index:
description: The concrete Elasticsearch index where this attack discovery is stored
type: string
mitre_attack_tactics:
description: An optional array of MITRE ATT&CK tactics for the attack discovery
items:
type: string
type: array
replacements:
$ref: '#/components/schemas/Security_Attack_discovery_API_Replacements'
description: Key-value pairs that are used to replace placeholders in the markdown fields
risk_score:
description: The optional (but typically populated after generation) risk score of the alert
type: integer
summary_markdown:
description: A markdown summary of attack discovery, using the same syntax
type: string
tags:
description: The optional array of tags assigned to the attack
items:
type: string
type: array
timestamp:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp'
description: The time the attack discovery was generated
title:
description: A title for the attack discovery, in plain text
type: string
user_id:
description: The optional id of the user who generated the attack discovery
type: string
user_name:
description: The optional username of the user who generated the attack discovery (not applicable to attack discoveries generated by rules)
type: string
users:
description: The optional array of users who may view the attack discovery. When empty (or not present), all users may view the attack discovery.
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_User'
type: array
required:
- alert_ids
- connector_id
- connector_name
- details_markdown
- generation_uuid
- id
- summary_markdown
- timestamp
- title
Security_Attack_discovery_API_AttackDiscoveryApiSchedule:
description: An Attack Discovery schedule
type: object
properties:
actions:
description: The Attack Discovery schedule actions
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
type: array
created_at:
description: The date the schedule was created
format: date-time
type: string
created_by:
description: The name of the user that created the schedule
type: string
enabled:
description: Indicates whether the schedule is enabled
type: boolean
id:
description: UUID of Attack Discovery schedule
type: string
last_execution:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution'
description: The Attack Discovery schedule last execution summary
name:
description: The name of the schedule
type: string
params:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
description: The Attack Discovery schedule configuration parameters
schedule:
$ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
description: The Attack Discovery schedule interval
updated_at:
description: The date the schedule was updated
format: date-time
type: string
updated_by:
description: The name of the user that updated the schedule
type: string
required:
- id
- name
- created_by
- updated_by
- created_at
- updated_at
- enabled
- params
- schedule
- actions
Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction:
oneOf:
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction'
- $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction'
Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter:
additionalProperties: true
type: object
Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency:
description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals).
type: object
properties:
notify_when:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen'
summary:
description: Indicates whether a single summary notification is sent for all the generated alerts, or one notification per individual alert
type: boolean
throttle:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle'
nullable: true
required:
- summary
- notify_when
- throttle
Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup:
description: Groups actions by use cases. Use `default` for alert notifications.
type: string
Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId:
description: The connector ID.
type: string
Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen:
description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`'
enum:
- onActiveAlert
- onThrottleInterval
- onActionGroupChange
type: string
Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams:
additionalProperties: true
description: Object containing the allowed connector fields, which varies according to the connector type.
type: object
Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle:
description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days.
example: 1h
pattern: ^[1-9]\d*[smhd]$
type: string
Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps:
description: Properties for creating an Attack Discovery schedule
type: object
properties:
actions:
description: The Attack Discovery schedule actions
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
type: array
enabled:
description: Indicates whether the schedule is enabled
type: boolean
name:
description: The name of the schedule
type: string
params:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
description: The Attack Discovery schedule configuration parameters
schedule:
$ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
description: The Attack Discovery schedule interval
required:
- name
- params
- schedule
Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution:
description: Attack Discovery schedule execution information
type: object
properties:
date:
description: Date of the execution
format: date-time
type: string
duration:
description: Duration of the execution
type: number
message:
type: string
status:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus'
description: Status of the execution
required:
- date
- status
- duration
Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus:
description: An Attack Discovery schedule execution status
enum:
- ok
- active
- error
- unknown
- warning
type: string
Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction:
type: object
properties:
action_type_id:
description: The action type used for sending notifications.
type: string
alerts_filter:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter'
frequency:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency'
group:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup'
id:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId'
params:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams'
uuid:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
required:
- action_type_id
- group
- id
- params
Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams:
description: Attack Discovery schedule parameters
type: object
properties:
alerts_index_pattern:
description: The index pattern to get alerts from
type: string
api_config:
allOf:
- $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig'
- type: object
properties:
name:
description: The name of the connector
type: string
required:
- name
description: LLM API configuration.
combined_filter:
additionalProperties: true
type: object
end:
type: string
filters:
$ref: '#/components/schemas/Security_Attack_discovery_API_Filters'
query:
$ref: '#/components/schemas/Security_Attack_discovery_API_Query'
size:
type: number
start:
type: string
required:
- alerts_index_pattern
- api_config
- size
Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction:
type: object
properties:
action_type_id:
description: The action type used for sending notifications.
type: string
id:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId'
params:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams'
uuid:
$ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
required:
- action_type_id
- id
- params
Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps:
description: Properties for updating an Attack Discovery schedule
type: object
properties:
actions:
description: The Attack Discovery schedule actions
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
type: array
name:
description: The name of the schedule
type: string
params:
$ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
description: The Attack Discovery schedule configuration parameters
schedule:
$ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
description: The Attack Discovery schedule interval
required:
- name
- params
- schedule
- actions
Security_Attack_discovery_API_AttackDiscoveryFindSortField:
description: Allowed field names to sort Attack Discovery results by. Clients should only pass one of the listed values.
enum:
- '@timestamp'
type: string
Security_Attack_discovery_API_AttackDiscoveryGeneration:
type: object
properties:
alerts_context_count:
description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation
type: number
connector_id:
description: The connector id (event.dataset) for this generation
type: string
connector_stats:
description: Stats applicable to the connector for this generation
type: object
properties:
average_successful_duration_nanoseconds:
description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user
type: number
successful_generations:
description: The number of successful generations for the same connector id, for the current user
type: number
discoveries:
description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation
type: number
end:
description: When generation ended (max event.end)
type: string
execution_uuid:
description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation
type: string
loading_message:
description: Generation loading message (kibana.alert.rule.execution.status)
type: string
reason:
description: Reason for failed generations (event.reason)
type: string
start:
description: When generation started (min event.start)
type: string
status:
description: The status of the attack discovery generation
enum:
- canceled
- dismissed
- failed
- started
- succeeded
type: string
required:
- connector_id
- discoveries
- execution_uuid
- loading_message
- start
- status
Security_Attack_discovery_API_AttackDiscoveryGenerationConfig:
type: object
properties:
alertsIndexPattern:
description: |
The (space specific) index pattern that contains the alerts to use as
context for the attack discovery.
Example: .alerts-security.alerts-default
type: string
anonymizationFields:
description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value.
items:
$ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse'
type: array
apiConfig:
$ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig'
description: LLM API configuration.
connectorName:
type: string
end:
type: string
filter:
additionalProperties: true
description: |-
An Elasticsearch-style query DSL object used to filter alerts. For example:
```json
{
  "filter": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "term": {
                  "user.name": { "value": "james" }
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
```
type: object
model:
type: string
replacements:
$ref: '#/components/schemas/Security_Attack_discovery_API_Replacements'
size:
type: number
start:
type: string
subAction:
enum:
- invokeAI
- invokeStream
type: string
required:
- apiConfig
- alertsIndexPattern
- anonymizationFields
- size
- subAction
Security_Attack_discovery_API_AttackDiscoveryGenericError:
description: Error response for Attack discovery schedule operations when the request is rejected. Uses `status_code` (snake_case), `error`, and `message` to match the implementation.
type: object
properties:
error:
description: Error type
example: Bad Request
type: string
message:
description: Human-readable error message describing what went wrong
example: Invalid request parameters.
type: string
status_code:
description: HTTP status code
example: 400
type: number
Security_Attack_discovery_API_Filters:
description: The filter array used to define the conditions for when alerts are selected as an Attack Discovery context. Defaults to an empty array.
items: {}
type: array
Security_Attack_discovery_API_IntervalApiSchedule:
type: object
properties:
interval:
description: The schedule interval
type: string
required:
- interval
Security_Attack_discovery_API_NonEmptyString:
description: A string that does not contain only whitespace characters.
example: I am a string
format: nonempty
minLength: 1
type: string
Security_Attack_discovery_API_NonEmptyTimestamp:
description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
example: '2023-10-31T12:00:00Z'
format: nonempty
minLength: 1
type: string
Security_Attack_discovery_API_Provider:
description: Provider
enum:
- OpenAI
- Azure OpenAI
- Other
example: OpenAI
type: string
Security_Attack_discovery_API_Query:
description: A query condition used to filter alerts
type: object
properties:
language:
type: string
query:
oneOf:
- type: string
- additionalProperties: true
type: object
required:
- query
- language
Security_Attack_discovery_API_Replacements:
additionalProperties:
type: string
description: Replacements object used to anonymize/deanonymize messages
type: object
Security_Attack_discovery_API_SortOrder:
description: The order in which results are sorted.
enum:
- asc
- desc
example: asc
type: string
Security_Attack_discovery_API_User:
description: Could be any string, not necessarily a UUID.
type: object
properties:
id:
description: User id.
example: user123
type: string
name:
description: User name.
example: John Doe
type: string
Security_Detections_API_AlertAssignees:
type: object
properties:
add:
items:
description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once.
format: nonempty
minLength: 1
type: string
type: array
remove:
items:
description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once.
format: nonempty
minLength: 1
type: string
type: array
required:
- add
- remove
Security_Detections_API_AlertIds:
description: A list of alerts `id`s.
items:
format: nonempty
minLength: 1
type: string
minItems: 1
type: array
Security_Detections_API_AlertsIndex:
deprecated: true
description: (deprecated) Has no effect.
type: string
Security_Detections_API_AlertsIndexMigrationError:
type: object
properties:
error:
type: object
properties:
message:
type: string
status_code:
type: string
required:
- message
- status_code
index:
type: string
required:
- index
- error
Security_Detections_API_AlertsIndexMigrationSuccess:
type: object
properties:
index:
type: string
migration_id:
type: string
migration_index:
type: string
required:
- index
- migration_id
- migration_index
Security_Detections_API_AlertsIndexNamespace:
description: Has no effect.
type: string
Security_Detections_API_AlertsReindexOptions:
type: object
properties:
requests_per_second:
description: The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API.
minimum: 1
type: integer
size:
description: Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API.
minimum: 1
type: integer
slices:
description: The number of subtasks for the migration task. Corresponds to slices on the Reindex API.
minimum: 1
type: integer
Security_Detections_API_AlertsSort:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
- items:
$ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
type: array
Security_Detections_API_AlertsSortCombinations:
anyOf:
- type: string
- additionalProperties: true
type: object
Security_Detections_API_AlertStatusExceptClosed:
description: The status of an alert, which can be `open`, `acknowledged`, or `in-progress` (`closed` is not accepted here).
enum:
- open
- acknowledged
- in-progress
type: string
Security_Detections_API_AlertSuppression:
description: Defines alert suppression configuration.
type: object
properties:
duration:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
group_by:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy'
missing_fields_strategy:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy'
required:
- group_by
Security_Detections_API_AlertSuppressionDuration:
type: object
properties:
unit:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit'
value:
minimum: 1
type: integer
required:
- value
- unit
Security_Detections_API_AlertSuppressionDurationUnit:
description: Time unit
enum:
- s
- m
- h
type: string
Security_Detections_API_AlertSuppressionGroupBy:
items:
type: string
maxItems: 3
minItems: 1
type: array
Security_Detections_API_AlertSuppressionMissingFieldsStrategy:
description: |-
Describes how alerts are generated for documents that are missing one or more of the suppress-by fields:
doNotSuppress - a separate alert is created for each such document
suppress - only one alert is created per suppress-by bucket
enum:
- doNotSuppress
- suppress
type: string
Security_Detections_API_AlertTag:
description: Use alert tags to organize related alerts into categories that you can filter and group.
format: nonempty
minLength: 1
type: string
Security_Detections_API_AlertTags:
description: List of keywords to organize related alerts into categories that you can filter and group.
items:
$ref: '#/components/schemas/Security_Detections_API_AlertTag'
type: array
Security_Detections_API_AlertVersion:
type: object
properties:
count:
type: integer
version:
type: integer
required:
- version
- count
Security_Detections_API_AnomalyThreshold:
description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.
minimum: 0
type: integer
Security_Detections_API_BuildingBlockType:
description: |
Determines if the rule acts as a building block. If yes, the value must be `default`.
By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts.
For more information, refer to [About building block rules](https://www.elastic.co/docs/solutions/security/detect-and-alert/about-building-block-rules).
type: string
Security_Detections_API_BulkActionEditPayload:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags'
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns'
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields'
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline'
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions'
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule'
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression'
Security_Detections_API_BulkActionEditPayloadAlertSuppression:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression'
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold'
- $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression'
Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression:
type: object
properties:
type:
enum:
- delete_alert_suppression
type: string
required:
- type
Security_Detections_API_BulkActionEditPayloadIndexPatterns:
description: |
Edits index patterns of rules.
- `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made.
- `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made.
- `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.
type: object
properties:
overwrite_data_views:
description: Resets the data view for the rule.
type: boolean
type:
enum:
- add_index_patterns
- delete_index_patterns
- set_index_patterns
type: string
value:
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
required:
- type
- value
Security_Detections_API_BulkActionEditPayloadInvestigationFields:
description: |
Edits investigation fields of rules.
- `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made.
- `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made.
- `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made.
type: object
properties:
type:
enum:
- add_investigation_fields
- delete_investigation_fields
- set_investigation_fields
type: string
value:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
required:
- type
- value
Security_Detections_API_BulkActionEditPayloadRuleActions:
description: |
Edits rule actions of rules.
- `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID.
- `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs.
type: object
properties:
type:
enum:
- add_rule_actions
- set_rule_actions
type: string
value:
type: object
properties:
actions:
items:
$ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction'
type: array
throttle:
$ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions'
required:
- actions
required:
- type
- value
Security_Detections_API_BulkActionEditPayloadSchedule:
description: |
Overwrites schedule of rules.
- `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made.
Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h"
type: object
properties:
type:
enum:
- set_schedule
type: string
value:
type: object
properties:
interval:
description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour.
example: 1h
pattern: ^[1-9]\d*[smh]$
type: string
lookback:
description: |
Lookback time for the rules.
Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval.
example: 1h
pattern: ^[1-9]\d*[smh]$
type: string
required:
- interval
- lookback
required:
- type
- value
Security_Detections_API_BulkActionEditPayloadSetAlertSuppression:
type: object
properties:
type:
enum:
- set_alert_suppression
type: string
value:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
required:
- type
- value
Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold:
type: object
properties:
type:
enum:
- set_alert_suppression_for_threshold
type: string
value:
$ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
required:
- type
- value
Security_Detections_API_BulkActionEditPayloadTags:
description: |
Edits tags of rules.
- `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made.
- `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made.
- `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.
type: object
properties:
type:
enum:
- add_tags
- delete_tags
- set_tags
type: string
value:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
required:
- type
- value
Security_Detections_API_BulkActionEditPayloadTimeline:
description: |
Edits timeline of rules.
- `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made.
type: object
properties:
type:
enum:
- set_timeline
type: string
value:
type: object
properties:
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
required:
- timeline_id
- timeline_title
required:
- type
- value
Security_Detections_API_BulkActionsDryRunErrCode:
enum:
- IMMUTABLE
- PREBUILT_CUSTOMIZATION_LICENSE
- MACHINE_LEARNING_AUTH
- MACHINE_LEARNING_INDEX_PATTERN
- ESQL_INDEX_PATTERN
- MANUAL_RULE_RUN_FEATURE
- MANUAL_RULE_RUN_DISABLED_RULE
- THRESHOLD_RULE_TYPE_IN_SUPPRESSION
- UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD
- RULE_FILL_GAPS_DISABLED_RULE
- USER_INSUFFICIENT_RULE_PRIVILEGES
type: string
Security_Detections_API_BulkActionSkipResult:
type: object
properties:
id:
type: string
name:
type: string
skip_reason:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason'
- $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason'
required:
- id
- skip_reason
Security_Detections_API_BulkDeleteRules:
type: object
properties:
action:
enum:
- delete
type: string
gap_auto_fill_scheduler_id:
description: Gap auto fill scheduler ID used to determine gap fill status for rules
type: string
gap_fill_statuses:
description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
gaps_range_end:
description: Gaps range end, valid only when query is provided
type: string
gaps_range_start:
description: Gaps range start, valid only when query is provided
type: string
ids:
description: |
Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
Only valid when query property is undefined.
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules.
type: string
required:
- action
Security_Detections_API_BulkDisableRules:
type: object
properties:
action:
enum:
- disable
type: string
gap_auto_fill_scheduler_id:
description: Gap auto fill scheduler ID used to determine gap fill status for rules
type: string
gap_fill_statuses:
description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
gaps_range_end:
description: Gaps range end, valid only when query is provided
type: string
gaps_range_start:
description: Gaps range start, valid only when query is provided
type: string
ids:
description: |
Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
Only valid when query property is undefined.
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules.
type: string
required:
- action
Security_Detections_API_BulkDuplicateRules:
type: object
properties:
action:
enum:
- duplicate
type: string
duplicate:
description: Duplicate object that describes applying an update action.
type: object
properties:
include_exceptions:
description: Whether to copy exceptions from the original rule
type: boolean
include_expired_exceptions:
description: Whether to copy expired exceptions from the original rule
type: boolean
required:
- include_exceptions
- include_expired_exceptions
gap_auto_fill_scheduler_id:
description: Gap auto fill scheduler ID used to determine gap fill status for rules
type: string
gap_fill_statuses:
description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
gaps_range_end:
description: Gaps range end, valid only when query is provided
type: string
gaps_range_start:
description: Gaps range start, valid only when query is provided
type: string
ids:
description: |
Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
Only valid when query property is undefined.
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules.
type: string
required:
- action
Security_Detections_API_BulkEditActionResponse:
type: object
properties:
attributes:
type: object
properties:
errors:
items:
$ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError'
type: array
results:
$ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults'
summary:
$ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary'
required:
- results
- summary
message:
type: string
rules_count:
type: integer
status_code:
type: integer
success:
type: boolean
required:
- attributes
Security_Detections_API_BulkEditActionResults:
type: object
properties:
created:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
type: array
deleted:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
type: array
skipped:
items:
$ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult'
type: array
updated:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleResponse'
type: array
required:
- updated
- created
- deleted
- skipped
Security_Detections_API_BulkEditActionSummary:
description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`.
type: object
properties:
failed:
type: integer
skipped:
type: integer
succeeded:
type: integer
total:
type: integer
required:
- failed
- skipped
- succeeded
- total
Security_Detections_API_BulkEditRules:
type: object
properties:
action:
enum:
- edit
type: string
edit:
description: Array of objects containing the edit operations
items:
$ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload'
minItems: 1
type: array
gap_auto_fill_scheduler_id:
description: Gap auto fill scheduler ID used to determine gap fill status for rules
type: string
gap_fill_statuses:
description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
gaps_range_end:
description: Gaps range end, valid only when query is provided
type: string
gaps_range_start:
description: Gaps range start, valid only when query is provided
type: string
ids:
description: |
Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
Only valid when query property is undefined.
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules.
type: string
required:
- action
- edit
Security_Detections_API_BulkEditSkipReason:
enum:
- RULE_NOT_MODIFIED
type: string
Security_Detections_API_BulkEnableRules:
type: object
properties:
action:
enum:
- enable
type: string
gap_auto_fill_scheduler_id:
description: Gap auto fill scheduler ID used to determine gap fill status for rules
type: string
gap_fill_statuses:
description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
gaps_range_end:
description: Gaps range end, valid only when query is provided
type: string
gaps_range_start:
description: Gaps range start, valid only when query is provided
type: string
ids:
description: |
Array of rule `id`s to which a bulk action will be applied. Do not use the rule's `rule_id` here.
Only valid when the `query` property is undefined.
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules.
type: string
required:
- action
Security_Detections_API_BulkExportActionResponse:
type: string
Security_Detections_API_BulkExportRules:
type: object
properties:
action:
enum:
- export
type: string
gap_auto_fill_scheduler_id:
description: Gap auto fill scheduler ID used to determine gap fill status for rules
type: string
gap_fill_statuses:
description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
gaps_range_end:
description: Gaps range end, valid only when query is provided
type: string
gaps_range_start:
description: Gaps range start, valid only when query is provided
type: string
ids:
description: |
Array of rule `id`s to which a bulk action will be applied. Do not use the rule's `rule_id` here.
Only valid when the `query` property is undefined.
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules.
type: string
required:
- action
Security_Detections_API_BulkGapsFillingSkipReason:
enum:
- NO_GAPS_TO_FILL
type: string
Security_Detections_API_BulkManualRuleFillGaps:
type: object
properties:
action:
enum:
- fill_gaps
type: string
fill_gaps:
description: Object that describes applying a manual gap fill action for the specified time range.
type: object
properties:
end_date:
description: End date of the manual gap fill
type: string
start_date:
description: Start date of the manual gap fill
type: string
required:
- start_date
- end_date
gap_auto_fill_scheduler_id:
description: Gap auto fill scheduler ID used to determine gap fill status for rules
type: string
gap_fill_statuses:
description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
gaps_range_end:
description: Gaps range end, valid only when query is provided
type: string
gaps_range_start:
description: Gaps range start, valid only when query is provided
type: string
ids:
description: |
Array of rule `id`s to which a bulk action will be applied. Do not use the rule's `rule_id` here.
Only valid when the `query` property is undefined.
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules.
type: string
required:
- action
- fill_gaps
Security_Detections_API_BulkManualRuleRun:
type: object
properties:
action:
enum:
- run
type: string
gap_auto_fill_scheduler_id:
description: Gap auto fill scheduler ID used to determine gap fill status for rules
type: string
gap_fill_statuses:
description: Gap fill statuses to filter rules with gaps by status (used together with gaps_range_*).
items:
$ref: '#/components/schemas/Security_Detections_API_GapFillStatus'
type: array
gaps_range_end:
description: Gaps range end, valid only when query is provided
type: string
gaps_range_start:
description: Gaps range start, valid only when query is provided
type: string
ids:
description: |
Array of rule `id`s to which a bulk action will be applied. Do not use the rule's `rule_id` here.
Only valid when the `query` property is undefined.
items:
type: string
minItems: 1
type: array
query:
description: Query to filter rules.
type: string
run:
description: Object that describes applying a manual rule run action.
type: object
properties:
end_date:
description: End date of the manual rule run
type: string
start_date:
description: Start date of the manual rule run
type: string
required:
- start_date
- end_date
required:
- action
- run
Security_Detections_API_CloseAlertsByIds:
type: object
properties:
reason:
$ref: '#/components/schemas/Security_Detections_API_Reason'
signal_ids:
description: 'List of alert ids. Use the `_id` field of the alert document or `kibana.alert.uuid`. Note: "signals" is a deprecated term for alerts.'
items:
format: nonempty
minLength: 1
type: string
minItems: 1
type: array
status:
enum:
- closed
type: string
required:
- signal_ids
- status
Security_Detections_API_CloseAlertsByQuery:
type: object
properties:
conflicts:
default: abort
enum:
- abort
- proceed
type: string
query:
additionalProperties: true
type: object
reason:
$ref: '#/components/schemas/Security_Detections_API_Reason'
status:
enum:
- closed
type: string
required:
- query
- status
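The bulk rule-action schemas above (enable, export, edit, run, fill_gaps) and the two close-alerts schemas share a handful of constraints that the spec states only in prose: `ids` and `query` are mutually exclusive, `ids` and `signal_ids` need at least one entry, `gaps_range_*` is only valid with `query`, `run` and `fill_gaps` need both `start_date` and `end_date`, and by-query closing defaults `conflicts` to `abort`. The following Python is an added example for this page, not Kibana's client code: it builds those bodies, enforces the constraints client-side so a bad request fails before it reaches Kibana, wraps one in a request object, and reads a bulk-action response with the BulkEditActionSummary counters and the skipped entries. Assumed because they do not appear in this section of the spec: the endpoint paths, the `kbn-xsrf` header, the `ApiKey` Authorization format, the shape of an `edit` operation, and the `attributes.summary` location in the response. The rule ids, query strings and sample response are constructed.

```python
"""Build and sanity-check Security Detections bulk-action and close-alerts bodies.

Added example for this page, not Kibana code. Paths, the kbn-xsrf header, the
ApiKey header format, the edit-operation shape and attributes.summary are assumed.
"""
import json
import urllib.request

BULK_ACTION_PATH = "/api/detection_engine/rules/_bulk_action"   # assumed path
ALERT_STATUS_PATH = "/api/detection_engine/signals/status"      # assumed path


def bulk_action(action, *, ids=None, query=None, **payload):
    """Body for enable / export / edit / run / fill_gaps.

    `ids` holds rule `id`s (never `rule_id`s) and is only valid when `query` is
    absent; the gaps_range_* filters are only valid together with `query`.
    """
    if (ids is None) == (query is None):
        raise ValueError("pass exactly one of ids= or query=")
    if ids is not None and not ids:
        raise ValueError("ids needs at least one rule id (minItems: 1)")
    if ids is not None and any(k.startswith("gaps_range_") for k in payload):
        raise ValueError("gaps_range_start/end are only valid together with query")
    if action == "edit" and not payload.get("edit"):
        raise ValueError("edit needs a non-empty list of edit operations")
    if action in ("run", "fill_gaps"):
        window = payload.get(action) or {}
        if not all(k in window for k in ("start_date", "end_date")):
            raise ValueError(f"{action} needs start_date and end_date")
    body = {"action": action}
    if ids is not None:
        body["ids"] = list(ids)
    else:
        body["query"] = query
    body.update(payload)
    return body


def close_alerts(*, signal_ids=None, query=None, reason=None, conflicts="abort"):
    """Body that sets alert status to closed, by id list or by query.

    By query, `conflicts` defaults to abort: a version conflict (an alert changed
    between search and update) stops the operation instead of skipping that alert.
    """
    if (signal_ids is None) == (query is None):
        raise ValueError("pass exactly one of signal_ids= or query=")
    body = {"status": "closed"}
    if signal_ids is not None:
        if not signal_ids or any(not s for s in signal_ids):
            raise ValueError("signal_ids needs >= 1 non-empty id (_id or kibana.alert.uuid)")
        body["signal_ids"] = list(signal_ids)
    else:
        if conflicts not in ("abort", "proceed"):
            raise ValueError("conflicts must be abort or proceed")
        body["query"] = query
        body["conflicts"] = conflicts
    if reason is not None:
        body["reason"] = reason
    return body


def kibana_request(base_url, api_key, path, body):
    """Build (not send) the POST. Kibana rejects state-changing calls without a
    kbn-xsrf header; the key uses the spec's apiKeyAuth scheme (format assumed)."""
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"ApiKey {api_key}",
                 "kbn-xsrf": "true", "Content-Type": "application/json"},
    )


def summarize(response):
    """Return the BulkEditActionSummary counters and (id, skip_reason) pairs from
    attributes.results.skipped, whose entries carry only id, name and skip_reason."""
    attrs = response["attributes"]
    skipped = [(r["id"], r["skip_reason"]) for r in attrs["results"].get("skipped", [])]
    return attrs["summary"], skipped


SAMPLE_RESPONSE = {   # constructed sample, shaped like the schemas above
    "attributes": {
        "summary": {"failed": 0, "skipped": 1, "succeeded": 2, "total": 3},
        "results": {
            "updated": [{"id": "rule-0001", "name": "A"}, {"id": "rule-0002", "name": "B"}],
            "created": [], "deleted": [],
            "skipped": [{"id": "rule-0003", "name": "C", "skip_reason": "RULE_NOT_MODIFIED"}],
        },
    },
}

if __name__ == "__main__":
    # Tag every rule matched by a query; rules that already carry the tag are skipped.
    body = bulk_action("edit", query='alert.attributes.tags: "production"',      # constructed
                       edit=[{"type": "add_tags", "value": ["reviewed"]}])        # op shape assumed
    req = kibana_request("https://localhost:5601", "<base64 id:key>", BULK_ACTION_PATH, body)
    print(req.full_url, json.loads(req.data))
    print(summarize(SAMPLE_RESPONSE))
    print(close_alerts(query={"term": {"kibana.alert.rule.uuid": "rule-0003"}}, conflicts="proceed"))
```

Checking the response counters matters in automation: a `succeeded` count lower than `total` with `failed` at zero means some rules were skipped as already in the requested state, which is normal, while a non-zero `failed` should stop a pipeline rather than be logged and ignored.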
Security_Detections_API_ConcurrentSearches:
minimum: 1
type: integer
Security_Detections_API_DataViewId:
type: string
Security_Detections_API_DefaultParams:
type: object
properties:
command:
enum:
- isolate
type: string
comment:
type: string
required:
- command
Security_Detections_API_EcsMapping:
additionalProperties:
type: object
properties:
field:
type: string
value:
oneOf:
- type: string
- items:
type: string
type: array
description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}'
type: object
Security_Detections_API_EndpointResponseAction:
type: object
properties:
action_type_id:
enum:
- .endpoint
type: string
params:
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_DefaultParams'
- $ref: '#/components/schemas/Security_Detections_API_ProcessesParams'
- $ref: '#/components/schemas/Security_Detections_API_RunscriptParams'
required:
- action_type_id
- params
Security_Detections_API_EqlOptionalFields:
type: object
properties:
alert_suppression:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
data_view_id:
$ref: '#/components/schemas/Security_Detections_API_DataViewId'
event_category_override:
$ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride'
filters:
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
index:
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
tiebreaker_field:
$ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
timestamp_field:
$ref: '#/components/schemas/Security_Detections_API_TimestampField'
Security_Detections_API_EqlQueryLanguage:
enum:
- eql
type: string
Security_Detections_API_EqlRequiredFields:
type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
description: Query language to use
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
type:
description: Rule type
enum:
- eql
type: string
required:
- type
- query
- language
Security_Detections_API_EqlRule:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- version
- tags
- enabled
- risk_score_mapping
- severity_mapping
- interval
- from
- to
- actions
- exceptions_list
- author
- false_positives
- references
- max_signals
- threat
- setup
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields'
Security_Detections_API_EqlRuleCreateFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
Security_Detections_API_EqlRuleCreateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
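EqlRuleCreateProps combines the generic rule properties (`name`, `description`, `risk_score` and `severity` required) with EqlRequiredFields (`type`, `query`, `language`, all fixed to EQL) and the EqlOptionalFields; a rule may also carry `response_actions`, including the EndpointResponseAction (`action_type_id: .endpoint`) whose DefaultParams enumerate the `isolate` command, and EcsMapping entries map osquery columns or static values onto ECS fields. The Python below is an added example for this page, not Kibana code: it assembles such a create body, checks it against the constraints visible in these schemas, and adds one guardrail of its own, refusing to build an enabled rule that isolates hosts on match unless the caller opts in, because a noisy EQL query attached to an isolate action is a self-inflicted outage. The rule name, query, index pattern and ids are constructed; the `risk_score` and `severity` values are assumed to satisfy the referenced RiskScore and Severity schemas, which this excerpt does not reproduce.

```python
"""Assemble an EQL create-rule body with an Endpoint response action and validate
it against the constraints visible in this section of the spec.

Added example for this page, not Kibana code. The enabled-with-isolate refusal is
this example's own policy, not a Kibana rule.
"""
import json

RULE_REQUIRED = ("name", "description", "risk_score", "severity")   # EqlRuleCreateProps
EQL_REQUIRED = ("type", "query", "language")                        # EqlRequiredFields
ENDPOINT_COMMANDS = {"isolate"}   # DefaultParams.command enum in this excerpt


def endpoint_response_action(command, comment=None):
    """EndpointResponseAction with DefaultParams; action_type_id is fixed to .endpoint."""
    if command not in ENDPOINT_COMMANDS:
        raise ValueError(f"unsupported endpoint command {command!r}")
    params = {"command": command}
    if comment:
        params["comment"] = comment
    return {"action_type_id": ".endpoint", "params": params}


def validate_ecs_mapping(mapping):
    """EcsMapping: each ECS field maps to an osquery column (`field`) and/or a static
    `value` that is a string or a list of strings. Requiring one of the two is
    stricter than the schema, which makes both optional."""
    for ecs_field, spec in mapping.items():
        if not isinstance(spec, dict) or not (set(spec) & {"field", "value"}):
            raise ValueError(f"{ecs_field}: expected an object with field and/or value")
        if "field" in spec and not isinstance(spec["field"], str):
            raise ValueError(f"{ecs_field}: field must be a string")
        value = spec.get("value")
        if value is not None and not (isinstance(value, str) or
                (isinstance(value, list) and all(isinstance(v, str) for v in value))):
            raise ValueError(f"{ecs_field}: value must be a string or a list of strings")
    return mapping


def validate_eql_rule(body, allow_enabled_response_action=False):
    missing = [k for k in RULE_REQUIRED + EQL_REQUIRED if k not in body]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if body["type"] != "eql" or body["language"] != "eql":
        raise ValueError("an EQL rule needs type == language == 'eql'")
    for action in body.get("response_actions", []):
        if action.get("action_type_id") != ".endpoint":
            continue
        if "command" not in action.get("params", {}):
            raise ValueError("endpoint response action needs params.command")
        # Local guardrail (this example's policy): create host-isolating rules
        # disabled, review what they would have matched, then enable them.
        if body.get("enabled") and not allow_enabled_response_action:
            raise ValueError("refusing an enabled rule with a host-isolation action; "
                             "create it disabled and enable after review")
    return body


def eql_rule(name, description, query, *, risk_score, severity, index=None,
             rule_id=None, response_actions=(), allow_enabled_response_action=False,
             **optional):
    """Build the create body. `rule_id` is the stable signature id you choose;
    the saved-object `id` is assigned by Kibana on creation."""
    body = {"type": "eql", "language": "eql", "query": query,
            "name": name, "description": description,
            "risk_score": risk_score, "severity": severity}
    if index is not None:
        body["index"] = list(index)
    if rule_id is not None:
        body["rule_id"] = rule_id
    if response_actions:
        body["response_actions"] = list(response_actions)
    body.update(optional)
    return validate_eql_rule(body, allow_enabled_response_action)


if __name__ == "__main__":
    rule = eql_rule(
        "Example: suspicious process start (constructed)",
        "Constructed rule body for illustration; the query is not a real detection.",
        'process where event.type == "start" and process.name == "example.exe"',
        risk_score=73, severity="high",
        index=["logs-endpoint.events.process-*"],          # constructed pattern
        rule_id="example-eql-isolate-0001",                 # constructed signature id
        response_actions=[endpoint_response_action("isolate", "Isolated by example rule")],
        enabled=False,
    )
    print(json.dumps(rule, indent=2))
    print(validate_ecs_mapping({"process.pid": {"field": "pid"}}))   # schema's own example
```

The `enabled: false` default in the usage is deliberate: with a response action attached, the first enabled run of a mistuned query isolates every host it matches, and the `required_fields` and `false_positives` properties above are the place to document what the query expects before anyone flips it on.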
Security_Detections_API_EqlRulePatchFields:
allOf:
- type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
description: Query language to use
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
type:
description: Rule type
enum:
- eql
type: string
- $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
Security_Detections_API_EqlRulePatchProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields'
Security_Detections_API_EqlRuleResponseFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
Security_Detections_API_EqlRuleUpdateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
Security_Detections_API_ErrorSchema:
additionalProperties: false
type: object
properties:
error:
type: object
properties:
message:
type: string
status_code:
minimum: 400
type: integer
required:
- status_code
- message
id:
type: string
item_id:
minLength: 1
type: string
list_id:
minLength: 1
type: string
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
required:
- error
Security_Detections_API_EsqlQueryLanguage:
enum:
- esql
type: string
Security_Detections_API_EsqlRule:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- version
- tags
- enabled
- risk_score_mapping
- severity_mapping
- interval
- from
- to
- actions
- exceptions_list
- author
- false_positives
- references
- max_signals
- threat
- setup
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields'
Security_Detections_API_EsqlRuleCreateFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
Security_Detections_API_EsqlRuleCreateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
Security_Detections_API_EsqlRuleOptionalFields:
type: object
properties:
alert_suppression:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
Security_Detections_API_EsqlRulePatchProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
language:
$ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
type:
description: Rule type
enum:
- esql
type: string
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
Security_Detections_API_EsqlRuleRequiredFields:
type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
type:
description: Rule type
enum:
- esql
type: string
required:
- type
- language
- query
Security_Detections_API_EsqlRuleResponseFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
Security_Detections_API_EsqlRuleUpdateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
Security_Detections_API_EventCategoryOverride:
type: string
Security_Detections_API_ExceptionListType:
description: The exception type
enum:
- detection
- rule_default
- endpoint
- endpoint_trusted_apps
- endpoint_trusted_devices
- endpoint_events
- endpoint_host_isolation_exceptions
- endpoint_blocklists
type: string
Security_Detections_API_ExternalRuleCustomizedFields:
description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array.
items:
type: object
properties:
field_name:
description: Name of a user-modified field in the rule object.
type: string
required:
- field_name
type: array
Security_Detections_API_ExternalRuleHasBaseVersion:
description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`).
type: boolean
Security_Detections_API_ExternalRuleSource:
description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
type: object
properties:
customized_fields:
$ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields'
has_base_version:
$ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion'
is_customized:
$ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized'
type:
enum:
- external
type: string
required:
- type
- is_customized
- has_base_version
- customized_fields
Security_Detections_API_FindRulesSortField:
enum:
- created_at
- createdAt
- enabled
- execution_summary.last_execution.date
- execution_summary.last_execution.metrics.execution_gap_duration_s
- execution_summary.last_execution.metrics.total_indexing_duration_ms
- execution_summary.last_execution.metrics.total_search_duration_ms
- execution_summary.last_execution.status
- name
- risk_score
- riskScore
- severity
- updated_at
- updatedAt
type: string
Security_Detections_API_GapFillStatus:
enum:
- unfilled
- in_progress
- filled
- error
type: string
Security_Detections_API_HistoryWindowStart:
description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
format: nonempty
minLength: 1
type: string
Security_Detections_API_IndexMigrationStatus:
type: object
properties:
index:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
is_outdated:
type: boolean
migrations:
items:
$ref: '#/components/schemas/Security_Detections_API_MigrationStatus'
type: array
signal_versions:
items:
$ref: '#/components/schemas/Security_Detections_API_AlertVersion'
type: array
version:
type: integer
required:
- index
- version
- signal_versions
- migrations
- is_outdated
Security_Detections_API_IndexPatternArray:
description: |
Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`).
> info
> This field is not supported for ES|QL rules.
items:
type: string
type: array
Security_Detections_API_InternalRuleSource:
description: Type of rule source for internally sourced rules, i.e. rules created within the Kibana apps.
type: object
properties:
type:
enum:
- internal
type: string
required:
- type
Security_Detections_API_InvestigationFields:
description: |
Schema for fields relating to investigation fields. These are user-defined fields that are highlighted
in various features of the UI, such as the alert details flyout and exception auto-population from alerts.
type: object
properties:
field_names:
items:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
minItems: 1
type: array
required:
- field_names
Security_Detections_API_InvestigationGuide:
description: Notes to help investigate alerts produced by the rule.
type: string
Security_Detections_API_IsExternalRuleCustomized:
description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
type: boolean
Security_Detections_API_IsRuleEnabled:
description: Determines whether the rule is enabled. Defaults to true.
type: boolean
Security_Detections_API_IsRuleImmutable:
deprecated: true
description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field.
type: boolean
Security_Detections_API_ItemsPerSearch:
minimum: 1
type: integer
Security_Detections_API_KqlQueryLanguage:
enum:
- kuery
- lucene
type: string
Security_Detections_API_MachineLearningJobId:
description: Machine learning job ID(s) the rule monitors for anomaly scores.
oneOf:
- type: string
- items:
type: string
minItems: 1
type: array
Security_Detections_API_MachineLearningRule:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- version
- tags
- enabled
- risk_score_mapping
- severity_mapping
- interval
- from
- to
- actions
- exceptions_list
- author
- false_positives
- references
- max_signals
- threat
- setup
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields'
Security_Detections_API_MachineLearningRuleCreateFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
Security_Detections_API_MachineLearningRuleCreateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
Security_Detections_API_MachineLearningRuleOptionalFields:
type: object
properties:
alert_suppression:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
Security_Detections_API_MachineLearningRulePatchFields:
allOf:
- type: object
properties:
anomaly_threshold:
$ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
machine_learning_job_id:
$ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
type:
description: Rule type
enum:
- machine_learning
type: string
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
Security_Detections_API_MachineLearningRulePatchProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields'
Security_Detections_API_MachineLearningRuleRequiredFields:
type: object
properties:
anomaly_threshold:
$ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
machine_learning_job_id:
$ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
type:
description: Rule type
enum:
- machine_learning
type: string
required:
- type
- machine_learning_job_id
- anomaly_threshold
Security_Detections_API_MachineLearningRuleResponseFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
Security_Detections_API_MachineLearningRuleUpdateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
    Security_Detections_API_MaxSignals:
      default: 100
      description: |
        Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#rule-ui-advanced-params) value).
        > info
        > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/docs/reference/kibana/configuration-reference/alerting-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.
      minimum: 1
      type: integer
    Security_Detections_API_MigrationCleanupResult:
      type: object
      properties:
        destinationIndex:
          type: string
        error:
          type: object
          properties:
            message:
              type: string
            status_code:
              type: integer
          required:
            - message
            - status_code
        id:
          type: string
        sourceIndex:
          type: string
        status:
          enum:
            - success
            - failure
            - pending
          type: string
        updated:
          format: date-time
          type: string
        version:
          type: string
      required:
        - id
        - destinationIndex
        - status
        - sourceIndex
        - version
        - updated
    Security_Detections_API_MigrationFinalizationResult:
      type: object
      properties:
        completed:
          type: boolean
        destinationIndex:
          type: string
        error:
          type: object
          properties:
            message:
              type: string
            status_code:
              type: integer
          required:
            - message
            - status_code
        id:
          type: string
        sourceIndex:
          type: string
        status:
          enum:
            - success
            - failure
            - pending
          type: string
        updated:
          format: date-time
          type: string
        version:
          type: string
      required:
        - id
        - completed
        - destinationIndex
        - status
        - sourceIndex
        - version
        - updated
    Security_Detections_API_MigrationStatus:
      type: object
      properties:
        id:
          $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
        status:
          enum:
            - success
            - failure
            - pending
          type: string
        updated:
          format: date-time
          type: string
        version:
          type: integer
      required:
        - id
        - status
        - version
        - updated
    Security_Detections_API_NewTermsFields:
      description: Fields to monitor for new values.
      items:
        type: string
      maxItems: 3
      minItems: 1
      type: array
    Security_Detections_API_NewTermsRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields'
    Security_Detections_API_NewTermsRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
    Security_Detections_API_NewTermsRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
    Security_Detections_API_NewTermsRuleDefaultableFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
    Security_Detections_API_NewTermsRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
        data_view_id:
          $ref: '#/components/schemas/Security_Detections_API_DataViewId'
        filters:
          $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
        index:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
    Security_Detections_API_NewTermsRulePatchFields:
      allOf:
        - type: object
          properties:
            history_window_start:
              $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart'
            new_terms_fields:
              $ref: '#/components/schemas/Security_Detections_API_NewTermsFields'
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
            type:
              description: Rule type
              enum:
                - new_terms
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
    Security_Detections_API_NewTermsRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields'
    Security_Detections_API_NewTermsRuleRequiredFields:
      type: object
      properties:
        history_window_start:
          $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart'
        new_terms_fields:
          $ref: '#/components/schemas/Security_Detections_API_NewTermsFields'
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
        type:
          description: Rule type
          enum:
            - new_terms
          type: string
      required:
        - type
        - query
        - new_terms_fields
        - history_window_start
    Security_Detections_API_NewTermsRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
        - type: object
          properties:
            language:
              $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
          required:
            - language
    Security_Detections_API_NewTermsRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_UUID'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
    Security_Detections_API_NonEmptyString:
      description: A string that does not contain only whitespace characters
      format: nonempty
      minLength: 1
      type: string
    Security_Detections_API_NormalizedRuleAction:
      additionalProperties: false
      type: object
      properties:
        alerts_filter:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter'
        frequency:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency'
        group:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup'
        id:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionId'
        params:
          $ref: '#/components/schemas/Security_Detections_API_RuleActionParams'
      required:
        - id
        - params
    Security_Detections_API_NormalizedRuleError:
      type: object
      properties:
        err_code:
          $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode'
        message:
          type: string
        rules:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError'
          type: array
        status_code:
          type: integer
      required:
        - message
        - status_code
        - rules
    Security_Detections_API_OsqueryParams:
      type: object
      properties:
        ecs_mapping:
          $ref: '#/components/schemas/Security_Detections_API_EcsMapping'
        pack_id:
          description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"'
          type: string
        queries:
          items:
            $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery'
          type: array
        query:
          description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"'
          type: string
        saved_query_id:
          description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"'
          type: string
        timeout:
          description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.'
          type: number
    Security_Detections_API_OsqueryQuery:
      type: object
      properties:
        ecs_mapping:
          $ref: '#/components/schemas/Security_Detections_API_EcsMapping'
        id:
          description: Query ID
          type: string
        platform:
          type: string
        query:
          description: Query to run
          type: string
        removed:
          type: boolean
        snapshot:
          type: boolean
        version:
          description: Query version
          type: string
      required:
        - id
        - query
    Security_Detections_API_OsqueryResponseAction:
      type: object
      properties:
        action_type_id:
          enum:
            - .osquery
          type: string
        params:
          $ref: '#/components/schemas/Security_Detections_API_OsqueryParams'
      required:
        - action_type_id
        - params
    Security_Detections_API_PlatformErrorResponse:
      type: object
      properties:
        error:
          type: string
        message:
          type: string
        statusCode:
          type: integer
      required:
        - statusCode
        - error
        - message
    Security_Detections_API_ProcessesParams:
      type: object
      properties:
        command:
          description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"'
          enum:
            - kill-process
            - suspend-process
          type: string
        comment:
          description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"'
          type: string
        config:
          type: object
          properties:
            field:
              description: Field to use instead of process.pid
              type: string
            overwrite:
              default: true
              description: Whether to overwrite field with process.pid
              type: boolean
          required:
            - field
      required:
        - command
        - config
    Security_Detections_API_QueryAlertsBodyParams:
      type: object
      properties:
        _source:
          oneOf:
            - type: boolean
            - type: string
            - items:
                type: string
              type: array
        aggs:
          additionalProperties: true
          type: object
        fields:
          items:
            type: string
          type: array
        query:
          additionalProperties: true
          type: object
        runtime_mappings:
          additionalProperties: true
          type: object
        size:
          minimum: 0
          type: integer
        sort:
          $ref: '#/components/schemas/Security_Detections_API_AlertsSort'
        track_total_hits:
          type: boolean
    Security_Detections_API_QueryRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields'
    Security_Detections_API_QueryRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
    Security_Detections_API_QueryRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.
                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
Security_Detections_API_QueryRuleDefaultableFields:
type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
Security_Detections_API_QueryRuleOptionalFields:
type: object
properties:
alert_suppression:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
data_view_id:
$ref: '#/components/schemas/Security_Detections_API_DataViewId'
filters:
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
index:
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
saved_id:
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
Security_Detections_API_QueryRulePatchFields:
allOf:
- type: object
properties:
type:
description: Rule type
enum:
- query
type: string
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
Security_Detections_API_QueryRulePatchProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields'
Security_Detections_API_QueryRuleRequiredFields:
type: object
properties:
type:
description: Rule type
enum:
- query
type: string
required:
- type
Security_Detections_API_QueryRuleResponseFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
- type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
required:
- query
- language
Security_Detections_API_QueryRuleUpdateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
Security_Detections_API_Reason:
description: 'The reason for closing the alerts. Can be one of following predefined reasons: [false_positive, duplicate, true_positive, benign_positive, automated_closure, other] or a custom reason provided by the user through the advanced settings.'
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_ReasonEnum'
- type: string
Security_Detections_API_ReasonEnum:
enum:
- false_positive
- duplicate
- true_positive
- benign_positive
- automated_closure
- other
type: string
Security_Detections_API_RelatedIntegration:
description: |
A related integration is a potential dependency of a rule. It's assumed that if the user installs
one of the related integrations of a rule, the rule might start to work properly because it will
have source events (generated by this integration) potentially matching the rule's query.
NOTE: Correct operation is not guaranteed, because a related integration, if installed, can be
configured differently or generate data that is not necessarily relevant for this rule.
Related integration is a combination of a Fleet package and (optionally) one of the
package's "integrations" that this package contains. It is represented by 3 properties:
- `package`: name of the package (required, unique id)
- `version`: version of the package (required, semver-compatible)
- `integration`: name of the integration of this package (optional, id within the package)
There are Fleet packages like `windows` that contain only one integration; in this case,
`integration` should be unspecified. There are also packages like `aws` and `azure` that contain
several integrations; in this case, `integration` should be specified.
example:
integration: activitylogs
package: azure
version: ~1.1.6
type: object
properties:
integration:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
package:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
version:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
required:
- package
- version
Security_Detections_API_RelatedIntegrationArray:
items:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegration'
type: array
Security_Detections_API_RequiredField:
description: |
Describes an Elasticsearch field that is needed for the rule to function.
Almost all types of Security rules check source event documents for a match to some kind of
query or filter. If a document has a certain field with certain values, then it's a match and
the rule will generate an alert.
A required field is an event field that must be present in the source indices of a given rule.
@example
const standardEcsField: RequiredField = {
name: 'event.action',
type: 'keyword',
ecs: true,
};
@example
const nonEcsField: RequiredField = {
name: 'winlog.event_data.AttributeLDAPDisplayName',
type: 'keyword',
ecs: false,
};
type: object
properties:
ecs:
description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on the field’s name and type.
type: boolean
name:
description: Name of an Elasticsearch field
format: nonempty
minLength: 1
type: string
type:
description: Type of the Elasticsearch field
format: nonempty
minLength: 1
type: string
required:
- name
- type
- ecs
Security_Detections_API_RequiredFieldArray:
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredField'
type: array
Security_Detections_API_RequiredFieldInput:
description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type.
type: object
properties:
name:
description: Name of an Elasticsearch field
format: nonempty
minLength: 1
type: string
type:
description: Type of the Elasticsearch field
format: nonempty
minLength: 1
type: string
required:
- name
- type
Security_Detections_API_ResponseAction:
discriminator:
mapping:
.endpoint: '#/components/schemas/Security_Detections_API_EndpointResponseAction'
.osquery: '#/components/schemas/Security_Detections_API_OsqueryResponseAction'
propertyName: action_type_id
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction'
- $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction'
Security_Detections_API_ResponseFields:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
type: string
execution_summary:
$ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
immutable:
$ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable'
required_fields:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray'
revision:
$ref: '#/components/schemas/Security_Detections_API_RuleRevision'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_source:
$ref: '#/components/schemas/Security_Detections_API_RuleSource'
updated_at:
format: date-time
type: string
updated_by:
type: string
required:
- id
- rule_id
- immutable
- rule_source
- updated_at
- updated_by
- created_at
- created_by
- revision
- related_integrations
- required_fields
Security_Detections_API_RiskScore:
description: |
A numerical representation of the alert's severity from 0 to 100, where:
* `0` - `21` represents low severity
* `22` - `47` represents medium severity
* `48` - `73` represents high severity
* `74` - `100` represents critical severity
maximum: 100
minimum: 0
type: integer
Security_Detections_API_RiskScoreMapping:
description: Overrides generated alerts' risk_score with a value from the source event
items:
type: object
properties:
field:
description: Source event field used to override the default `risk_score`.
type: string
operator:
enum:
- equals
type: string
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
value:
type: string
required:
- field
- operator
- value
type: array
Security_Detections_API_RuleAction:
type: object
properties:
action_type_id:
description: |
The action type used for sending notifications, can be:
- `.slack`
- `.slack_api`
- `.email`
- `.index`
- `.pagerduty`
- `.swimlane`
- `.webhook`
- `.servicenow`
- `.servicenow-itom`
- `.servicenow-sir`
- `.jira`
- `.resilient`
- `.opsgenie`
- `.teams`
- `.torq`
- `.tines`
- `.d3security`
type: string
alerts_filter:
$ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter'
frequency:
$ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency'
group:
$ref: '#/components/schemas/Security_Detections_API_RuleActionGroup'
id:
$ref: '#/components/schemas/Security_Detections_API_RuleActionId'
params:
$ref: '#/components/schemas/Security_Detections_API_RuleActionParams'
uuid:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
required:
- action_type_id
- id
- params
Security_Detections_API_RuleActionAlertsFilter:
additionalProperties: true
description: |
Object containing an action’s conditional filters.
- `timeframe` (object, optional): Object containing the time frame for when this action can be run.
- `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array.
- `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day.
- start (string, required): Start time in `hh:mm` format.
- end (string, required): End time in `hh:mm` format.
- `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST.
- `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
- `kql` (string, required): A KQL string.
- `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
type: object
Security_Detections_API_RuleActionFrequency:
description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
type: object
properties:
notifyWhen:
$ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen'
summary:
description: Action summary indicates whether a single summary notification is sent about all the generated alerts or a separate notification is sent per individual alert
type: boolean
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
nullable: true
required:
- summary
- notifyWhen
- throttle
Security_Detections_API_RuleActionGroup:
description: Optionally groups actions by use cases. Use `default` for alert notifications.
type: string
Security_Detections_API_RuleActionId:
description: The connector ID.
type: string
Security_Detections_API_RuleActionNotifyWhen:
description: Defines how often rules run actions.
enum:
- onActiveAlert
- onThrottleInterval
- onActionGroupChange
type: string
Security_Detections_API_RuleActionParams:
additionalProperties: true
description: |
Object containing the allowed connector fields, which varies according to the connector type.
For Slack:
- `message` (string, required): The notification message.
For email:
- `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value.
- `subject` (string, optional): Email subject line.
- `message` (string, required): Email body text.
For Webhook:
- `body` (string, required): JSON payload.
For PagerDuty:
- `severity` (string, required): Severity of the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`.
- `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`.
- `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert.
- `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime).
- `component` (string, optional): Source machine component responsible for the event, for example `security-solution`.
- `group` (string, optional): Enables logical grouping of service components.
- `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
- `summary` (string, optional): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters.
- `class` (string, optional): Value indicating the class/type of the event.
type: object
Security_Detections_API_RuleActionThrottle:
description: Defines how often rule actions are taken.
oneOf:
- enum:
- no_actions
- rule
type: string
- description: Time interval in seconds, minutes, hours, or days.
example: 1h
pattern: ^[1-9]\d*[smhd]$
type: string
Security_Detections_API_RuleAuthorArray:
description: The rule’s author.
items:
type: string
type: array
Security_Detections_API_RuleCreateProps:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
discriminator:
mapping:
eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
propertyName: type
Security_Detections_API_RuleDescription:
description: The rule’s description.
example: Detects anomalous Windows process creation events.
minLength: 1
type: string
Security_Detections_API_RuleDetailsInError:
type: object
properties:
id:
type: string
name:
type: string
required:
- id
Security_Detections_API_RuleExceptionList:
description: |
Array of [exception containers](https://www.elastic.co/docs/solutions/security/detect-and-alert/detection-rule-concepts), which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
type: object
properties:
id:
description: ID of the exception container
format: nonempty
minLength: 1
type: string
list_id:
description: List ID of the exception container
format: nonempty
minLength: 1
type: string
namespace_type:
description: Determines the exception container's validity in the rule's Kibana space
enum:
- agnostic
- single
type: string
type:
$ref: '#/components/schemas/Security_Detections_API_ExceptionListType'
required:
- id
- list_id
- type
- namespace_type
Security_Detections_API_RuleExecutionMetrics:
type: object
properties:
execution_gap_duration_s:
description: Duration in seconds of execution gap
minimum: 0
type: integer
frozen_indices_queried_count:
description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter.
minimum: 0
type: integer
gap_range:
description: Range of the execution gap
type: object
properties:
gte:
description: Start date of the execution gap
type: string
lte:
description: End date of the execution gap
type: string
required:
- gte
- lte
gap_reason:
description: Detected reason for the execution gap
type: object
properties:
type:
description: The type of reason for the gap (rule_disabled or rule_did_not_run)
enum:
- rule_disabled
- rule_did_not_run
type: string
required:
- type
total_enrichment_duration_ms:
description: Total time spent enriching documents during current rule execution cycle
minimum: 0
type: integer
total_indexing_duration_ms:
description: Total time spent indexing documents during current rule execution cycle
minimum: 0
type: integer
total_search_duration_ms:
description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
minimum: 0
type: integer
Security_Detections_API_RuleExecutionStatus:
description: |-
Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule.
- going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes.
- running - Rule execution has started but has not yet reached any intermediate or final status.
- partial failure - Rule can partially fail for various reasons, either in the middle of an execution (in this case we update its status right away) or at the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist.
- failed - Rule failed to execute due to an unhandled exception or a reason defined in the business logic of its executor function.
- succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts regardless of it.
enum:
- going to run
- running
- partial failure
- failed
- succeeded
type: string
Security_Detections_API_RuleExecutionStatusOrder:
type: integer
Security_Detections_API_RuleExecutionSummary:
description: |
Summary of the last execution of a rule.
> info
> This field is under development and its usage or schema may change
type: object
properties:
last_execution:
type: object
properties:
date:
description: Date of the last execution
format: date-time
type: string
message:
type: string
metrics:
$ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics'
status:
$ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus'
description: Status of the last execution
status_order:
$ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder'
required:
- date
- status
- status_order
- message
- metrics
required:
- last_execution
Security_Detections_API_RuleFalsePositiveArray:
description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
items:
type: string
type: array
Security_Detections_API_RuleFilterArray:
description: |
The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
> info
> This field is not supported for ES|QL rules.
items: {}
type: array
Security_Detections_API_RuleInterval:
description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
type: string
Security_Detections_API_RuleIntervalFrom:
description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
format: date-math
type: string
Security_Detections_API_RuleIntervalTo:
type: string
Security_Detections_API_RuleLicense:
description: The rule's license.
type: string
Security_Detections_API_RuleMetadata:
additionalProperties: true
description: |
Placeholder for metadata about the rule.
> info
> This field is overwritten when you save changes to the rule’s settings.
type: object
Security_Detections_API_RuleName:
description: A human-readable name for the rule.
example: Anomalous Windows Process Creation
minLength: 1
type: string
Security_Detections_API_RuleNameOverride:
description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type.
type: string
Security_Detections_API_RuleObjectId:
$ref: '#/components/schemas/Security_Detections_API_UUID'
description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s.
Security_Detections_API_RulePatchProps:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps'
Security_Detections_API_RulePreviewLoggedRequest:
type: object
properties:
description:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
duration:
type: integer
request:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
request_type:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
Security_Detections_API_RulePreviewLogs:
type: object
properties:
duration:
description: Execution duration in milliseconds
type: integer
errors:
items:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
type: array
requests:
items:
$ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest'
type: array
startedAt:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
warnings:
items:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
type: array
required:
- errors
- warnings
- duration
Security_Detections_API_RulePreviewParams:
type: object
properties:
invocationCount:
type: integer
timeframeEnd:
format: date-time
type: string
required:
- invocationCount
- timeframeEnd
Security_Detections_API_RuleQuery:
description: |
[Query](https://www.elastic.co/docs/explore-analyze/query-filter) used by the rule to create alerts.
- For indicator match rules, only the query’s results are used to determine whether an alert is generated.
- ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule#create-esql-rule) rules for more information.
type: string
Security_Detections_API_RuleReferenceArray:
description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
items:
type: string
type: array
Security_Detections_API_RuleResponse:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRule'
- $ref: '#/components/schemas/Security_Detections_API_QueryRule'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRule'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule'
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule'
- $ref: '#/components/schemas/Security_Detections_API_NewTermsRule'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRule'
discriminator:
mapping:
eql: '#/components/schemas/Security_Detections_API_EqlRule'
esql: '#/components/schemas/Security_Detections_API_EsqlRule'
machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRule'
new_terms: '#/components/schemas/Security_Detections_API_NewTermsRule'
query: '#/components/schemas/Security_Detections_API_QueryRule'
saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRule'
threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRule'
threshold: '#/components/schemas/Security_Detections_API_ThresholdRule'
propertyName: type
Security_Detections_API_RuleRevision:
description: |
The rule's revision number.
It represents the version of the rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update.
> info
> Not every update to a rule field increments the revision. Only changes to fields that are considered static `rule parameters` trigger revision increments. For example, an update to a rule's `query` or `index` fields increments the rule's revision by `1`. However, changes to dynamic or technical fields such as `enabled` or `execution_summary` do not cause revision increments.
minimum: 0
type: integer
Security_Detections_API_RuleSignatureId:
description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s.
type: string
Security_Detections_API_RuleSource:
description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
discriminator:
propertyName: type
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource'
- $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource'
Security_Detections_API_RuleTagArray:
description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
items:
type: string
type: array
Security_Detections_API_RuleUpdateProps:
anyOf:
- $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps'
- $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps'
discriminator:
mapping:
eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps'
esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps'
machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps'
new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps'
query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps'
saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps'
threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps'
threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps'
propertyName: type
Security_Detections_API_RuleVersion:
description: |
The rule's version number.
- For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules).
- For custom rules it is set to `1` when the rule is created.
> info
> It is not incremented on each update. Compare this to the `revision` field.
minimum: 1
type: integer
Security_Detections_API_RunScriptOsConfigValues:
minProperties: 1
type: object
properties:
scriptId:
type: string
scriptInput:
type: string
timeout:
description: Specify the timeout in seconds for the script execution
example: 60
type: integer
Security_Detections_API_RunscriptParams:
description: |
> warn
> This functionality is currently not available
type: object
properties:
command:
enum:
- runscript
type: string
comment:
description: Add a note that explains or describes the action. You can find your comment in the response actions history log
type: string
config:
type: object
properties:
linux:
$ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues'
macos:
$ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues'
windows:
$ref: '#/components/schemas/Security_Detections_API_RunScriptOsConfigValues'
required:
- command
Security_Detections_API_SavedObjectResolveAliasPurpose:
enum:
- savedObjectConversion
- savedObjectImport
type: string
Security_Detections_API_SavedObjectResolveAliasTargetId:
type: string
Security_Detections_API_SavedObjectResolveOutcome:
enum:
- exactMatch
- aliasMatch
- conflict
type: string
Security_Detections_API_SavedQueryId:
description: Kibana [saved search](https://www.elastic.co/docs/explore-analyze/discover/search-sessions) used by the rule to create alerts.
type: string
Security_Detections_API_SavedQueryRule:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- version
- tags
- enabled
- risk_score_mapping
- severity_mapping
- interval
- from
- to
- actions
- exceptions_list
- author
- false_positives
- references
- max_signals
- threat
- setup
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields'
Security_Detections_API_SavedQueryRuleCreateFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
Security_Detections_API_SavedQueryRuleCreateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
Security_Detections_API_SavedQueryRuleDefaultableFields:
type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
Security_Detections_API_SavedQueryRuleOptionalFields:
type: object
properties:
alert_suppression:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
data_view_id:
$ref: '#/components/schemas/Security_Detections_API_DataViewId'
filters:
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
index:
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
Security_Detections_API_SavedQueryRulePatchFields:
allOf:
- type: object
properties:
saved_id:
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
type:
description: Rule type
enum:
- saved_query
type: string
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
Security_Detections_API_SavedQueryRulePatchProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields'
Security_Detections_API_SavedQueryRuleRequiredFields:
type: object
properties:
saved_id:
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
type:
description: Rule type
enum:
- saved_query
type: string
required:
- type
- saved_id
Security_Detections_API_SavedQueryRuleResponseFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
- type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
required:
- language
Security_Detections_API_SavedQueryRuleUpdateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
Security_Detections_API_SetAlertAssigneesBody:
type: object
properties:
assignees:
$ref: '#/components/schemas/Security_Detections_API_AlertAssignees'
description: Details about the assignees to assign and unassign.
ids:
$ref: '#/components/schemas/Security_Detections_API_AlertIds'
required:
- assignees
- ids
Security_Detections_API_SetAlertsStatusByIds:
discriminator:
mapping:
closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds'
propertyName: status
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds'
- $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase'
Security_Detections_API_SetAlertsStatusByIdsBase:
type: object
properties:
signal_ids:
description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.'
items:
format: nonempty
minLength: 1
type: string
minItems: 1
type: array
status:
$ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed'
required:
- signal_ids
- status
Security_Detections_API_SetAlertsStatusByQuery:
discriminator:
mapping:
closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery'
propertyName: status
oneOf:
- $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery'
- $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase'
Security_Detections_API_SetAlertsStatusByQueryBase:
type: object
properties:
conflicts:
default: abort
enum:
- abort
- proceed
type: string
query:
additionalProperties: true
type: object
status:
$ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed'
required:
- query
- status
Security_Detections_API_SetAlertTags:
description: Object with list of tags to add and remove.
type: object
properties:
tags_to_add:
$ref: '#/components/schemas/Security_Detections_API_AlertTags'
tags_to_remove:
$ref: '#/components/schemas/Security_Detections_API_AlertTags'
required:
- tags_to_add
- tags_to_remove
Security_Detections_API_SetAlertTagsBody:
type: object
properties:
ids:
$ref: '#/components/schemas/Security_Detections_API_AlertIds'
tags:
$ref: '#/components/schemas/Security_Detections_API_SetAlertTags'
required:
- ids
- tags
Security_Detections_API_SetupGuide:
description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
type: string
Security_Detections_API_Severity:
description: |
Severity level of alerts produced by the rule, which must be one of the following:
* `low`: Alerts that are of interest but generally not considered to be security incidents
* `medium`: Alerts that require investigation
* `high`: Alerts that require immediate investigation
* `critical`: Alerts that indicate it is highly likely a security incident has occurred
enum:
- low
- medium
- high
- critical
type: string
Security_Detections_API_SeverityMapping:
description: Overrides generated alerts' severity with values from the source event
items:
type: object
properties:
field:
description: Source event field used to override the default `severity`.
type: string
operator:
enum:
- equals
type: string
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
value:
type: string
required:
- field
- operator
- severity
- value
type: array
Security_Detections_API_SiemErrorResponse:
type: object
properties:
message:
type: string
status_code:
type: integer
required:
- status_code
- message
Security_Detections_API_SkippedAlertsIndexMigration:
type: object
properties:
index:
type: string
required:
- index
Security_Detections_API_SortOrder:
enum:
- asc
- desc
type: string
Security_Detections_API_Threat:
description: |
> info
> Currently, only threats described using the MITRE ATT&CK™ framework are supported.
type: object
properties:
framework:
description: Relevant attack framework
type: string
tactic:
$ref: '#/components/schemas/Security_Detections_API_ThreatTactic'
technique:
description: Array containing information on the attack techniques (optional)
items:
$ref: '#/components/schemas/Security_Detections_API_ThreatTechnique'
type: array
required:
- framework
- tactic
Security_Detections_API_ThreatArray:
items:
$ref: '#/components/schemas/Security_Detections_API_Threat'
type: array
Security_Detections_API_ThreatFilters:
items:
description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
type: array
Security_Detections_API_ThreatIndex:
description: Elasticsearch indices used to check which field values generate alerts.
items:
type: string
type: array
Security_Detections_API_ThreatIndicatorPath:
description: Defines the path to the threat indicator in the indicator documents (optional)
type: string
Security_Detections_API_ThreatMapping:
description: |
Array of `entries` objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each `entries` object must contain these fields:
- field: field from the event indices on which the rule runs
- type: must be `mapping`
- value: field from the Elasticsearch threat index
You can use Boolean `and` and `or` logic to define the conditions under which matching fields and values generate alerts. Sibling `entries` objects are evaluated using `or` logic, whereas multiple entries within a single `entries` object are evaluated using `and` logic. See the Threat Match rule example, which uses both `and` and `or` logic.
items:
type: object
properties:
entries:
items:
$ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry'
type: array
required:
- entries
minItems: 1
type: array
Security_Detections_API_ThreatMappingEntry:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
negate:
type: boolean
type:
enum:
- mapping
type: string
value:
$ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
required:
- field
- type
- value
Security_Detections_API_ThreatMatchRule:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- version
- tags
- enabled
- risk_score_mapping
- severity_mapping
- interval
- from
- to
- actions
- exceptions_list
- author
- false_positives
- references
- max_signals
- threat
- setup
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields'
Security_Detections_API_ThreatMatchRuleCreateFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
Security_Detections_API_ThreatMatchRuleCreateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
Security_Detections_API_ThreatMatchRuleDefaultableFields:
type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
Security_Detections_API_ThreatMatchRuleOptionalFields:
type: object
properties:
alert_suppression:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
concurrent_searches:
$ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches'
data_view_id:
$ref: '#/components/schemas/Security_Detections_API_DataViewId'
filters:
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
index:
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
items_per_search:
$ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch'
saved_id:
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
threat_filters:
$ref: '#/components/schemas/Security_Detections_API_ThreatFilters'
threat_indicator_path:
$ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath'
threat_language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
Security_Detections_API_ThreatMatchRulePatchFields:
allOf:
- type: object
properties:
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
threat_index:
$ref: '#/components/schemas/Security_Detections_API_ThreatIndex'
threat_mapping:
$ref: '#/components/schemas/Security_Detections_API_ThreatMapping'
threat_query:
$ref: '#/components/schemas/Security_Detections_API_ThreatQuery'
type:
description: Rule type
enum:
- threat_match
type: string
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
Security_Detections_API_ThreatMatchRulePatchProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields'
Security_Detections_API_ThreatMatchRuleRequiredFields:
type: object
properties:
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
threat_index:
$ref: '#/components/schemas/Security_Detections_API_ThreatIndex'
threat_mapping:
$ref: '#/components/schemas/Security_Detections_API_ThreatMapping'
threat_query:
$ref: '#/components/schemas/Security_Detections_API_ThreatQuery'
type:
description: Rule type
enum:
- threat_match
type: string
required:
- type
- query
- threat_query
- threat_mapping
- threat_index
Security_Detections_API_ThreatMatchRuleResponseFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
- type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
required:
- language
Security_Detections_API_ThreatMatchRuleUpdateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
Security_Detections_API_ThreatQuery:
description: Query used to determine which fields in the Elasticsearch index are used for generating alerts.
type: string
Security_Detections_API_ThreatSubtechnique:
type: object
properties:
id:
description: Subtechnique ID
type: string
name:
description: Subtechnique name
type: string
reference:
description: Subtechnique reference
type: string
required:
- id
- name
- reference
Security_Detections_API_ThreatTactic:
description: |
Object containing information on the attack type
type: object
properties:
id:
description: Tactic ID
type: string
name:
description: Tactic name
type: string
reference:
description: Tactic reference
type: string
required:
- id
- name
- reference
Security_Detections_API_ThreatTechnique:
type: object
properties:
id:
description: Technique ID
type: string
name:
description: Technique name
type: string
reference:
description: Technique reference
type: string
subtechnique:
description: |
Array containing more specific information on the attack technique.
items:
$ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique'
type: array
required:
- id
- name
- reference
Security_Detections_API_Threshold:
type: object
properties:
cardinality:
$ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality'
field:
$ref: '#/components/schemas/Security_Detections_API_ThresholdField'
value:
$ref: '#/components/schemas/Security_Detections_API_ThresholdValue'
required:
- field
- value
Security_Detections_API_ThresholdAlertSuppression:
description: Defines alert suppression configuration.
type: object
properties:
duration:
$ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
required:
- duration
Security_Detections_API_ThresholdCardinality:
description: The field on which the cardinality is applied.
items:
type: object
properties:
field:
description: The field on which to calculate and compare the cardinality.
type: string
value:
description: The threshold value from which an alert is generated, based on the number of unique values of `cardinality.field`.
minimum: 0
type: integer
required:
- field
- value
type: array
Security_Detections_API_ThresholdField:
description: The field on which the threshold is applied. If you specify an empty array (`[]`), alerts are generated when the query returns at least the number of results specified in the `value` field.
oneOf:
- type: string
- items:
type: string
maxItems: 5
minItems: 0
type: array
Security_Detections_API_ThresholdRule:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- version
- tags
- enabled
- risk_score_mapping
- severity_mapping
- interval
- from
- to
- actions
- exceptions_list
- author
- false_positives
- references
- max_signals
- threat
- setup
- related_integrations
- required_fields
- $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields'
Security_Detections_API_ThresholdRuleCreateFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
Security_Detections_API_ThresholdRuleCreateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
Security_Detections_API_ThresholdRuleDefaultableFields:
type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
Security_Detections_API_ThresholdRuleOptionalFields:
type: object
properties:
alert_suppression:
$ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
data_view_id:
$ref: '#/components/schemas/Security_Detections_API_DataViewId'
filters:
$ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
index:
$ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
saved_id:
$ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
Security_Detections_API_ThresholdRulePatchFields:
allOf:
- type: object
properties:
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
threshold:
$ref: '#/components/schemas/Security_Detections_API_Threshold'
type:
description: Rule type
enum:
- threshold
type: string
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
Security_Detections_API_ThresholdRulePatchProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields'
Security_Detections_API_ThresholdRuleRequiredFields:
type: object
properties:
query:
$ref: '#/components/schemas/Security_Detections_API_RuleQuery'
threshold:
$ref: '#/components/schemas/Security_Detections_API_Threshold'
type:
description: Rule type
enum:
- threshold
type: string
required:
- type
- query
- threshold
Security_Detections_API_ThresholdRuleResponseFields:
allOf:
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
- type: object
properties:
language:
$ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
required:
- language
Security_Detections_API_ThresholdRuleUpdateProps:
allOf:
- type: object
properties:
actions:
description: Array defining the automated actions (notifications) taken when alerts are generated.
items:
$ref: '#/components/schemas/Security_Detections_API_RuleAction'
type: array
alias_purpose:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
alias_target_id:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
author:
$ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
building_block_type:
$ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
description:
$ref: '#/components/schemas/Security_Detections_API_RuleDescription'
enabled:
$ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
exceptions_list:
items:
$ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
type: array
false_positives:
$ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
from:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
id:
$ref: '#/components/schemas/Security_Detections_API_UUID'
interval:
$ref: '#/components/schemas/Security_Detections_API_RuleInterval'
investigation_fields:
$ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
license:
$ref: '#/components/schemas/Security_Detections_API_RuleLicense'
max_signals:
$ref: '#/components/schemas/Security_Detections_API_MaxSignals'
meta:
$ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
name:
$ref: '#/components/schemas/Security_Detections_API_RuleName'
namespace:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
note:
$ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
outcome:
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
output_index:
$ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
references:
$ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
related_integrations:
$ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
required_fields:
description: |
Elasticsearch fields and their types that need to be present for the rule to function.
> info
> The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items:
$ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
type: array
response_actions:
items:
$ref: '#/components/schemas/Security_Detections_API_ResponseAction'
type: array
risk_score:
$ref: '#/components/schemas/Security_Detections_API_RiskScore'
risk_score_mapping:
$ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
rule_id:
$ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
rule_name_override:
$ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
setup:
$ref: '#/components/schemas/Security_Detections_API_SetupGuide'
severity:
$ref: '#/components/schemas/Security_Detections_API_Severity'
severity_mapping:
$ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
tags:
$ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
threat:
$ref: '#/components/schemas/Security_Detections_API_ThreatArray'
throttle:
$ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
timeline_id:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
timeline_title:
$ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
timestamp_override:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
timestamp_override_fallback_disabled:
$ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
to:
$ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
version:
$ref: '#/components/schemas/Security_Detections_API_RuleVersion'
required:
- name
- description
- risk_score
- severity
- $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
Security_Detections_API_ThresholdValue:
description: The threshold value from which an alert is generated.
minimum: 1
type: integer
Security_Detections_API_ThrottleForBulkActions:
description: |
Defines the maximum interval in which a rule’s actions are executed.
> info
> The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months.
> In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field.
enum:
- rule
- 1h
- 1d
- 7d
type: string
Security_Detections_API_TiebreakerField:
description: Sets a secondary field for sorting events
type: string
Security_Detections_API_TimelineTemplateId:
description: Timeline template ID
type: string
Security_Detections_API_TimelineTemplateTitle:
description: Timeline template title
type: string
Security_Detections_API_TimestampField:
description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
type: string
Security_Detections_API_TimestampOverride:
description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type.
type: string
Security_Detections_API_TimestampOverrideFallbackDisabled:
description: Disables the fallback to the event's @timestamp field
type: boolean
Security_Detections_API_UUID:
description: A universally unique identifier
format: uuid
type: string
Security_Detections_API_WarningSchema:
type: object
properties:
actionPath:
type: string
buttonLabel:
type: string
message:
type: string
type:
type: string
required:
- type
- message
- actionPath
Security_Endpoint_Exceptions_API_EndpointList:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList'
- additionalProperties: false
type: object
Security_Endpoint_Exceptions_API_EndpointListItem:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
Security_Endpoint_Exceptions_API_ExceptionList:
type: object
properties:
_version:
description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
type: string
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
type: string
description:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription'
id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId'
immutable:
type: boolean
list_id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
meta:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta'
name:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName'
namespace_type:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
os_types:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray'
tags:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags'
tie_breaker_id:
description: Field used in search to ensure all containers are sorted and returned correctly.
type: string
type:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
type: string
version:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion'
required:
- id
- list_id
- type
- name
- description
- immutable
- namespace_type
- version
- tie_breaker_id
- created_at
- created_by
- updated_at
- updated_by
Security_Endpoint_Exceptions_API_ExceptionListDescription:
description: Describes the exception list.
example: This list tracks allowlisted values.
type: string
Security_Endpoint_Exceptions_API_ExceptionListHumanId:
description: |
The exception list's human-readable string identifier.
For endpoint artifacts, use one of the following values:
* `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions)
* `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications)
* `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices)
* `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters)
* `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions)
* `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist)
example: simple_list
format: nonempty
minLength: 1
type: string
Security_Endpoint_Exceptions_API_ExceptionListId:
description: Exception list's identifier.
example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
format: nonempty
minLength: 1
type: string
Security_Endpoint_Exceptions_API_ExceptionListItem:
type: object
properties:
_version:
description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
type: string
comments:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
type: string
description:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
entries:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
expire_time:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime'
id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
item_id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
list_id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
meta:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
name:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
namespace_type:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
os_types:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
tags:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
tie_breaker_id:
description: Field used in search to ensure all containers are sorted and returned correctly.
type: string
type:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
type: string
required:
- id
- item_id
- list_id
- type
- name
- description
- entries
- namespace_type
- comments
- tie_breaker_id
- created_at
- created_by
- updated_at
- updated_by
Security_Endpoint_Exceptions_API_ExceptionListItemComment:
type: object
properties:
comment:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
required:
- id
- comment
- created_at
- created_by
Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray:
description: |
Array of comment fields:
- comment (string): Comments about the exception item.
items:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment'
type: array
Security_Endpoint_Exceptions_API_ExceptionListItemDescription:
description: Describes the exception list.
type: string
Security_Endpoint_Exceptions_API_ExceptionListItemEntry:
anyOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard'
discriminator:
propertyName: type
Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray:
items:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry'
type: array
Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
operator:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- exists
type: string
required:
- type
- field
- operator
Security_Endpoint_Exceptions_API_ExceptionListItemEntryList:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
list:
type: object
properties:
id:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId'
type:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType'
required:
- id
- type
operator:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- list
type: string
required:
- type
- field
- list
- operator
Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
operator:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- match
type: string
value:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
required:
- type
- field
- value
- operator
Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
operator:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- match_any
type: string
value:
items:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
minItems: 1
type: array
required:
- type
- field
- value
- operator
Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
operator:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- wildcard
type: string
value:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
required:
- type
- field
- value
- operator
Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested:
type: object
properties:
entries:
items:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
minItems: 1
type: array
field:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
type:
enum:
- nested
type: string
required:
- type
- field
- entries
Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
- $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator:
enum:
- excluded
- included
type: string
Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime:
description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
format: date-time
type: string
Security_Endpoint_Exceptions_API_ExceptionListItemHumanId:
description: Human-readable string identifier, e.g. `trusted-linux-processes`
example: simple_list_item
format: nonempty
minLength: 1
type: string
Security_Endpoint_Exceptions_API_ExceptionListItemId:
description: Exception's identifier.
example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
format: nonempty
minLength: 1
type: string
Security_Endpoint_Exceptions_API_ExceptionListItemMeta:
additionalProperties: true
type: object
Security_Endpoint_Exceptions_API_ExceptionListItemName:
description: Exception list name.
format: nonempty
minLength: 1
type: string
Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray:
items:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
type: array
Security_Endpoint_Exceptions_API_ExceptionListItemTags:
items:
description: String array containing words and phrases to help categorize exception items.
format: nonempty
minLength: 1
type: string
type: array
Security_Endpoint_Exceptions_API_ExceptionListItemType:
enum:
- simple
type: string
Security_Endpoint_Exceptions_API_ExceptionListMeta:
additionalProperties: true
description: Placeholder for metadata about the list container.
type: object
Security_Endpoint_Exceptions_API_ExceptionListName:
description: The name of the exception list.
example: My exception list
type: string
Security_Endpoint_Exceptions_API_ExceptionListOsType:
description: Use this field to specify the operating system.
enum:
- linux
- macos
- windows
type: string
Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray:
description: Use this field to specify the operating system. Only enter one value.
items:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
type: array
Security_Endpoint_Exceptions_API_ExceptionListTags:
description: String array containing words and phrases to help categorize exception containers.
items:
type: string
type: array
Security_Endpoint_Exceptions_API_ExceptionListType:
description: The type of exception list to be created. Different list types may denote where they can be utilized.
enum:
- detection
- rule_default
- endpoint
- endpoint_trusted_apps
- endpoint_trusted_devices
- endpoint_events
- endpoint_host_isolation_exceptions
- endpoint_blocklists
type: string
Security_Endpoint_Exceptions_API_ExceptionListVersion:
description: The document version, automatically increased on updates.
minimum: 1
type: integer
Security_Endpoint_Exceptions_API_ExceptionNamespaceType:
description: |
Determines whether the exception container is available in all Kibana spaces or just the space
in which it is created, where:
- `single`: Only available in the Kibana space in which it is created.
- `agnostic`: Available in all Kibana spaces.
For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
enum:
- agnostic
- single
type: string
Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter:
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
Security_Endpoint_Exceptions_API_ListId:
description: Value list's identifier.
example: 21b01cfb-058d-44b9-838c-282be16c91cd
format: nonempty
minLength: 1
type: string
Security_Endpoint_Exceptions_API_ListType:
description: |
Specifies the Elasticsearch data type of the excluded values the list container holds. Some common examples:
- `keyword`: Many ECS fields are Elasticsearch keywords
- `ip`: IP addresses
- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
enum:
- binary
- boolean
- byte
- date
- date_nanos
- date_range
- double
- double_range
- float
- float_range
- geo_point
- geo_shape
- half_float
- integer
- integer_range
- ip
- ip_range
- keyword
- long
- long_range
- shape
- short
- text
type: string
Security_Endpoint_Exceptions_API_NonEmptyString:
description: A string that does not contain only whitespace characters
format: nonempty
minLength: 1
type: string
Security_Endpoint_Exceptions_API_PlatformErrorResponse:
type: object
properties:
error:
type: string
message:
type: string
statusCode:
type: integer
required:
- statusCode
- error
- message
Security_Endpoint_Exceptions_API_SiemErrorResponse:
type: object
properties:
message:
type: string
status_code:
type: integer
required:
- status_code
- message
Security_Endpoint_Management_API_ActionDetailsResponse:
discriminator:
mapping:
cancel: '#/components/schemas/Security_Endpoint_Management_API_Cancel'
execute: '#/components/schemas/Security_Endpoint_Management_API_Execute'
get-file: '#/components/schemas/Security_Endpoint_Management_API_GetFile'
isolate: '#/components/schemas/Security_Endpoint_Management_API_Isolate'
kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess'
memory-dump: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump'
running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses'
runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript'
scan: '#/components/schemas/Security_Endpoint_Management_API_Scan'
suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess'
unisolate: '#/components/schemas/Security_Endpoint_Management_API_Unisolate'
upload: '#/components/schemas/Security_Endpoint_Management_API_Upload'
propertyName: command
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcess'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFile'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Execute'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Runscript'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Upload'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Scan'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Cancel'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_MemoryDump'
Security_Endpoint_Management_API_ActionStateSuccessResponse:
type: object
properties:
body:
type: object
properties:
data:
type: object
properties:
canEncrypt:
description: Whether the Kibana instance has encryption enabled for response actions.
type: boolean
required:
- data
required:
- body
Security_Endpoint_Management_API_ActionStatusSuccessResponse:
type: object
properties:
body:
type: object
properties:
data:
type: object
properties:
agent_id:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId'
pending_actions:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema'
required:
- agent_id
- pending_actions
required:
- data
required:
- body
Security_Endpoint_Management_API_AgentId:
description: Agent ID
type: string
Security_Endpoint_Management_API_AgentIds:
description: A list of agent IDs. Max of 250.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
minLength: 1
type: string
maxItems: 250
minItems: 1
type: array
- minLength: 1
type: string
Security_Endpoint_Management_API_AgentTypes:
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
Security_Endpoint_Management_API_Cancel:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
type: object
properties:
code:
type: string
type: object
parameters:
type: object
properties:
id:
format: uuid
type: string
Security_Endpoint_Management_API_CancelRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
parameters:
type: object
properties:
id:
description: ID of the response action to cancel
example: 7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d
minLength: 1
type: string
required:
- id
required:
- parameters
Security_Endpoint_Management_API_CloudFileScriptParameters:
type: object
properties:
cloudFile:
description: Script name in cloud storage.
minLength: 1
type: string
commandLine:
description: Command line arguments.
minLength: 1
type: string
timeout:
description: Timeout in seconds.
minimum: 1
type: integer
required:
- cloudFile
Security_Endpoint_Management_API_Command:
description: The command for the response action
enum:
- isolate
- unisolate
- kill-process
- suspend-process
- running-processes
- get-file
- execute
- upload
- scan
- runscript
- cancel
- memory-dump
minLength: 1
type: string
Security_Endpoint_Management_API_Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
maxItems: 50
type: array
Security_Endpoint_Management_API_Comment:
description: Optional comment
example: This is a comment
type: string
Security_Endpoint_Management_API_DownloadUri:
type: object
properties:
downloadUri:
description: |
The server relative URI to download the file associated with the output of the response action.
The URI does **not** include the space prefix.
example: /api/endpoint/action/497f6eca-6276/file/35645-6276-4993/download
format: uri-reference
type: string
Security_Endpoint_Management_API_EndDate:
description: An end date in ISO 8601 format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
Security_Endpoint_Management_API_EndpointIds:
description: List of endpoint IDs (cannot contain empty strings). Max of 250.
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
maxItems: 250
minItems: 1
type: array
Security_Endpoint_Management_API_EndpointMetadataResponse:
example:
host_status: healthy
last_checkin: '2023-07-04T15:48:57.360Z'
metadata:
'@timestamp': '2023-07-04T15:48:57.3609346Z'
agent:
build:
original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
id: abb8a826-6812-448c-a571-6d8269b51449
type: endpoint
version: 7.16.0
data_stream:
dataset: endpoint.metadata
namespace: default
type: metrics
ecs:
version: 1.11.0
elastic:
agent:
id: abb8a826-6812-448c-a571-6d8269b51449
Endpoint:
capabilities:
- isolation
configuration:
isolation: false
policy:
applied:
endpoint_policy_version: '2'
id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
name: test
status: success
version: '3'
state:
isolation: false
status: enrolled
event:
action: endpoint_metadata
agent_id_status: verified
category:
- host
created: '2023-07-04T15:48:57.3609346Z'
dataset: endpoint.metadata
id: MNtRc++KoKHXXwlj+++++OhZ
ingested: '2023-07-04T15:48:58Z'
kind: metric
module: endpoint
sequence: 43757
type:
- info
host:
architecture: x86_64
hostname: WinDev2104Eval
id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5
ip:
- 10.0.2.15
- fe80::21a6:63d3:d70e:e3ad
- 127.0.0.1
- '::1'
mac:
- 08:00:27:b1:1d:5a
name: WinDev2104Eval
os:
Ext:
variant: Windows 10 Enterprise Evaluation
family: windows
full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)
kernel: 20H2 (10.0.19042.906)
name: Windows
platform: windows
type: windows
version: 20H2 (10.0.19042.906)
message: Endpoint metadata
policy_info:
agent:
applied:
id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
revision: 3
configured:
id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
revision: 3
endpoint:
id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
revision: 2
type: object
properties: {}
Security_Endpoint_Management_API_Execute:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
- type: object
properties:
code:
type: string
cwd:
type: string
output_file_id:
type: string
output_file_stderr_truncated:
type: boolean
output_file_stdout_truncated:
type: boolean
shell_code:
type: number
stderr:
type: string
stderr_truncated:
type: boolean
stdout:
type: string
stdout_truncated:
type: boolean
type: object
parameters:
type: object
properties:
command:
type: string
timeout:
type: number
Security_Endpoint_Management_API_ExecuteRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
parameters:
type: object
properties:
command:
description: The shell command to execute on the endpoint.
minLength: 1
type: string
timeout:
description: The maximum timeout value in seconds before the command is terminated.
minimum: 1
type: integer
required:
- command
required:
- parameters
Security_Endpoint_Management_API_GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties:
agentTypes:
description: The list of agent types the query was filtered by.
items:
type: string
type: array
commands:
description: The list of commands the query was filtered by.
items:
type: string
type: array
data:
description: The list of response actions.
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
type: array
elasticAgentIds:
description: The list of elastic agent IDs the query was filtered by.
items:
type: string
type: array
endDate:
description: The end date filter applied to the query.
type: string
page:
description: The current page number.
type: integer
pageSize:
description: The number of items per page.
type: integer
startDate:
description: The start date filter applied to the query.
type: string
statuses:
description: The list of statuses the query was filtered by.
items:
type: string
type: array
total:
description: The total number of response actions matching the query.
type: integer
userIds:
description: The list of user IDs the query was filtered by.
items:
type: string
type: array
Security_Endpoint_Management_API_GetFile:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
- type: object
properties:
code:
type: string
contents:
items:
type: object
properties:
file_name:
type: string
path:
type: string
sha256:
type: string
size:
type: number
type:
type: string
type: array
zip_size:
type: number
type: object
parameters:
type: object
properties:
path:
type: string
Security_Endpoint_Management_API_GetFileRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
parameters:
type: object
properties:
path:
description: The full file path to retrieve from the endpoint.
type: string
required:
- path
required:
- parameters
Security_Endpoint_Management_API_GetProcessesRouteRequestBody:
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
Security_Endpoint_Management_API_HostPathScriptParameters:
type: object
properties:
commandLine:
description: Command line arguments.
minLength: 1
type: string
hostPath:
description: Absolute or relative path of script on host machine.
minLength: 1
type: string
timeout:
description: Timeout in seconds.
minimum: 1
type: integer
required:
- hostPath
Security_Endpoint_Management_API_HostStatuses:
description: A set of agent health statuses to filter by.
example:
- healthy
- updating
items:
enum:
- healthy
- offline
- updating
- inactive
- unenrolled
type: string
maxItems: 20
type: array
Security_Endpoint_Management_API_Isolate:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- description: Details of an isolate action response.
type: object
Security_Endpoint_Management_API_IsolateRouteResponse:
type: object
properties:
action:
description: The action ID (legacy field, same as `data.id`).
type: string
data:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
Security_Endpoint_Management_API_KillProcess:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
oneOf:
- type: object
properties:
code:
type: string
command:
type: string
pid:
type: number
- type: object
properties:
code:
type: string
command:
type: string
entity_id:
type: string
- type: object
properties:
code:
type: string
command:
type: string
process_name:
type: string
type: object
parameters:
oneOf:
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
minimum: 1
type: number
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
minLength: 1
type: string
- type: object
properties:
process_name:
description: The name of the process to terminate. Valid for the SentinelOne agent type only.
type: string
Security_Endpoint_Management_API_KillProcessRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
parameters:
oneOf:
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: The name of the process to terminate. Valid for the SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
Security_Endpoint_Management_API_Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
type: string
Security_Endpoint_Management_API_MDERunScriptParameters:
description: Parameters for the Run Script response action against the Microsoft Defender Endpoint agent type.
example:
agent_type: microsoft_defender_endpoint
endpoint_ids:
- endpoint-id-1
parameters:
args: '-param1 value1 -param2 value2'
scriptName: my-script.ps1
properties:
args:
description: Optional command line arguments for the script.
minLength: 1
type: string
scriptName:
description: The name of the script in cloud storage to execute.
minLength: 1
type: string
required:
- scriptName
title: Microsoft Defender Endpoint Run Script Parameters
type: object
Security_Endpoint_Management_API_MemoryDump:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
properties:
code:
type: string
disk_free_space:
description: The free space on the host machine in bytes after the memory dump is written to disk
type: number
file_size:
description: The size of the memory dump compressed file in bytes
type: string
path:
description: The path to the memory dump compressed file on the host machine
type: string
title: Memory dump output
type: object
type: object
parameters:
oneOf:
- properties:
type:
description: Kernel-level memory dump
enum:
- kernel
type: string
required:
- type
title: Kernel memory dump
type: object
- properties:
pid:
description: The process ID (PID)
type: number
type:
description: Process-level memory dump using a process ID
enum:
- process
type: string
required:
- type
- pid
title: Process memory dump with PID
type: object
- properties:
entity_id:
description: The process entity ID
type: string
type:
description: Process-level memory dump using an entity ID
enum:
- process
type: string
required:
- type
- entity_id
title: Process memory dump with entity ID
type: object
required:
- parameters
Security_Endpoint_Management_API_MemoryDumpRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
parameters:
oneOf:
- description: Dump the entire kernel memory.
type: object
properties:
type:
enum:
- kernel
type: string
required:
- type
- description: Dump the entire memory of a process using the PID.
type: object
properties:
pid:
type: number
type:
enum:
- process
type: string
required:
- type
- pid
- description: Dump the entire memory of a process using the entity ID.
type: object
properties:
entity_id:
type: string
type:
enum:
- process
type: string
required:
- type
- entity_id
required:
- parameters
Security_Endpoint_Management_API_MetadataListResponse:
example:
data:
- host_status: healthy
last_checkin: '2023-07-04T15:47:57.432Z'
metadata:
'@timestamp': '2023-07-04T15:47:57.432173535Z'
agent:
build:
original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
id: 285297c6-3bff-4b83-9a07-f3e749801123
type: endpoint
version: 7.16.0
data_stream:
dataset: endpoint.metadata
namespace: default
type: metrics
ecs:
version: 1.11.0
elastic:
agent:
id: 285297c6-3bff-4b83-9a07-f3e749801123
Endpoint:
capabilities:
- isolation
configuration:
isolation: false
policy:
applied:
endpoint_policy_version: '2'
id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
name: test
status: success
version: '3'
state:
isolation: false
status: enrolled
event:
action: endpoint_metadata
agent_id_status: verified
category:
- host
created: '2023-07-04T15:47:57.432173535Z'
dataset: endpoint.metadata
id: MNtSXK/SkhEBnmgt++++++7S
ingested: '2023-07-04T15:47:58Z'
kind: metric
module: endpoint
sequence: 400
type:
- info
host:
architecture: x86_64
hostname: david-Xubuntu
id: 0cfead88e2024bd8a27476352b5ab264
ip:
- 127.0.0.1
- '::1'
- 10.0.2.15
- fe80::2ac7:8e15:b957:2fa1
mac:
- 08:00:27:e6:78:8b
name: david-Xubuntu
os:
Ext:
variant: Ubuntu
family: ubuntu
full: Ubuntu 20.04.2
kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021'
name: Linux
platform: ubuntu
type: linux
version: 20.04.2
message: Endpoint metadata
policy_info:
agent:
applied:
id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
revision: 0
configured:
id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
revision: 3
endpoint:
id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
revision: 2
- host_status: healthy
last_checkin: '2023-07-04T15:44:31.491Z'
metadata:
'@timestamp': '2023-07-04T15:44:31.4917849Z'
agent:
build:
original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab'
id: abb8a826-6812-448c-a571-6d8269b51449
type: endpoint
version: 7.16.0
data_stream:
dataset: endpoint.metadata
namespace: default
type: metrics
ecs:
version: 1.11.0
elastic:
agent:
id: abb8a826-6812-448c-a571-6d8269b51449
Endpoint:
capabilities:
- isolation
configuration:
isolation: false
policy:
applied:
endpoint_policy_version: '2'
id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
name: test
status: success
version: '3'
state:
isolation: false
status: enrolled
event:
action: endpoint_metadata
agent_id_status: verified
category:
- host
created: '2023-07-04T15:44:31.4917849Z'
dataset: endpoint.metadata
id: MNtRc++KoKHXXwlj+++++/N9
ingested: '2023-07-04T15:44:33Z'
kind: metric
module: endpoint
sequence: 5159
type:
- info
host:
architecture: x86_64
hostname: WinDev2104Eval
id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5
ip:
- 10.0.2.15
- fe80::21a6:63d3:d70e:e3ad
- 127.0.0.1
- '::1'
mac:
- 08:00:27:b1:1d:5a
name: WinDev2104Eval
os:
Ext:
variant: Windows 10 Enterprise Evaluation
family: windows
full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906)
kernel: 20H2 (10.0.19042.906)
name: Windows
platform: windows
type: windows
version: 20H2 (10.0.19042.906)
message: Endpoint metadata
policy_info:
agent:
applied:
id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
revision: 0
configured:
id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753
revision: 3
endpoint:
id: d5371dcd-93b7-4627-af88-4084f7d6aa3e
revision: 2
page: 0
pageSize: 10
sortDirection: desc
sortField: enrolled_at
total: 2
type: object
properties: {}
Security_Endpoint_Management_API_Page:
default: 1
description: Page number
example: 1
minimum: 1
type: integer
Security_Endpoint_Management_API_PageSize:
default: 10
description: Number of items per page
example: 10
maximum: 100
minimum: 1
type: integer
Security_Endpoint_Management_API_Parameters:
description: Parameters object
type: object
Security_Endpoint_Management_API_PendingActionDataType:
description: Number of pending actions of this type.
type: integer
Security_Endpoint_Management_API_PendingActionsSchema:
oneOf:
- type: object
properties:
execute:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending execute actions.
get-file:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending get-file actions.
isolate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending isolate actions.
kill-process:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending kill-process actions.
running-processes:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending running-processes (get processes) actions.
scan:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending scan actions.
suspend-process:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending suspend-process actions.
unisolate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending unisolate (release) actions.
upload:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
description: Number of pending upload actions.
- additionalProperties: true
type: object
Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
type: object
properties:
note:
description: A note associated with the protection updates for the given package policy.
type: string
Security_Endpoint_Management_API_RawScriptParameters:
type: object
properties:
commandLine:
description: Command line arguments.
minLength: 1
type: string
raw:
description: Raw script content.
minLength: 1
type: string
timeout:
description: Timeout in seconds.
minimum: 1
type: integer
required:
- raw
Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: __agent__type__here_
command: __command__name__here__
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-node-1235412
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: false
isExpired: false
outputs: {}
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
status: pending
wasSuccessful: false
type: object
properties:
data:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
Security_Endpoint_Management_API_ResponseActionDetails:
type: object
properties:
agents:
description: The agent IDs for the hosts that the response action was sent to
items:
format: uuid
type: string
type: array
agentState:
additionalProperties:
format: uuid
type: object
properties:
completedAt:
description: The date and time the response action was completed for the agent ID
type: string
isCompleted:
description: Whether the response action is completed for the agent ID
type: boolean
wasSuccessful:
description: Whether the response action was successful for the agent ID
type: boolean
description: The state of the response action for each agent ID that it was sent to
type: object
agentType:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
command:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
completedAt:
description: The response action completion time
format: date-time
type: string
createdBy:
description: The user who created the response action
type: string
hosts:
additionalProperties:
format: uuid
type: object
properties:
name:
description: The host name
type: string
description: An object containing the host names associated with the agent IDs the response action was sent to
type: object
id:
description: The response action ID
format: uuid
type: string
isComplete:
description: Whether the response action is complete
type: boolean
isExpired:
description: Whether the response action is expired
type: boolean
outputs:
additionalProperties:
description: The agent id
format: uuid
properties:
content:
description: The response action output content for the agent ID. Exact format depends on the response action command.
oneOf:
- type: object
- type: string
type:
enum:
- json
- text
type: string
required:
- type
- content
title: Agent ID
type: object
description: |
The outputs of the response action for each agent ID that it was sent to. Content differs depending on the
response action command and will only be present for agents that have responded to the response action.
type: object
parameters:
description: The parameters of the response action. Content differs depending on the response action command.
type: object
startedAt:
description: The response action start time
format: date-time
type: string
status:
description: The response action status
type: string
wasSuccessful:
description: Whether the response action was successful
type: boolean
required:
- command
Security_Endpoint_Management_API_RunningProcesses:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne'
type: object
Security_Endpoint_Management_API_RunningProcessesOutputEndpoint:
description: Processes output for `agentType` of `endpoint`
type: object
properties:
code:
type: string
entries:
items:
type: object
properties:
command:
type: string
entity_id:
type: string
pid:
type: number
user:
type: string
type: array
Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
- description: Processes output for `agentType` of `sentinel_one`
type: object
properties:
code:
type: string
Security_Endpoint_Management_API_Runscript:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
- type: object
properties:
code:
type: string
stderr:
type: string
stdout:
type: string
type: object
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne'
Security_Endpoint_Management_API_RunscriptParamsCrowdStrike:
type: object
properties:
cloudFile:
type: string
commandLine:
type: string
hostPath:
type: string
raw:
type: string
timeout:
type: number
Security_Endpoint_Management_API_RunscriptParamsMicrosoft:
type: object
properties:
args:
type: string
scriptName:
type: string
Security_Endpoint_Management_API_RunscriptParamsSentinelOne:
type: object
properties:
scriptId:
type: string
scriptInput:
type: string
Security_Endpoint_Management_API_RunScriptRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
parameters:
description: |
One of the following sets of parameters must be provided.
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters'
required:
- parameters
Security_Endpoint_Management_API_Scan:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
type: object
properties:
code:
type: string
type: object
parameters:
type: object
properties:
path:
type: string
Security_Endpoint_Management_API_ScanRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
parameters:
type: object
properties:
path:
description: The folder or file's full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
Security_Endpoint_Management_API_SentinelOneRunScriptParameters:
description: Parameters for the Run Script response action against the SentinelOne agent type.
example:
agent_type: sentinel_one
endpoint_ids:
- endpoint-id-1
parameters:
scriptId: 1111-2222-3333-4444-5555-6666-7777-8888
scriptInput: '--delete --paths-to-delete /tmp/temp_file.txt,/tmp/random_file.txt'
properties:
scriptId:
description: The ID of the script from the SentinelOne scripts library that will be executed.
minLength: 1
type: string
scriptInput:
description: The input parameter arguments for the script that was selected.
minLength: 1
type: string
required:
- scriptId
title: SentinelOne Run Script Parameters
type: object
Security_Endpoint_Management_API_SortDirection:
description: Determines the sort order.
enum:
- asc
- desc
example: desc
type: string
Security_Endpoint_Management_API_SortField:
description: Determines which field is used to sort the results.
enum:
- enrolled_at
- metadata.host.hostname
- host_status
- metadata.Endpoint.policy.applied.name
- metadata.Endpoint.policy.applied.status
- metadata.host.os.name
- metadata.host.ip
- metadata.agent.version
- last_checkin
example: enrolled_at
type: string
Security_Endpoint_Management_API_StartDate:
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
Security_Endpoint_Management_API_SuccessResponse:
description: A generic successful response.
type: object
Security_Endpoint_Management_API_SuspendProcess:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
oneOf:
- type: object
properties:
code:
type: string
command:
type: string
pid:
type: number
- type: object
properties:
code:
type: string
command:
type: string
entity_id:
type: string
type: object
parameters:
oneOf:
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
minimum: 1
type: number
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
minLength: 1
type: string
Security_Endpoint_Management_API_SuspendProcessRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
parameters:
oneOf:
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
Security_Endpoint_Management_API_Type:
description: Type of response action
enum:
- automated
- manual
type: string
Security_Endpoint_Management_API_Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Type'
maxItems: 2
minItems: 1
type: array
Security_Endpoint_Management_API_Unisolate:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- description: Details of an unisolate action response.
type: object
Security_Endpoint_Management_API_UnisolateRouteResponse:
type: object
properties:
action:
description: The action ID (legacy field, same as `data.id`).
type: string
data:
$ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
Security_Endpoint_Management_API_Upload:
allOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
- type: object
properties:
outputs:
additionalProperties:
type: object
properties:
content:
type: object
properties:
code:
type: string
disk_free_space:
type: number
path:
type: string
type: object
parameters:
description: |
The upload parameters returned in the action details are derived by the API from the file
that was uploaded at the time the response action was submitted.
type: object
properties:
file_id:
type: string
file_name:
type: string
file_sha256:
type: string
file_size:
type: number
Security_Endpoint_Management_API_UploadRouteRequestBody:
allOf:
- type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. Max of 50.
example:
- alert-id-1
- alert-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
case_ids:
description: The IDs of cases where the action taken will be logged. Max of 50.
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
type: object
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
Security_Endpoint_Management_API_UserIds:
description: A list of user IDs. Max of 50.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
- minLength: 1
type: string
Security_Endpoint_Management_API_WithOutputs:
description: A list of action IDs that should include the complete output of the action. Max of 50.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1
type: string
maxItems: 50
minItems: 1
type: array
- minLength: 1
type: string
Security_Entity_Analytics_API_Asset:
additionalProperties: false
description: Asset metadata associated with the entity.
type: object
properties:
business_unit:
description: Business unit the asset belongs to.
type: string
criticality:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
description: The criticality level assigned to this asset.
nullable: true
environment:
description: Deployment environment (for example, production, staging).
type: string
id:
description: Unique identifier for the asset.
type: string
model:
description: Model name or number.
type: string
name:
description: Human-readable asset name.
type: string
owner:
description: The owner of the asset.
type: string
serial_number:
description: Serial number of the asset.
type: string
vendor:
description: Vendor or manufacturer.
type: string
Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem:
type: object
properties:
index:
type: integer
message:
type: string
required:
- message
- index
Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats:
type: object
properties:
failed:
type: integer
successful:
type: integer
total:
type: integer
required:
- successful
- failed
- total
Security_Entity_Analytics_API_AssetCriticalityLevel:
description: The criticality level of the asset.
enum:
- low_impact
- medium_impact
- high_impact
- extreme_impact
type: string
Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload:
description: The criticality level of the asset for bulk upload. The value `unassigned` indicates that no criticality level is assigned; it is valid only for bulk upload.
enum:
- low_impact
- medium_impact
- high_impact
- extreme_impact
- unassigned
type: string
Security_Entity_Analytics_API_AssetCriticalityRecord:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts'
- type: object
properties:
'@timestamp':
description: The time the record was created or updated.
example: '2017-07-21T17:32:28Z'
format: date-time
type: string
required:
- '@timestamp'
example:
'@timestamp': '2024-08-02T11:15:34.290Z'
asset:
criticality: high_impact
criticality_level: high_impact
host:
asset:
criticality: high_impact
name: my_host
id_field: host.name
id_value: my_host
Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts:
type: object
properties:
asset:
type: object
properties:
criticality:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
required:
- asset
entity:
type: object
properties:
asset:
type: object
properties:
criticality:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
required:
- criticality
id:
type: string
required:
- id
host:
type: object
properties:
asset:
type: object
properties:
criticality:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
required:
- criticality
name:
type: string
required:
- name
service:
type: object
properties:
asset:
type: object
properties:
criticality:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
required:
- criticality
name:
type: string
required:
- name
user:
type: object
properties:
asset:
type: object
properties:
criticality:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
required:
- criticality
name:
type: string
required:
- name
required:
- asset
Security_Entity_Analytics_API_AssetCriticalityRecordIdParts:
type: object
properties:
id_field:
$ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
description: The field representing the ID.
example: host.name
id_value:
description: The ID value of the asset.
type: string
required:
- id_value
- id_field
Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse:
type: object
properties:
cleanup_successful:
example: false
type: boolean
errors:
items:
type: object
properties:
error:
type: string
seq:
type: integer
required:
- seq
- error
type: array
required:
- cleanup_successful
- errors
Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse:
type: object
properties:
errors:
items:
type: object
properties:
error:
type: string
seq:
type: integer
required:
- seq
- error
type: array
risk_engine_saved_object_configured:
example: false
type: boolean
required:
- risk_engine_saved_object_configured
- errors
Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'
- type: object
properties:
criticality_level:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
required:
- criticality_level
Security_Entity_Analytics_API_DateRange:
description: Defines the lookback period for filtering source data by timestamp.
type: object
properties:
end:
description: End of the lookback period (date math or ISO string, e.g. "now")
type: string
start:
description: Start of the lookback period (date math or ISO string, e.g. "now-10d")
type: string
required:
- start
- end
Security_Entity_Analytics_API_EngineComponentResource:
description: The type of Elasticsearch or Kibana resource backing an engine component.
enum:
- entity_engine
- entity_definition
- index
- data_stream
- component_template
- index_template
- ingest_pipeline
- enrich_policy
- task
- transform
- ilm_policy
type: string
Security_Entity_Analytics_API_EngineComponentStatus:
description: Status of an individual Elasticsearch or Kibana resource backing an engine.
type: object
properties:
errors:
description: Errors reported by this component, if any.
items:
type: object
properties:
message:
description: Detailed error message.
type: string
title:
description: Short error title.
type: string
type: array
health:
description: The health status of the component.
enum:
- green
- yellow
- red
- unavailable
- unknown
type: string
id:
description: Unique identifier for the component.
type: string
installed:
description: Whether the component is currently installed.
type: boolean
metadata:
$ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata'
resource:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource'
required:
- id
- installed
- resource
Security_Entity_Analytics_API_EngineDataviewUpdateResult:
description: The result of applying data view index changes to a single engine.
type: object
properties:
changes:
description: The changes applied to the engine.
type: object
properties:
indexPatterns:
description: The updated list of index patterns now used by the engine.
items:
type: string
type: array
type:
description: The entity type of the engine that was updated.
type: string
required:
- type
Security_Entity_Analytics_API_EngineDescriptor:
description: Describes a single entity engine, including its configuration and current status.
type: object
properties:
delay:
default: 1m
description: The delay before the transform processes new data, allowing late-arriving documents to be included.
example: 1m
pattern: '[smdh]$'
type: string
docsPerSecond:
description: Throttle value for the number of documents processed per second. Use -1 for no throttle.
type: integer
error:
description: Present when the engine status is `error`. Describes the failure.
type: object
properties:
action:
description: The lifecycle action that caused the error.
enum:
- init
type: string
message:
description: A human-readable error message.
type: string
required:
- message
- action
fieldHistoryLength:
description: The number of historical values retained per field.
example: 10
type: integer
filter:
description: An optional Kibana Query Language (KQL) filter applied to source documents before aggregation.
example: 'host.name: "my-host"'
type: string
frequency:
default: 1m
description: How often the transform runs.
example: 1m
pattern: '[smdh]$'
type: string
indexPattern:
$ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
lookbackPeriod:
default: 24h
description: How far back the transform looks when calculating aggregations.
example: 24h
pattern: '[smdh]$'
type: string
status:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus'
timeout:
default: 180s
description: The timeout for initializing the aggregating transform.
example: 180s
pattern: '[smdh]$'
type: string
timestampField:
description: The field used as the timestamp for source documents.
example: '@timestamp'
type: string
type:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
required:
- type
- indexPattern
- status
- fieldHistoryLength
Security_Entity_Analytics_API_EngineMetadata:
additionalProperties: false
description: Internal metadata attached to an entity by the engine that produced it.
type: object
properties:
Type:
description: The engine type that produced this entity record.
type: string
required:
- Type
Security_Entity_Analytics_API_EngineStatus:
description: The current operational status of an entity engine.
enum:
- installing
- started
- stopped
- updating
- error
type: string
Security_Entity_Analytics_API_EntitiesContainer:
description: A collection of entities to upsert in bulk.
type: object
properties:
entities:
description: The entities to create or update.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityContainer'
type: array
required:
- entities
Security_Entity_Analytics_API_Entity:
description: An entity record from the Entity Store. The `entity` namespace is a root-level field in the latest index, unlike source logs where it is nested under `host`, `user`, or `service`.
oneOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity'
- $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity'
- $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity'
- $ref: '#/components/schemas/Security_Entity_Analytics_API_GenericEntity'
Security_Entity_Analytics_API_EntityAnalyticsPrivileges:
type: object
properties:
has_all_required:
type: boolean
has_read_permissions:
type: boolean
has_write_permissions:
type: boolean
privileges:
type: object
properties:
elasticsearch:
type: object
properties:
cluster:
additionalProperties:
type: boolean
type: object
index:
additionalProperties:
additionalProperties:
type: boolean
type: object
type: object
kibana:
additionalProperties:
type: boolean
type: object
required:
- elasticsearch
required:
- has_all_required
- privileges
Security_Entity_Analytics_API_EntityContainer:
description: A wrapper that pairs an entity type with the entity record to upsert.
type: object
properties:
record:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
description: The entity record to create or update.
type:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
description: The entity type of the record.
required:
- type
- record
Security_Entity_Analytics_API_EntityField:
additionalProperties: false
description: Core entity fields shared across all entity types. The `entity` namespace is a root-level field in the Entity Store latest index.
type: object
properties:
attributes:
additionalProperties: false
description: Boolean flags describing characteristics of the entity.
type: object
properties:
asset:
description: Whether the entity is classified as an asset.
type: boolean
managed:
description: Whether the entity is managed (for example, via a directory service).
type: boolean
mfa_enabled:
description: Whether multi-factor authentication is enabled for the entity.
type: boolean
privileged:
description: Whether the entity has elevated privileges.
type: boolean
behaviors:
additionalProperties: false
description: Boolean flags indicating observed behavioral signals.
type: object
properties:
brute_force_victim:
description: Whether the entity has been targeted by brute-force attacks.
type: boolean
new_country_login:
description: Whether the entity has logged in from a new country.
type: boolean
used_usb_device:
description: Whether the entity has used a USB device.
type: boolean
EngineMetadata:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata'
id:
description: Unique identifier for this entity.
example: arn:aws:iam::123456789012:user/jane.doe
type: string
lifecycle:
additionalProperties: false
description: Timestamps tracking the entity lifecycle.
type: object
properties:
first_seen:
description: When the entity was first observed.
format: date-time
type: string
last_activity:
description: When the entity last generated activity.
format: date-time
type: string
last_seen:
description: When the entity was last observed.
format: date-time
type: string
name:
description: Human-readable name of the entity.
example: jane.doe
type: string
relationships:
additionalProperties: false
description: Connections between this entity and other entities.
type: object
properties:
accessed_frequently_by:
description: Entity IDs that frequently access this entity.
items:
type: string
type: array
accesses_frequently:
description: Entity IDs this entity accesses frequently.
items:
type: string
type: array
accesses_infrequently:
description: Entity IDs this entity accesses infrequently.
items:
type: string
type: array
communicates_with:
description: Entity IDs this entity communicates with.
items:
type: string
type: array
dependent_of:
description: Entity IDs that depend on this entity.
items:
type: string
type: array
depends_on:
description: Entity IDs this entity depends on.
items:
type: string
type: array
owned_by:
description: Entity IDs that own this entity.
items:
type: string
type: array
owns:
description: Entity IDs owned by this entity.
items:
type: string
type: array
supervised_by:
description: Entity IDs that supervise this entity.
items:
type: string
type: array
supervises:
description: Entity IDs supervised by this entity.
items:
type: string
type: array
risk:
additionalProperties: false
description: Risk scoring information for the entity.
type: object
properties:
calculated_level:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels'
description: Lexical description of the entity's risk.
example: Critical
calculated_score:
description: The raw numeric value of the given entity's risk score.
format: double
type: number
calculated_score_norm:
description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
format: double
maximum: 100
minimum: 0
type: number
source:
description: The source that produced this entity record.
type: string
sub_type:
description: Optional sub-type classification for the entity.
type: string
type:
description: The entity type.
example: user
type: string
required:
- id
Security_Entity_Analytics_API_EntityRiskLevels:
enum:
- Unknown
- Low
- Moderate
- High
- Critical
type: string
Security_Entity_Analytics_API_EntityRiskScoreRecord:
type: object
properties:
'@timestamp':
description: The time at which the risk score was calculated.
example: '2017-07-21T17:32:28Z'
format: date-time
type: string
calculated_level:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels'
description: Lexical description of the entity's risk.
example: Critical
calculated_score:
description: The raw numeric value of the given entity's risk score.
format: double
type: number
calculated_score_norm:
description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
format: double
maximum: 100
minimum: 0
type: number
calculation_run_id:
description: Unique identifier for the scoring run that produced this document.
type: string
category_1_count:
description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`).
type: integer
category_1_score:
description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts.
format: double
type: number
category_2_count:
type: integer
category_2_score:
format: double
type: number
criticality_level:
$ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
criticality_modifier:
format: double
type: number
id_field:
description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored.
example: host.name
type: string
id_value:
description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored.
example: example.host
type: string
inputs:
description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput'
type: array
modifiers:
description: A list of modifiers that were applied to the risk score calculation.
items:
type: object
properties:
contribution:
format: double
type: number
metadata:
additionalProperties: true
type: object
modifier_value:
format: double
type: number
subtype:
type: string
type:
type: string
required:
- type
- contribution
type: array
notes:
items:
type: string
type: array
related_entities:
items:
type: object
properties:
entity_id:
type: string
relationship_type:
type: string
type: array
score_type:
description: Distinguishes base, propagated, and resolution scores.
enum:
- base
- propagated
- resolution
type: string
required:
- '@timestamp'
- id_field
- id_value
- calculated_level
- calculated_score
- calculated_score_norm
- category_1_score
- category_1_count
- inputs
- notes
Security_Entity_Analytics_API_EntitySourceType:
enum:
- index
- entity_analytics_integration
- store
type: string
Security_Entity_Analytics_API_EntityType:
description: The type of entity.
enum:
- user
- host
- service
- generic
type: string
Security_Entity_Analytics_API_Filter:
type: object
properties:
kuery:
oneOf:
- type: string
- type: object
Security_Entity_Analytics_API_GenericEntity:
additionalProperties: false
description: A generic entity record. Maps only the `entity` and `asset` namespaces. Add additional field mappings here as needed.
type: object
properties:
'@timestamp':
description: The time the entity record was last updated.
format: date-time
type: string
asset:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
additionalProperties: false
entity:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
required:
- entity
Security_Entity_Analytics_API_HostEntity:
additionalProperties: false
description: An entity record representing a host, stored in the Entity Store latest index.
type: object
properties:
'@timestamp':
description: The time the entity record was last updated.
format: date-time
type: string
asset:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
additionalProperties: false
entity:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
event:
additionalProperties: false
type: object
properties:
ingested:
description: When the event was ingested into Elasticsearch.
format: date-time
type: string
host:
additionalProperties: false
description: Elastic Common Schema (ECS) host fields collected on the entity.
type: object
properties:
architecture:
description: Observed CPU architectures.
items:
type: string
type: array
domain:
description: Observed host domains.
items:
type: string
type: array
entity:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
hostname:
description: Observed hostnames.
items:
type: string
type: array
id:
description: Observed host IDs.
items:
type: string
type: array
ip:
description: Observed IP addresses.
items:
type: string
type: array
mac:
description: Observed MAC addresses.
items:
type: string
type: array
name:
description: Primary host name.
type: string
os:
additionalProperties: false
description: Elastic Common Schema (ECS) host.os fields collected on the entity, as stored in the Entity Store latest index.
type: object
properties:
family:
type: string
full:
type: string
kernel:
type: string
name:
oneOf:
- type: string
- items:
type: string
type: array
platform:
type: string
type:
oneOf:
- type: string
- items:
type: string
type: array
version:
type: string
risk:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
type:
description: Observed host types.
items:
type: string
type: array
required:
- name
required:
- entity
Security_Entity_Analytics_API_IdField:
enum:
- host.name
- user.name
- service.name
- entity.id
type: string
Security_Entity_Analytics_API_IndexPattern:
description: An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs.
example: logs-*
type: string
Security_Entity_Analytics_API_InspectQuery:
description: Debug information about the Elasticsearch query executed.
type: object
properties:
dsl:
description: Elasticsearch query DSL that was executed.
items:
type: string
type: array
response:
description: Raw Elasticsearch responses.
items:
type: string
type: array
required:
- dsl
- response
Security_Entity_Analytics_API_Integrations:
type: object
properties:
syncData:
description: Sync data for the latest full sync and the latest update processed from integrations.
type: object
properties:
lastFullSync:
description: Timestamp of the last full sync from integrations
format: date-time
type: string
lastUpdateProcessed:
description: Timestamp of the last update processed from integrations
format: date-time
type: string
syncMarkerIndex:
description: Index to read latest sync markers from
type: string
Security_Entity_Analytics_API_Interval:
description: Interval at which the enrich policy runs. For example, `"1h"` means the policy runs every hour. Must be less than or equal to half the duration of the lookback period.
example: 1h
pattern: ^[1-9]\d*[smh]$
type: string
Security_Entity_Analytics_API_Matcher:
type: object
properties:
fields:
items:
type: string
type: array
values:
description: |
Matcher values. Must be either an array of strings (e.g. group or role names) or an array of booleans (e.g. integration-derived flags like privileged_group_member). Mixed types are intentionally not supported for simplicity and predictability.
oneOf:
- items:
type: string
type: array
- items:
type: boolean
type: array
required:
- fields
- values
Security_Entity_Analytics_API_Metadata:
$ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata'
Security_Entity_Analytics_API_MonitoredUserDoc:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc'
- type: object
properties:
'@timestamp':
format: date-time
type: string
event:
type: object
properties:
'@timestamp':
format: date-time
type: string
ingested:
format: date-time
type: string
user:
type: object
properties:
entity:
type: object
properties:
attributes:
type: object
properties:
Privileged:
description: Indicates if the user is privileged.
type: boolean
is_privileged:
description: Indicates if the user is privileged.
type: boolean
name:
type: string
Security_Entity_Analytics_API_MonitoredUserUpdateDoc:
type: object
properties:
entity_analytics_monitoring:
type: object
properties:
labels:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel'
type: array
id:
type: string
labels:
type: object
properties:
source_ids:
items:
type: string
type: array
source_integrations:
items:
type: string
type: array
sources:
items:
enum:
- csv
- index_sync
- api
type: array
user:
type: object
properties:
is_privileged:
description: Indicates if the user is privileged.
type: boolean
name:
type: string
Security_Entity_Analytics_API_MonitoringEngineDescriptor:
type: object
properties:
error:
type: object
properties:
message:
description: Error message, typically only present if the engine is in the error state.
type: string
status:
$ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus'
required:
- status
Security_Entity_Analytics_API_MonitoringEntitySource:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEntitySourceProperties'
- type: object
properties:
id:
type: string
required:
- type
- name
- id
- managed
Security_Entity_Analytics_API_MonitoringEntitySourceProperties:
allOf:
- $ref: '#/components/schemas/Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties'
- type: object
properties:
managed:
type: boolean
Security_Entity_Analytics_API_MonitoringLabel:
type: object
properties:
field:
type: string
source:
type: string
value:
type: string
required:
- field
- value
- source
Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus:
description: The status of the Privilege Monitoring Engine
enum:
- started
- error
- disabled
- not_installed
type: string
Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem:
type: object
properties:
index:
nullable: true
type: integer
message:
type: string
username:
nullable: true
type: string
required:
- message
- index
- username
Security_Entity_Analytics_API_PrivmonUserCsvUploadStats:
type: object
properties:
failedOperations:
type: integer
successfulOperations:
type: integer
totalOperations:
type: integer
uploaded:
type: integer
required:
- successfulOperations
- uploaded
- failedOperations
- totalOperations
Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse:
type: object
properties:
full_error:
type: string
message:
type: string
required:
- message
- full_error
Security_Entity_Analytics_API_RiskEngineScheduleNowResponse:
type: object
properties:
success:
type: boolean
Security_Entity_Analytics_API_RiskScoreInput:
description: A generic representation of a document contributing to a Risk Score.
type: object
properties:
category:
description: The risk category of the risk input document.
example: category_1
type: string
contribution_score:
format: double
type: number
description:
description: A human-readable description of the risk input document.
example: 'Generated from Detection Engine Rule: Malware Prevention Alert'
type: string
entity_id:
description: The EUID of the entity within the graph that generated this alert.
type: string
id:
description: The unique identifier (`_id`) of the original source document.
example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c
type: string
index:
description: The unique index (`_index`) of the original source document.
example: .internal.alerts-security.alerts-default-000001
type: string
risk_score:
description: The weighted risk score of the risk input document.
format: double
maximum: 100
minimum: 0
type: number
timestamp:
description: The @timestamp of the risk input document.
example: '2017-07-21T17:32:28Z'
type: string
required:
- id
- index
- description
- category
Security_Entity_Analytics_API_ServiceEntity:
additionalProperties: false
description: An entity record representing a service, stored in the Entity Store latest index.
type: object
properties:
'@timestamp':
description: The time the entity record was last updated.
format: date-time
type: string
asset:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
additionalProperties: false
entity:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
event:
additionalProperties: false
type: object
properties:
ingested:
description: When the event was ingested into Elasticsearch.
format: date-time
type: string
service:
additionalProperties: false
description: Elastic Common Schema (ECS) service fields collected on the entity.
type: object
properties:
entity:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
name:
description: Primary service name.
type: string
risk:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
required:
- name
required:
- entity
Security_Entity_Analytics_API_StoreStatus:
description: The overall operational status of the Entity Store.
enum:
- not_installed
- installing
- running
- stopped
- error
type: string
Security_Entity_Analytics_API_TaskManagerUnavailableResponse:
description: Task manager is unavailable
type: object
properties:
message:
type: string
status_code:
minimum: 400
type: integer
required:
- status_code
- message
Security_Entity_Analytics_API_TransformStatsMetadata:
description: Statistics from the underlying Elasticsearch transform.
type: object
properties:
delete_time_in_ms:
description: Total time spent deleting documents, in milliseconds.
type: integer
documents_deleted:
description: Total number of documents deleted from the destination index.
type: integer
documents_indexed:
description: Total number of documents written to the destination index.
type: integer
documents_processed:
description: Total number of source documents processed.
type: integer
exponential_avg_checkpoint_duration_ms:
description: Exponential moving average of checkpoint duration, in milliseconds.
type: integer
exponential_avg_documents_indexed:
description: Exponential moving average of documents indexed per checkpoint.
type: integer
exponential_avg_documents_processed:
description: Exponential moving average of documents processed per checkpoint.
type: integer
index_failures:
description: Total number of failed index operations.
type: integer
index_time_in_ms:
description: Total time spent indexing documents, in milliseconds.
type: integer
index_total:
description: Total number of index operations.
type: integer
pages_processed:
description: Number of composite aggregation pages processed.
type: integer
processing_time_in_ms:
description: Total time spent processing results, in milliseconds.
type: integer
processing_total:
description: Total number of processing operations.
type: integer
search_failures:
description: Total number of failed search operations.
type: integer
search_time_in_ms:
description: Total time spent on search queries, in milliseconds.
type: integer
search_total:
description: Total number of search operations.
type: integer
trigger_count:
description: Number of times the transform has been triggered.
type: integer
required:
- pages_processed
- documents_processed
- documents_indexed
- trigger_count
- index_time_in_ms
- index_total
- index_failures
- search_time_in_ms
- search_total
- search_failures
- processing_time_in_ms
- processing_total
- exponential_avg_checkpoint_duration_ms
- exponential_avg_documents_indexed
- exponential_avg_documents_processed
Security_Entity_Analytics_API_UpdateableMonitoringEntitySourceProperties:
type: object
properties:
enabled:
type: boolean
filter:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Filter'
identifierField:
description: Field used to query the entity store for index-type sources
type: string
indexPattern:
type: string
integrationName:
type: string
integrations:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Integrations'
matchers:
items:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Matcher'
type: array
name:
type: string
queryRule:
description: KQL query used to filter data from the provided index patterns
type: string
range:
$ref: '#/components/schemas/Security_Entity_Analytics_API_DateRange'
type:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntitySourceType'
Security_Entity_Analytics_API_UserEntity:
additionalProperties: false
description: An entity record representing a user, stored in the Entity Store latest index.
type: object
properties:
'@timestamp':
description: The time the entity record was last updated.
format: date-time
type: string
asset:
$ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
additionalProperties: false
entity:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
event:
additionalProperties: false
type: object
properties:
ingested:
description: When the event was ingested into Elasticsearch.
format: date-time
type: string
user:
additionalProperties: false
description: Elastic Common Schema (ECS) user fields collected on the entity.
type: object
properties:
domain:
description: Observed user domains.
items:
type: string
type: array
email:
description: Observed email addresses.
items:
type: string
type: array
full_name:
description: Observed full names of the user.
items:
type: string
type: array
hash:
description: Observed user hashes.
items:
type: string
type: array
id:
description: Observed user IDs.
items:
type: string
type: array
name:
description: Primary user name.
type: string
risk:
$ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
additionalProperties: false
roles:
description: Observed roles assigned to the user.
items:
type: string
type: array
required:
- name
required:
- entity
Security_Entity_Analytics_API_UserName:
type: object
properties:
entity_analytics_monitoring:
description: Entity analytics monitoring configuration for the user
type: object
properties:
labels:
description: Array of labels associated with the user
items:
type: object
properties:
field:
description: The field name for the label
type: string
source:
description: The source where this label was created (api, csv, or index_sync)
enum:
- api
- csv
- index_sync
type: string
value:
description: The value of the label
type: string
type: array
user:
type: object
properties:
name:
description: The name of the user.
type: string
Security_Entity_Analytics_API_WatchlistCsvUploadResponseItem:
example:
matchedEntities: 1
status: success
type: object
properties:
error:
description: Error message if the row failed to process
example: Invalid entity type
type: string
matchedEntities:
description: Number of entities matched for this row
example: 1
type: integer
status:
enum:
- success
- failure
- unmatched
example: success
type: string
required:
- status
- matchedEntities
Security_Entity_Analytics_API_WatchlistEntityAssignResponseItem:
example:
euid: user:john.doe
status: success
type: object
properties:
error:
description: Error message if the entity failed to process
example: Invalid entity type
type: string
euid:
description: The EUID of the entity
example: user:john.doe
type: string
status:
enum:
- success
- failure
- not_found
example: success
type: string
required:
- euid
- status
Security_Entity_Analytics_API_WatchlistEntityUnassignResponseItem:
example:
euid: user:john.doe
status: success
type: object
properties:
error:
description: Error message if the entity failed to process
example: Invalid entity type
type: string
euid:
description: The EUID of the entity
example: user:john.doe
type: string
status:
enum:
- success
- failure
- not_found
example: success
type: string
required:
- euid
- status
Security_Entity_Analytics_API_WatchlistObject:
example:
createdAt: '2026-01-28T12:00:00.000Z'
description: High risk vendor watchlist
id: watchlist-123
managed: false
name: High Risk Vendors
riskModifier: 1.5
updatedAt: '2026-02-18T12:00:00.000Z'
type: object
properties:
createdAt:
description: Timestamp indicating when the watchlist was created
format: date-time
type: string
description:
description: Description of the watchlist
type: string
entityCount:
description: Number of entities in the watchlist
type: number
entitySourceIds:
description: List of entity source IDs associated with the watchlist
items:
type: string
type: array
id:
description: The unique ID of the watchlist
type: string
managed:
description: Indicates if the watchlist is managed by the system
type: boolean
name:
description: The name of the watchlist
type: string
riskModifier:
description: Risk score modifier associated with the watchlist
type: number
updatedAt:
description: Timestamp indicating when the watchlist was last updated
format: date-time
type: string
required:
- name
- riskModifier
- managed
Security_Exceptions_API_BlocklistHashOrPathEntry:
type: object
properties:
field:
description: File hash or path field
enum:
- file.hash.md5
- file.hash.sha1
- file.hash.sha256
- file.path
- file.path.caseless
type: string
operator:
description: Must be the value "included"
enum:
- included
type: string
type:
description: Must be match_any for blocklists
enum:
- match_any
type: string
value:
description: Array of hash values or file paths
items:
type: string
minItems: 1
type: array
required:
- field
- type
- value
- operator
Security_Exceptions_API_BlocklistLinuxProperties:
description: Blocklist list item properties (Linux, code signature not supported).
type: object
properties:
entries:
description: |
**Validation rules:**
* Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
* Path entry: only 1 allowed
items:
$ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry'
minItems: 1
type: array
list_id:
enum:
- endpoint_blocklists
example: endpoint_blocklists
type: string
os_types:
description: Linux-only
items:
enum:
- linux
type: string
maxItems: 1
minItems: 1
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_BlocklistMacProperties:
description: Blocklist list item properties (macOS, code signature not supported).
type: object
properties:
entries:
description: |
**Validation rules:**
* Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
* Path entry: only 1 allowed
items:
$ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry'
minItems: 1
type: array
list_id:
enum:
- endpoint_blocklists
example: endpoint_blocklists
type: string
os_types:
description: macOS-only
items:
enum:
- macos
type: string
maxItems: 1
minItems: 1
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry:
type: object
properties:
entries:
description: Nested subject_name entries
items:
type: object
properties:
field:
description: Certificate subject name
enum:
- subject_name
type: string
operator:
description: Must be the value "included"
enum:
- included
type: string
type:
description: Match type for subject name
enum:
- match
- match_any
type: string
value:
oneOf:
- description: Single subject name (used with match)
type: string
- description: Array of subject names (used with match_any)
items:
type: string
minItems: 1
type: array
required:
- field
- type
- value
- operator
minItems: 1
type: array
field:
description: Windows code signature field
enum:
- file.Ext.code_signature
type: string
type:
description: Must be nested for Windows code signature
enum:
- nested
type: string
required:
- field
- type
- entries
Security_Exceptions_API_BlocklistWindowsProperties:
description: Blocklist list item properties (Windows, supports code signature).
type: object
properties:
entries:
description: |
**Validation rules:**
* Hash entries: up to 3 (one for each hash type: md5, sha1, sha256)
* Path entry: only 1 allowed
* Code signature entry: only 1 allowed
items:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_BlocklistHashOrPathEntry'
- $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsCodeSignatureEntry'
minItems: 1
type: array
list_id:
enum:
- endpoint_blocklists
example: endpoint_blocklists
type: string
os_types:
description: Windows-only
items:
enum:
- windows
type: string
maxItems: 1
minItems: 1
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_CreateExceptionListItemBase:
type: object
properties:
comments:
$ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray'
default: []
description:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
expire_time:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime'
item_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
meta:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
name:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
required:
- type
- name
- description
Security_Exceptions_API_CreateExceptionListItemBlocklistLinux:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties'
Security_Exceptions_API_CreateExceptionListItemBlocklistMac:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties'
Security_Exceptions_API_CreateExceptionListItemBlocklistWindows:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties'
Security_Exceptions_API_CreateExceptionListItemComment:
type: object
properties:
comment:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
required:
- comment
Security_Exceptions_API_CreateExceptionListItemCommentArray:
items:
$ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment'
type: array
Security_Exceptions_API_CreateExceptionListItemEndpointList:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties'
Security_Exceptions_API_CreateExceptionListItemEventFilters:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties'
Security_Exceptions_API_CreateExceptionListItemGeneric:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- example:
description: This is a sample detection type exception item.
entries:
- field: actingProcess.file.signer
operator: excluded
type: exists
- field: host.name
operator: included
type: match_any
value:
- saturn
- jupiter
item_id: simple_list_item
list_id: simple_list
name: Sample Exception List Item
namespace_type: single
os_types:
- linux
tags:
- malware
type: simple
type: object
properties:
entries:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
default: []
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
default: []
required:
- list_id
- entries
Security_Exceptions_API_CreateExceptionListItemHostIsolation:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties'
Security_Exceptions_API_CreateExceptionListItemTrustedAppsLinux:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties'
Security_Exceptions_API_CreateExceptionListItemTrustedAppsMac:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties'
Security_Exceptions_API_CreateExceptionListItemTrustedAppsWindows:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties'
Security_Exceptions_API_CreateExceptionListItemTrustedDevicesMac:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties'
Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindows:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties'
Security_Exceptions_API_CreateExceptionListItemTrustedDevicesWindowsMac:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties'
Security_Exceptions_API_CreateRuleExceptionListItemComment:
type: object
properties:
comment:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
required:
- comment
Security_Exceptions_API_CreateRuleExceptionListItemCommentArray:
items:
$ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment'
type: array
Security_Exceptions_API_CreateRuleExceptionListItemProps:
type: object
properties:
comments:
$ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray'
default: []
description:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
entries:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
expire_time:
format: date-time
type: string
item_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
meta:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
name:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
default: []
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
default: []
type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
required:
- type
- name
- description
- entries
Security_Exceptions_API_EndpointArtifactTags:
default: []
description: |
Tags for categorization. Special tags for scope control:
* `"policy:all"` - Global artifact (applies to all Elastic Defend policies)
* `"policy:<policy_id>"` - Private artifact (applies to a specific Elastic Defend policy only, where `<policy_id>` is the Elastic Defend integration policy ID)
items:
type: string
type: array
Security_Exceptions_API_EndpointListProperties:
description: Elastic Endpoint exception list item properties.
type: object
properties:
entries:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
description: |
Exception entries for endpoint security exceptions (used to prevent detection rule alerts).
**Fully flexible:** Supports any field name for maximum compatibility with detection rules. No field restrictions are enforced.
list_id:
enum:
- endpoint_list
example: endpoint_list
type: string
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
default: []
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_EventFiltersProperties:
description: Event filters list item properties.
type: object
properties:
entries:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
description: |
Exception entries for the event filter.
**Flexible field support:** Any event field name is allowed (e.g., `process.name`, `file.path`, `event.action`, `dns.question.name`, etc.)
**Minimum requirement:** At least 1 entry required
list_id:
enum:
- endpoint_event_filters
example: endpoint_event_filters
type: string
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
default: []
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_ExceptionList:
type: object
properties:
_version:
description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
type: string
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
type: string
description:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
immutable:
type: boolean
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
meta:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
name:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
tie_breaker_id:
description: Field used in search to ensure all containers are sorted and returned correctly.
type: string
type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
type: string
version:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
required:
- id
- list_id
- type
- name
- description
- immutable
- namespace_type
- version
- tie_breaker_id
- created_at
- created_by
- updated_at
- updated_by
Security_Exceptions_API_ExceptionListDescription:
description: Describes the exception list.
example: This list tracks allowlisted values.
type: string
Security_Exceptions_API_ExceptionListHumanId:
description: |
The exception list's human-readable string identifier.
For endpoint artifacts, use one of the following values:
* `endpoint_list`: [Elastic Endpoint exception list](https://www.elastic.co/docs/solutions/security/detect-and-alert/add-manage-exceptions)
* `endpoint_trusted_apps`: [Trusted applications list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-applications)
* `endpoint_trusted_devices`: [Trusted devices list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/trusted-devices)
* `endpoint_event_filters`: [Event filters list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/event-filters)
* `endpoint_host_isolation_exceptions`: [Host isolation exceptions list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/host-isolation-exceptions)
* `endpoint_blocklists`: [Blocklists list](https://www.elastic.co/docs/solutions/security/manage-elastic-defend/blocklist)
example: simple_list
format: nonempty
minLength: 1
type: string
Security_Exceptions_API_ExceptionListId:
description: Exception list's identifier.
example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85
format: nonempty
minLength: 1
type: string
Security_Exceptions_API_ExceptionListItem:
type: object
properties:
_version:
description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
type: string
comments:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray'
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
type: string
description:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
entries:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
expire_time:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime'
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
item_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
meta:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
name:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
tie_breaker_id:
description: Field used in search to ensure all containers are sorted and returned correctly.
type: string
type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
type: string
required:
- id
- item_id
- list_id
- type
- name
- description
- entries
- namespace_type
- comments
- tie_breaker_id
- created_at
- created_by
- updated_at
- updated_by
Security_Exceptions_API_ExceptionListItemComment:
type: object
properties:
comment:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
created_at:
description: Autogenerated date of object creation.
format: date-time
type: string
created_by:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
id:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
updated_at:
description: Autogenerated date of last object update.
format: date-time
type: string
updated_by:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
required:
- id
- comment
- created_at
- created_by
Security_Exceptions_API_ExceptionListItemCommentArray:
description: |
Array of comment fields:
- comment (string): Comments about the exception item.
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment'
type: array
Security_Exceptions_API_ExceptionListItemDescription:
description: Describes the exception list.
type: string
Security_Exceptions_API_ExceptionListItemEntry:
anyOf:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList'
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested'
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard'
discriminator:
propertyName: type
Security_Exceptions_API_ExceptionListItemEntryArray:
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry'
type: array
Security_Exceptions_API_ExceptionListItemEntryExists:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
operator:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- exists
type: string
required:
- type
- field
- operator
Security_Exceptions_API_ExceptionListItemEntryList:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
list:
type: object
properties:
id:
$ref: '#/components/schemas/Security_Exceptions_API_ListId'
type:
$ref: '#/components/schemas/Security_Exceptions_API_ListType'
required:
- id
- type
operator:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- list
type: string
required:
- type
- field
- list
- operator
Security_Exceptions_API_ExceptionListItemEntryMatch:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
operator:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- match
type: string
value:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
required:
- type
- field
- value
- operator
Security_Exceptions_API_ExceptionListItemEntryMatchAny:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
operator:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- match_any
type: string
value:
items:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
minItems: 1
type: array
required:
- type
- field
- value
- operator
Security_Exceptions_API_ExceptionListItemEntryMatchWildcard:
type: object
properties:
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
operator:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
type:
enum:
- wildcard
type: string
value:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
required:
- type
- field
- value
- operator
Security_Exceptions_API_ExceptionListItemEntryNested:
type: object
properties:
entries:
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
minItems: 1
type: array
field:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
type:
enum:
- nested
type: string
required:
- type
- field
- entries
Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
- $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
Security_Exceptions_API_ExceptionListItemEntryOperator:
enum:
- excluded
- included
type: string
Security_Exceptions_API_ExceptionListItemExpireTime:
description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
format: date-time
type: string
Security_Exceptions_API_ExceptionListItemHumanId:
description: Human readable string identifier, e.g. `trusted-linux-processes`
example: simple_list_item
format: nonempty
minLength: 1
type: string
Security_Exceptions_API_ExceptionListItemId:
description: Exception's identifier.
example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2
format: nonempty
minLength: 1
type: string
Security_Exceptions_API_ExceptionListItemMeta:
additionalProperties: true
type: object
Security_Exceptions_API_ExceptionListItemName:
description: Exception list name.
format: nonempty
minLength: 1
type: string
Security_Exceptions_API_ExceptionListItemOsTypeArray:
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType'
type: array
Security_Exceptions_API_ExceptionListItemTags:
items:
description: String array containing words and phrases to help categorize exception items.
format: nonempty
minLength: 1
type: string
type: array
Security_Exceptions_API_ExceptionListItemType:
enum:
- simple
type: string
Security_Exceptions_API_ExceptionListMeta:
additionalProperties: true
description: Placeholder for metadata about the list container.
type: object
Security_Exceptions_API_ExceptionListName:
description: The name of the exception list.
example: My exception list
type: string
Security_Exceptions_API_ExceptionListOsType:
description: Use this field to specify the operating system.
enum:
- linux
- macos
- windows
type: string
Security_Exceptions_API_ExceptionListOsTypeArray:
description: Use this field to specify the operating system. Only enter one value.
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType'
type: array
Security_Exceptions_API_ExceptionListsImportBulkError:
type: object
properties:
error:
type: object
properties:
message:
type: string
status_code:
type: integer
required:
- status_code
- message
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
item_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
required:
- error
Security_Exceptions_API_ExceptionListsImportBulkErrorArray:
items:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError'
type: array
Security_Exceptions_API_ExceptionListTags:
description: String array containing words and phrases to help categorize exception containers.
items:
type: string
type: array
Security_Exceptions_API_ExceptionListType:
description: The type of exception list to be created. Different list types may denote where they can be utilized.
enum:
- detection
- rule_default
- endpoint
- endpoint_trusted_apps
- endpoint_trusted_devices
- endpoint_events
- endpoint_host_isolation_exceptions
- endpoint_blocklists
type: string
Security_Exceptions_API_ExceptionListVersion:
description: The document version, automatically increased on updates.
minimum: 1
type: integer
Security_Exceptions_API_ExceptionNamespaceType:
description: |
Determines whether the exception container is available in all Kibana spaces or just the space
in which it is created, where:
- `single`: Only available in the Kibana space in which it is created.
- `agnostic`: Available in all Kibana spaces.
For endpoint artifacts, the `namespace_type` must always be `agnostic`. Space awareness for endpoint artifacts is enforced based on Elastic Defend policy assignments.
enum:
- agnostic
- single
type: string
Security_Exceptions_API_FindExceptionListItemsFilter:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
Security_Exceptions_API_FindExceptionListsFilter:
example: exception-list.attributes.name:%Detection%20List
type: string
Security_Exceptions_API_HostIsolationProperties:
description: Host isolation exceptions list item properties.
type: object
properties:
entries:
description: Exactly one entry allowed for host isolation exceptions
items:
type: object
properties:
field:
description: Must be destination.ip
enum:
- destination.ip
type: string
operator:
description: Must be the value "included"
enum:
- included
type: string
type:
description: Must be match
enum:
- match
type: string
value:
description: Valid IPv4 address or CIDR notation (e.g., "192.168.1.1" or "10.0.0.0/8")
type: string
required:
- field
- type
- value
- operator
maxItems: 1
minItems: 1
type: array
list_id:
enum:
- endpoint_host_isolation_exceptions
example: endpoint_host_isolation_exceptions
type: string
os_types:
description: Must include all three operating systems (windows, linux, macos)
items:
enum:
- windows
- linux
- macos
type: string
maxItems: 3
minItems: 3
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_ListId:
description: Value list's identifier.
example: 21b01cfb-058d-44b9-838c-282be16c91cd
format: nonempty
minLength: 1
type: string
Security_Exceptions_API_ListType:
description: |
Specifies the Elasticsearch data type of the values the list container holds. Some common examples:
- `keyword`: Many ECS fields are Elasticsearch keywords
- `ip`: IP addresses
- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
enum:
- binary
- boolean
- byte
- date
- date_nanos
- date_range
- double
- double_range
- float
- float_range
- geo_point
- geo_shape
- half_float
- integer
- integer_range
- ip
- ip_range
- keyword
- long
- long_range
- shape
- short
- text
type: string
Security_Exceptions_API_NonEmptyString:
description: A string that does not contain only whitespace characters
format: nonempty
minLength: 1
type: string
Security_Exceptions_API_PlatformErrorResponse:
type: object
properties:
error:
type: string
message:
type: string
statusCode:
type: integer
required:
- statusCode
- error
- message
Security_Exceptions_API_RuleId:
$ref: '#/components/schemas/Security_Exceptions_API_UUID'
Security_Exceptions_API_SiemErrorResponse:
type: object
properties:
message:
type: string
status_code:
type: integer
required:
- status_code
- message
Security_Exceptions_API_TrustedAppHashEntry:
type: object
properties:
field:
description: Process hash field
enum:
- process.hash.md5
- process.hash.sha1
- process.hash.sha256
type: string
operator:
enum:
- included
type: string
type:
description: Hash entries only support match type
enum:
- match
type: string
value:
description: Hash value (MD5, SHA1, or SHA256)
type: string
required:
- field
- type
- value
- operator
Security_Exceptions_API_TrustedAppMacCodeSignatureEntry:
type: object
properties:
entries:
description: Must include exactly 2 entries - one for subject_name and one for trusted
items:
oneOf:
- type: object
properties:
field:
enum:
- subject_name
type: string
operator:
enum:
- included
type: string
type:
enum:
- match
type: string
value:
description: Certificate subject name
type: string
required:
- field
- type
- value
- operator
- type: object
properties:
field:
enum:
- trusted
type: string
operator:
enum:
- included
type: string
type:
enum:
- match
type: string
value:
description: Must be the string 'true'
enum:
- 'true'
type: string
required:
- field
- type
- value
- operator
maxItems: 2
minItems: 2
type: array
field:
description: macOS code signature field
enum:
- process.code_signature
type: string
type:
enum:
- nested
type: string
required:
- field
- type
- entries
Security_Exceptions_API_TrustedAppPathEntry:
type: object
properties:
field:
description: Process executable path field
enum:
- process.executable.caseless
type: string
operator:
enum:
- included
type: string
type:
description: Path supports both match and wildcard types
enum:
- match
- wildcard
type: string
value:
description: Executable path
type: string
required:
- field
- type
- value
- operator
Security_Exceptions_API_TrustedAppsLinuxProperties:
description: Trusted applications list item properties (Linux).
type: object
properties:
entries:
description: Process hash or executable path entries (code signature not supported on Linux)
items:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry'
minItems: 1
type: array
list_id:
enum:
- endpoint_trusted_apps
example: endpoint_trusted_apps
type: string
os_types:
description: Must be Linux only
items:
enum:
- linux
type: string
maxItems: 1
minItems: 1
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_TrustedAppsMacProperties:
description: Trusted applications list item properties (macOS).
type: object
properties:
entries:
description: Process hash, executable path, or code signature entries
items:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppMacCodeSignatureEntry'
minItems: 1
type: array
list_id:
enum:
- endpoint_trusted_apps
example: endpoint_trusted_apps
type: string
os_types:
description: Must be macOS only
items:
enum:
- macos
type: string
maxItems: 1
minItems: 1
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_TrustedAppsWindowsProperties:
description: Trusted applications list item properties (Windows).
type: object
properties:
entries:
description: Process hash, executable path, or code signature entries
items:
oneOf:
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppHashEntry'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppPathEntry'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry'
minItems: 1
type: array
list_id:
enum:
- endpoint_trusted_apps
example: endpoint_trusted_apps
type: string
os_types:
description: Must be Windows only
items:
enum:
- windows
type: string
maxItems: 1
minItems: 1
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_TrustedAppWindowsCodeSignatureEntry:
type: object
properties:
entries:
description: Must include exactly 2 entries - one for subject_name and one for trusted
items:
oneOf:
- type: object
properties:
field:
enum:
- subject_name
type: string
operator:
enum:
- included
type: string
type:
enum:
- match
type: string
value:
description: Certificate subject name
type: string
required:
- field
- type
- value
- operator
- type: object
properties:
field:
enum:
- trusted
type: string
operator:
enum:
- included
type: string
type:
enum:
- match
type: string
value:
description: Must be the string 'true'
enum:
- 'true'
type: string
required:
- field
- type
- value
- operator
maxItems: 2
minItems: 2
type: array
field:
description: Windows code signature field
enum:
- process.Ext.code_signature
type: string
type:
enum:
- nested
type: string
required:
- field
- type
- entries
Security_Exceptions_API_TrustedDevicesMacProperties:
description: Trusted devices list item properties (macOS-only, username not supported).
type: object
properties:
entries:
description: Exception entries for the trusted device (duplicate field entries are not allowed)
items:
type: object
properties:
field:
description: Device field to match against
enum:
- device.serial_number
- device.type
- host.name
- device.vendor.name
- device.vendor.id
- device.product.id
- device.product.name
type: string
operator:
description: Must be the value "included"
enum:
- included
type: string
type:
description: Entry match type
enum:
- match
- wildcard
- match_any
type: string
value:
oneOf:
- description: Single value (used with match or wildcard)
type: string
- description: Array of values (used with match_any)
items:
type: string
minItems: 1
type: array
required:
- field
- type
- value
- operator
minItems: 1
type: array
list_id:
enum:
- endpoint_trusted_devices
example: endpoint_trusted_devices
type: string
os_types:
description: macOS-only
items:
enum:
- macos
type: string
maxItems: 1
minItems: 1
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_TrustedDevicesWindowsMacProperties:
description: Trusted devices list item properties (Windows + macOS, username not supported).
type: object
properties:
entries:
description: Exception entries for the trusted device (duplicate field entries are not allowed, username not available when targeting both OS)
items:
type: object
properties:
field:
description: Device field to match against (username not available for multi-OS)
enum:
- device.serial_number
- device.type
- host.name
- device.vendor.name
- device.vendor.id
- device.product.id
- device.product.name
type: string
operator:
description: Must be the value "included"
enum:
- included
type: string
type:
description: Entry match type
enum:
- match
- wildcard
- match_any
type: string
value:
oneOf:
- description: Single value (used with match or wildcard)
type: string
- description: Array of values (used with match_any)
items:
type: string
minItems: 1
type: array
required:
- field
- type
- value
- operator
minItems: 1
type: array
list_id:
enum:
- endpoint_trusted_devices
example: endpoint_trusted_devices
type: string
os_types:
description: Must include both Windows and macOS (username field not allowed)
items:
enum:
- windows
- macos
type: string
maxItems: 2
minItems: 2
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_TrustedDevicesWindowsProperties:
description: Trusted devices list item properties (Windows-only, allows username field).
type: object
properties:
entries:
description: Exception entries for the trusted device (duplicate field entries are not allowed)
items:
type: object
properties:
field:
description: Device field to match against (user.name is Windows-only)
enum:
- device.serial_number
- device.type
- host.name
- device.vendor.name
- device.vendor.id
- device.product.id
- device.product.name
- user.name
type: string
operator:
description: Must be the value "included"
enum:
- included
type: string
type:
description: Entry match type
enum:
- match
- wildcard
- match_any
type: string
value:
oneOf:
- description: Single value (used with match or wildcard)
type: string
- description: Array of values (used with match_any)
items:
type: string
minItems: 1
type: array
required:
- field
- type
- value
- operator
minItems: 1
type: array
list_id:
enum:
- endpoint_trusted_devices
example: endpoint_trusted_devices
type: string
os_types:
description: Must be Windows-only to allow username field
items:
enum:
- windows
type: string
maxItems: 1
minItems: 1
type: array
tags:
$ref: '#/components/schemas/Security_Exceptions_API_EndpointArtifactTags'
required:
- list_id
Security_Exceptions_API_UpdateExceptionListItemBase:
type: object
properties:
_version:
description: The version ID, normally returned by the API when the item is retrieved. Use it to ensure updates are made against the latest version.
type: string
comments:
$ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray'
default: []
description:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
expire_time:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime'
id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
description: Either `id` or `item_id` must be specified
item_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
description: Either `id` or `item_id` must be specified
meta:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
name:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
namespace_type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
default: single
type:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
required:
- type
- name
- description
Security_Exceptions_API_UpdateExceptionListItemBlocklistLinux:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_BlocklistLinuxProperties'
Security_Exceptions_API_UpdateExceptionListItemBlocklistMac:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_BlocklistMacProperties'
Security_Exceptions_API_UpdateExceptionListItemBlocklistWindows:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_BlocklistWindowsProperties'
Security_Exceptions_API_UpdateExceptionListItemComment:
type: object
properties:
comment:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
id:
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
required:
- comment
Security_Exceptions_API_UpdateExceptionListItemCommentArray:
items:
$ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment'
type: array
Security_Exceptions_API_UpdateExceptionListItemEndpointList:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_EndpointListProperties'
Security_Exceptions_API_UpdateExceptionListItemEventFilters:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_EventFiltersProperties'
Security_Exceptions_API_UpdateExceptionListItemGeneric:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- example:
comments: []
description: Updated description
entries:
- field: host.name
operator: included
type: match
value: rock01
item_id: simple_list_item
name: Updated name
namespace_type: single
tags: []
type: simple
type: object
properties:
entries:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
list_id:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
os_types:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
default: []
tags:
$ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
required:
- entries
Security_Exceptions_API_UpdateExceptionListItemHostIsolation:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_HostIsolationProperties'
Security_Exceptions_API_UpdateExceptionListItemTrustedAppsLinux:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsLinuxProperties'
Security_Exceptions_API_UpdateExceptionListItemTrustedAppsMac:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsMacProperties'
Security_Exceptions_API_UpdateExceptionListItemTrustedAppsWindows:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedAppsWindowsProperties'
Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesMac:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesMacProperties'
Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindows:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsProperties'
Security_Exceptions_API_UpdateExceptionListItemTrustedDevicesWindowsMac:
allOf:
- $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemBase'
- $ref: '#/components/schemas/Security_Exceptions_API_TrustedDevicesWindowsMacProperties'
Security_Exceptions_API_UUID:
description: A universally unique identifier
format: uuid
type: string
Security_Lists_API_FindListItemsCursor:
description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly.
example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d
format: nonempty
minLength: 1
type: string
Security_Lists_API_FindListItemsFilter:
example: value:127.0.0.1
type: string
Security_Lists_API_FindListsCursor:
example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d
format: nonempty
minLength: 1
type: string
Security_Lists_API_FindListsFilter:
example: value:127.0.0.1
type: string
Security_Lists_API_List:
type: object
properties:
_version:
$ref: '#/components/schemas/Security_Lists_API_ListVersionId'
'@timestamp':
example: '2025-01-08T04:47:34.273Z'
format: date-time
type: string
created_at:
description: Autogenerated date of object creation.
example: '2025-01-08T04:47:34.273Z'
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
example: elastic
type: string
description:
$ref: '#/components/schemas/Security_Lists_API_ListDescription'
id:
$ref: '#/components/schemas/Security_Lists_API_ListId'
immutable:
type: boolean
meta:
$ref: '#/components/schemas/Security_Lists_API_ListMetadata'
name:
$ref: '#/components/schemas/Security_Lists_API_ListName'
tie_breaker_id:
description: Field used in search to ensure all containers are sorted and returned correctly.
example: f5508188-b1e9-4e6e-9662-d039a7d89899
type: string
type:
$ref: '#/components/schemas/Security_Lists_API_ListType'
updated_at:
description: Autogenerated date of last object update.
example: '2025-01-08T04:47:34.273Z'
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
example: elastic
type: string
version:
$ref: '#/components/schemas/Security_Lists_API_ListVersion'
required:
- id
- type
- name
- description
- immutable
- version
- tie_breaker_id
- created_at
- created_by
- updated_at
- updated_by
Security_Lists_API_ListDescription:
description: Describes the value list.
format: nonempty
minLength: 1
type: string
Security_Lists_API_ListId:
description: Value list's identifier.
example: 21b01cfb-058d-44b9-838c-282be16c91cd
format: nonempty
minLength: 1
type: string
Security_Lists_API_ListItem:
type: object
properties:
_version:
$ref: '#/components/schemas/Security_Lists_API_ListVersionId'
'@timestamp':
example: '2025-01-08T04:47:34.273Z'
format: date-time
type: string
created_at:
description: Autogenerated date of object creation.
example: '2025-01-08T04:47:34.273Z'
format: date-time
type: string
created_by:
description: Autogenerated value - user that created object.
example: elastic
type: string
id:
$ref: '#/components/schemas/Security_Lists_API_ListItemId'
list_id:
$ref: '#/components/schemas/Security_Lists_API_ListId'
meta:
$ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
tie_breaker_id:
description: Field used in search to ensure all containers are sorted and returned correctly.
example: f5508188-b1e9-4e6e-9662-d039a7d89899
type: string
type:
$ref: '#/components/schemas/Security_Lists_API_ListType'
updated_at:
description: Autogenerated date of last object update.
example: '2025-01-08T04:47:34.273Z'
format: date-time
type: string
updated_by:
description: Autogenerated value - user that last updated object.
example: elastic
type: string
value:
$ref: '#/components/schemas/Security_Lists_API_ListItemValue'
required:
- id
- type
- list_id
- value
- tie_breaker_id
- created_at
- created_by
- updated_at
- updated_by
Security_Lists_API_ListItemId:
description: Value list item's identifier.
example: 54b01cfb-058d-44b9-838c-282be16c91cd
format: nonempty
minLength: 1
type: string
Security_Lists_API_ListItemMetadata:
additionalProperties: true
description: Placeholder for metadata about the value list item.
type: object
Security_Lists_API_ListItemPrivileges:
type: object
properties:
application:
additionalProperties:
type: boolean
type: object
cluster:
additionalProperties:
type: boolean
type: object
has_all_requested:
type: boolean
index:
additionalProperties:
additionalProperties:
type: boolean
type: object
type: object
username:
type: string
required:
- username
- has_all_requested
- cluster
- index
- application
Security_Lists_API_ListItemValue:
description: The value used to evaluate exceptions.
format: nonempty
minLength: 1
type: string
Security_Lists_API_ListMetadata:
additionalProperties: true
description: Placeholder for metadata about the value list.
type: object
Security_Lists_API_ListName:
description: Value list's name.
example: List of bad IPs
format: nonempty
minLength: 1
type: string
Security_Lists_API_ListPrivileges:
type: object
properties:
application:
additionalProperties:
type: boolean
type: object
cluster:
additionalProperties:
type: boolean
type: object
has_all_requested:
type: boolean
index:
additionalProperties:
additionalProperties:
type: boolean
type: object
type: object
username:
type: string
required:
- username
- has_all_requested
- cluster
- index
- application
Security_Lists_API_ListType:
description: |
Specifies the Elasticsearch data type of the values the list container holds. Some common examples:
- `keyword`: Many ECS fields are Elasticsearch keywords
- `ip`: IP addresses
- `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
enum:
- binary
- boolean
- byte
- date
- date_nanos
- date_range
- double
- double_range
- float
- float_range
- geo_point
- geo_shape
- half_float
- integer
- integer_range
- ip
- ip_range
- keyword
- long
- long_range
- shape
- short
- text
type: string
Security_Lists_API_ListVersion:
description: The document version number.
example: 1
minimum: 1
type: integer
Security_Lists_API_ListVersionId:
description: |
The version id, normally returned by the API when the document is retrieved. Use it to ensure updates are done against the latest version.
example: WzIsMV0=
type: string
Security_Lists_API_PlatformErrorResponse:
type: object
properties:
error:
type: string
message:
type: string
statusCode:
type: integer
required:
- statusCode
- error
- message
Security_Lists_API_SiemErrorResponse:
type: object
properties:
message:
type: string
status_code:
type: integer
required:
- status_code
- message
Security_Osquery_API_ArrayQueries:
description: An array of queries to run.
items:
$ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem'
type: array
Security_Osquery_API_ArrayQueriesItem:
type: object
properties:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
version:
$ref: '#/components/schemas/Security_Osquery_API_Version'
Security_Osquery_API_CopyPacksResponse:
description: The response for copying a pack.
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: false
name: my_pack_copy
policy_ids: []
queries:
- ecs_mapping:
- key: client.port
value:
field: port
id: ports
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards: []
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties:
data:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
queries:
description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.'
items:
type: object
properties:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray'
id:
type: string
interval:
type: integer
platform:
type: string
query:
type: string
removed:
type: boolean
snapshot:
type: boolean
timeout:
type: integer
version:
type: string
type: array
saved_object_id:
description: The saved object ID of the copied pack.
type: string
shards:
description: Shard configuration as an array of key-value pairs.
items:
type: object
properties:
key:
type: string
value:
type: number
type: array
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
version:
description: The pack version number.
type: integer
required:
- saved_object_id
- name
required:
- data
Security_Osquery_API_CopySavedQueryResponse:
description: The response for copying a saved query.
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: my_saved_query_copy
interval: '60'
platform: linux,darwin
query: select * from uptime;
removed: false
saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
snapshot: true
timeout: 120
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
type: object
properties:
data:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
interval:
oneOf:
- type: integer
- type: string
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
saved_object_id:
type: string
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
timeout:
type: integer
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
required:
- saved_object_id
- id
required:
- data
Security_Osquery_API_CreateLiveQueryRequestBody:
example:
agent_all: true
ecs_mapping:
host.uptime:
field: total_seconds
query: select * from uptime;
type: object
properties:
agent_all:
description: When `true`, the query runs on all agents.
type: boolean
agent_ids:
description: A list of agent IDs to run the query on.
items:
type: string
type: array
agent_platforms:
description: A list of agent platforms to run the query on.
items:
type: string
type: array
agent_policy_ids:
description: A list of agent policy IDs to run the query on.
items:
type: string
type: array
alert_ids:
description: A list of alert IDs associated with the live query.
items:
type: string
type: array
case_ids:
description: A list of case IDs associated with the live query.
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
event_ids:
description: A list of event IDs associated with the live query.
items:
type: string
type: array
metadata:
description: Custom metadata object associated with the live query.
nullable: true
type: object
pack_id:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ArrayQueries'
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
saved_query_id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
Security_Osquery_API_CreateLiveQueryResponse:
description: The response for creating a live query.
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agent_all: true
agent_ids: []
agent_platforms: []
agent_policy_ids: []
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
input_type: osquery
metadata:
execution_context:
name: osquery
url: /app/osquery/live_queries/new
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
timeout: 120
type: INPUT_ACTION
user_id: elastic
type: object
properties:
data:
type: object
properties:
'@timestamp':
description: The timestamp when the action was created.
format: date-time
type: string
action_id:
description: The ID of the action.
type: string
agent_all:
description: Whether the query targets all agents.
type: boolean
agent_ids:
description: The agent IDs targeted by the action.
items:
type: string
type: array
agent_platforms:
description: The agent platforms targeted.
items:
type: string
type: array
agent_policy_ids:
description: The agent policy IDs targeted.
items:
type: string
type: array
agents:
description: The resolved list of agent IDs.
items:
type: string
type: array
expiration:
description: The expiration date of the action.
format: date-time
type: string
input_type:
description: The input type.
type: string
metadata:
description: Custom metadata associated with the action.
type: object
pack_id:
description: The pack ID if the query was run from a pack.
type: string
queries:
description: The queries in this action.
items:
type: object
properties:
action_id:
type: string
agents:
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
type: string
platform:
type: string
query:
type: string
saved_query_id:
type: string
timeout:
type: integer
version:
type: string
type: array
type:
description: The action type.
type: string
user_id:
description: The user who created the action.
type: string
required:
- action_id
required:
- data
Security_Osquery_API_CreatePacksRequestBody:
example:
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
- fleet-server-policy
queries:
my_query:
ecs_mapping:
client.port:
field: port
tags:
value:
- tag1
- tag2
interval: 60
query: SELECT * FROM listening_ports;
timeout: 120
shards:
fleet-server-policy: 58
my_policy_id: 35
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_CreatePacksResponse:
description: The response for creating a pack.
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: my_pack
policy_ids:
- my_policy_id
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
47638692-7c4c-4053-aa3e-7186f28df349: 35
5e267651-fe50-443e-8d3f-3bbc9171b618: 58
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
version: 1
type: object
properties:
data:
type: object
properties:
created_at:
description: The date and time the pack was created.
format: date-time
type: string
created_by:
description: The user who created the pack.
nullable: true
type: string
created_by_profile_uid:
description: The profile UID of the user who created the pack.
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
saved_object_id:
description: The saved object ID of the pack.
type: string
shards:
description: Shard configuration as an array of key-value pairs.
items:
type: object
properties:
key:
type: string
value:
type: number
type: array
updated_at:
description: The date and time the pack was last updated.
format: date-time
type: string
updated_by:
description: The user who last updated the pack.
nullable: true
type: string
updated_by_profile_uid:
description: The profile UID of the user who last updated the pack.
type: string
version:
description: The pack version number.
type: integer
required:
- saved_object_id
- name
required:
- data
Security_Osquery_API_CreateSavedQueryRequestBody:
example:
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
query: select * from uptime;
timeout: 120
version: 2.8.0
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
interval:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
version:
$ref: '#/components/schemas/Security_Osquery_API_Version'
Security_Osquery_API_CreateSavedQueryResponse:
description: The response for creating a saved query.
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
timeout: 120
updated_at: '2025-02-26T13:37:30.452Z'
updated_by: elastic
version: 2.8.0
type: object
properties:
data:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
interval:
description: An interval, in seconds, on which to run the query. It may be returned as a number or as a string.
oneOf:
- type: integer
- type: string
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
prebuilt:
description: Whether the saved query is prebuilt.
type: boolean
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
saved_object_id:
description: The saved object ID of the saved query.
type: string
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
timeout:
description: The query timeout in seconds.
type: integer
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
version:
description: The saved query version.
oneOf:
- type: integer
- type: string
required:
- saved_object_id
- id
required:
- data
Security_Osquery_API_DefaultSuccessResponse:
example: {}
type: object
properties: {}
Security_Osquery_API_ECSMapping:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
description: Maps osquery result columns or static values to Elastic Common Schema (ECS) fields.
example:
host.uptime:
field: total_seconds
type: object
Security_Osquery_API_ECSMappingArray:
description: ECS mapping in saved-object storage format (array of key-value pairs). The find and copy pack endpoints return this format. The read endpoint returns object format (ECSMapping).
items:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingArrayItem'
type: array
Security_Osquery_API_ECSMappingArrayItem:
description: ECS mapping item in saved-object storage format (key-value pair).
type: object
properties:
key:
description: The ECS field name.
type: string
value:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
Security_Osquery_API_ECSMappingArrayOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray'
nullable: true
Security_Osquery_API_ECSMappingItem:
type: object
properties:
field:
description: The ECS field to map to.
example: host.uptime
type: string
value:
description: The value to map to the ECS field.
example: total_seconds
oneOf:
- type: string
- items:
type: string
type: array
Security_Osquery_API_ECSMappingOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
nullable: true
Security_Osquery_API_Enabled:
description: Enables the pack.
example: true
type: boolean
Security_Osquery_API_EnabledOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
nullable: true
Security_Osquery_API_FindLiveQueryDetailsResponse:
example:
data:
'@timestamp': '2022-07-26T09:59:32.220Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2022-07-26T10:04:32.220Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
docs: 0
ecs_mapping:
host.uptime:
field: total_seconds
failed: 1
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
pending: 0
query: select * from uptime;
responded: 1
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
status: completed
successful: 0
status: completed
user_id: elastic
type: object
properties:
data:
type: object
properties:
'@timestamp':
format: date-time
type: string
action_id:
type: string
agents:
items:
type: string
type: array
expiration:
format: date-time
type: string
pack_id:
type: string
pack_name:
type: string
prebuilt_pack:
type: boolean
queries:
description: The queries with their execution status.
items:
type: object
properties:
action_id:
type: string
agents:
items:
type: string
type: array
docs:
description: Number of result documents.
type: integer
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
failed:
description: Number of failed queries.
type: integer
id:
type: string
pending:
description: Number of pending agents.
type: integer
query:
type: string
responded:
description: Total responded agents.
type: integer
saved_query_id:
type: string
status:
description: Status of this individual query.
enum:
- completed
- running
type: string
successful:
description: Number of successful agents.
type: integer
type: array
status:
description: Global status of the live query (completed, running).
enum:
- completed
- running
type: string
tags:
items:
type: string
type: array
user_id:
type: string
user_profile_uid:
type: string
Security_Osquery_API_FindLiveQueryResponse:
example:
data:
items:
- _source:
'@timestamp': '2023-10-31T00:00:00Z'
action_id: 3c42c847-eb30-4452-80e0-728584042334
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
expiration: '2023-10-31T00:00:00Z'
queries:
- action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agents:
- 16d7caf5-efd2-4212-9b62-73dafc91fa13
ecs_mapping:
host.uptime:
field: total_seconds
id: 6724a474-cbba-41ef-a1aa-66aebf0879e2
query: select * from uptime;
saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
result_counts:
error_agents: 0
responded_agents: 1
successful_agents: 1
total_rows: 42
user_id: elastic
total: 1
type: object
properties:
data:
type: object
properties:
items:
description: An array of live query action items.
items:
type: object
properties:
_source:
type: object
properties:
'@timestamp':
format: date-time
type: string
action_id:
type: string
agents:
items:
type: string
type: array
expiration:
format: date-time
type: string
pack_id:
type: string
queries:
items:
type: object
properties:
action_id:
type: string
agents:
items:
type: string
type: array
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
type: string
query:
type: string
saved_query_id:
type: string
type: array
result_counts:
description: Result count statistics (present when withResultCounts is true).
type: object
properties:
error_agents:
type: integer
responded_agents:
type: integer
successful_agents:
type: integer
total_rows:
type: integer
user_id:
type: string
type: array
total:
description: The total number of live queries.
type: integer
Security_Osquery_API_FindPackResponse:
description: The details of a single query pack.
example:
data:
created_at: '2022-07-25T19:41:10.263Z'
created_by: elastic
description: ''
enabled: true
name: test_pack
namespaces:
- default
policy_ids: []
queries:
uptime:
ecs_mapping:
message:
field: days
interval: 3600
query: select * from uptime
read_only: false
saved_object_id: 3c42c847-eb30-4452-80e0-728584042334
shards: {}
type: osquery-pack
updated_at: '2022-07-25T20:12:01.455Z'
updated_by: elastic
version: 1
type: object
properties:
data:
description: The pack details.
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
namespaces:
description: The namespaces the pack belongs to.
items:
type: string
type: array
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
read_only:
description: Whether the pack is read-only (true for prebuilt packs).
type: boolean
saved_object_id:
description: The saved object ID of the pack.
type: string
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
type:
description: The saved object type.
type: string
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
version:
description: The pack version number.
type: integer
required:
- saved_object_id
- name
required:
- data
Security_Osquery_API_FindPacksResponse:
description: A paginated list of query packs.
example:
data:
- created_at: '2023-10-31T00:00:00Z'
created_by: elastic
created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
description: My pack description
enabled: true
name: My Pack
policy_ids: []
queries:
- ecs_mapping:
- key: host.uptime
value:
field: total_seconds
id: uptime
interval: 3600
query: select * from uptime;
read_only: false
saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
updated_at: '2023-10-31T00:00:00Z'
updated_by: elastic
updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
page: 1
per_page: 10
total: 1
type: object
properties:
data:
description: An array of pack objects.
items:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
queries:
description: 'Pack queries in saved-object storage format (array). Note: the read endpoint returns object format.'
items:
type: object
properties:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMappingArray'
id:
type: string
interval:
type: integer
platform:
type: string
query:
type: string
removed:
type: boolean
snapshot:
type: boolean
timeout:
type: integer
version:
type: string
type: array
read_only:
description: Whether the pack is read-only (true for prebuilt packs).
type: boolean
saved_object_id:
description: The saved object ID of the pack.
type: string
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
version:
description: The pack version number.
type: integer
required:
- saved_object_id
- name
type: array
page:
description: The current page number.
type: integer
per_page:
description: The number of results per page.
type: integer
total:
description: The total number of packs.
type: integer
required:
- page
- per_page
- total
- data
Security_Osquery_API_FindSavedQueryDetailResponse:
description: The details of a single saved query.
example:
data:
created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
saved_object_id: 3c42c847-eb30-4452-80e0-728584042334
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
version: 2.8.0
type: object
properties:
data:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
interval:
oneOf:
- type: integer
- type: string
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
prebuilt:
type: boolean
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
saved_object_id:
type: string
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
timeout:
type: integer
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
version:
oneOf:
- type: integer
- type: string
required:
- saved_object_id
- id
required:
- data
Security_Osquery_API_FindSavedQueryResponse:
description: A paginated list of saved queries.
example:
data:
- created_at: '2022-07-26T09:28:08.597Z'
created_by: elastic
created_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
description: Saved query description
ecs_mapping:
host.uptime:
field: total_seconds
id: saved_query_id
interval: '60'
platform: linux,darwin
prebuilt: false
query: select * from uptime;
saved_object_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
updated_at: '2022-07-26T09:28:08.597Z'
updated_by: elastic
updated_by_profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0
version: 2.8.0
page: 1
per_page: 100
total: 11
type: object
properties:
data:
description: An array of saved query objects.
items:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
interval:
oneOf:
- type: integer
- type: string
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
prebuilt:
type: boolean
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
saved_object_id:
type: string
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
timeout:
type: integer
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
version:
oneOf:
- type: integer
- type: string
required:
- saved_object_id
- id
type: array
page:
description: The current page number.
type: integer
per_page:
description: The number of results per page.
type: integer
total:
description: The total number of saved queries.
type: integer
required:
- page
- per_page
- total
- data
Security_Osquery_API_GetLiveQueryResultsResponse:
description: The response for getting live query results.
example:
data:
edges:
- _id: doc1
_source: {}
- _id: doc2
_source: {}
total: 2
type: object
properties:
data:
type: object
properties:
edges:
description: The result rows from the query execution.
items:
type: object
properties:
_id:
type: string
_source:
description: The Elasticsearch document source containing query results.
type: object
type: array
total:
description: The total number of result rows.
type: integer
Security_Osquery_API_GetScheduledActionResultsResponse:
example:
aggregations:
failed: 1
pending: 0
successful: 9
totalResponded: 10
totalRowCount: 42
currentPage: 0
edges:
- _id: result-001
fields:
agent_id: 16d7caf5-efd2-4212-9b62-73dafc91fa13
rows_count: 5
status: success
metadata:
executionCount: 3
packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
packName: My Pack
queryName: uptime
queryText: select * from uptime;
scheduleId: pack_my_pack_uptime
timestamp: '2024-07-26T09:00:00.000Z'
pageSize: 20
total: 10
totalPages: 1
type: object
properties:
aggregations:
$ref: '#/components/schemas/Security_Osquery_API_ScheduledActionResultsAggregations'
currentPage:
description: The current page number (zero-based).
type: integer
edges:
description: The paginated list of per-agent action results.
items:
type: object
type: array
inspect:
description: Debug/inspection data for the search query.
type: object
metadata:
$ref: '#/components/schemas/Security_Osquery_API_ScheduledExecutionMetadata'
pageSize:
description: The number of results per page.
type: integer
total:
description: The total number of action results.
type: integer
totalPages:
description: The total number of pages.
type: integer
Security_Osquery_API_GetScheduledQueryResultsResponse:
description: The response for getting scheduled query results.
example:
data:
edges:
- _id: row-001
fields:
host.uptime:
- '12345'
- _id: row-002
fields:
host.uptime:
- '67890'
total: 2
type: object
properties:
data:
description: The query results data wrapper.
type: object
properties:
edges:
description: The paginated list of query result rows.
items:
type: object
type: array
inspect:
description: Debug/inspection data for the search query.
type: object
total:
description: The total number of result rows.
type: integer
Security_Osquery_API_GetUnifiedHistoryResponse:
example:
data:
- actionId: 609c4c66-ba3d-43fa-afdd-53e244577aa0
agentCount: 5
errorCount: 0
id: 3c42c847-eb30-4452-80e0-728584042334
queryName: uptime_query
queryText: select * from uptime;
source: Live
sourceType: live
successCount: 5
timestamp: '2024-07-26T09:59:32.220Z'
totalRows: 42
userId: elastic
- agentCount: 10
errorCount: 1
executionCount: 3
id: pack_my_pack_uptime_3
packId: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d
packName: My Pack
plannedTime: '2024-07-26T09:00:00.000Z'
queryName: uptime
queryText: select * from uptime;
scheduleId: pack_my_pack_uptime
source: Scheduled
sourceType: scheduled
successCount: 9
timestamp: '2024-07-26T09:00:00.000Z'
totalRows: 100
hasMore: true
nextPage: eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3...
type: object
properties:
data:
description: The list of unified history rows for the current page.
items:
$ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRow'
type: array
hasMore:
description: Whether there are more results beyond the current page.
type: boolean
nextPage:
description: A base64-encoded cursor to fetch the next page. Absent when there are no more results.
type: string
required:
- data
- hasMore
Security_Osquery_API_Interval:
description: An interval, in seconds, on which to run the query.
example: '60'
type: string
Security_Osquery_API_IntervalOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
nullable: true
Security_Osquery_API_KueryOrUndefined:
description: The kuery to filter the results by.
example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13'
nullable: true
type: string
Security_Osquery_API_LiveHistoryRow:
allOf:
- $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase'
- type: object
properties:
actionId:
description: The Fleet action ID for the live query.
type: string
agentAll:
description: Whether the query targeted all agents.
type: boolean
agentIds:
description: List of targeted agent IDs.
items:
type: string
type: array
agentPlatforms:
description: List of targeted agent platforms.
items:
type: string
type: array
agentPolicyIds:
description: List of targeted agent policy IDs.
items:
type: string
type: array
ecsMapping:
additionalProperties: true
description: ECS mapping configuration used for the query.
type: object
queriesTotal:
description: The total number of sub-queries in the live action.
type: integer
queriesWithResults:
description: The number of sub-queries that returned results.
type: integer
savedQueryId:
description: The saved query ID, if the live query was based on a saved query.
type: string
source:
description: Whether this was a manually run live query or one triggered by a rule.
enum:
- Live
- Rule
type: string
sourceType:
description: Identifies this as a live query history row.
enum:
- live
type: string
timeout:
description: The query timeout in seconds.
type: integer
userId:
description: The ID of the user who ran the query.
type: string
userProfileUid:
description: The user profile UID of the user who ran the query.
type: string
required:
- sourceType
- source
Security_Osquery_API_ObjectQueries:
additionalProperties:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem'
description: An object of queries.
type: object
Security_Osquery_API_ObjectQueriesItem:
type: object
properties:
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_QueryId'
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
saved_query_id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
version:
$ref: '#/components/schemas/Security_Osquery_API_Version'
Security_Osquery_API_PackDescription:
description: The pack description.
example: Pack description
type: string
Security_Osquery_API_PackDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
nullable: true
Security_Osquery_API_PackId:
description: The ID of the pack.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_PackIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PackId'
nullable: true
Security_Osquery_API_PackName:
description: The pack name.
example: my_pack
type: string
Security_Osquery_API_PageOrUndefined:
description: The page number to return. The default is 1.
example: 1
nullable: true
type: integer
Security_Osquery_API_PageSizeOrUndefined:
description: The number of results to return per page. The default is 20.
example: 20
nullable: true
type: integer
Security_Osquery_API_Platform:
description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
example: linux,darwin
type: string
Security_Osquery_API_PlatformOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
nullable: true
Security_Osquery_API_PolicyIds:
description: A list of agent policy IDs.
example:
- policyId1
- policyId2
items:
type: string
type: array
Security_Osquery_API_PolicyIdsOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
nullable: true
Security_Osquery_API_Query:
description: The SQL query you want to run.
example: select * from uptime;
type: string
Security_Osquery_API_QueryId:
description: The ID of the query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_QueryOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Query'
nullable: true
Security_Osquery_API_Removed:
description: Indicates whether the query is removed.
example: false
type: boolean
Security_Osquery_API_RemovedOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
nullable: true
Security_Osquery_API_SavedQueryDescription:
description: The saved query description.
example: Saved query description
type: string
Security_Osquery_API_SavedQueryDescriptionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
nullable: true
Security_Osquery_API_SavedQueryId:
description: The ID of a saved query.
example: 3c42c847-eb30-4452-80e0-728584042334
type: string
Security_Osquery_API_SavedQueryIdOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
nullable: true
Security_Osquery_API_ScheduledActionResultsAggregations:
type: object
properties:
failed:
description: The number of agents that returned errors.
type: integer
pending:
description: The number of agents with pending responses.
type: integer
successful:
description: The number of agents that completed successfully.
type: integer
totalResponded:
description: The total number of agents that responded.
type: integer
totalRowCount:
description: The total number of result rows across all agents.
type: integer
Security_Osquery_API_ScheduledExecutionMetadata:
description: Execution metadata resolved from the pack saved object.
type: object
properties:
executionCount:
description: The execution count for this scheduled query run.
type: integer
packId:
description: The ID of the pack containing the query.
type: string
packName:
description: The name of the pack containing the query.
type: string
queryName:
description: The name of the query within the pack.
type: string
queryText:
description: The SQL query that was executed.
type: string
scheduleId:
description: The schedule ID for the scheduled query.
type: string
timestamp:
description: The timestamp of the most recent response for this execution.
type: string
Security_Osquery_API_ScheduledHistoryRow:
allOf:
- $ref: '#/components/schemas/Security_Osquery_API_UnifiedHistoryRowBase'
- type: object
properties:
executionCount:
description: The execution count for this scheduled query run.
type: integer
plannedTime:
description: The planned execution time for the scheduled query.
type: string
scheduleId:
description: The schedule ID for the scheduled query.
type: string
source:
description: Indicates this is a scheduled query execution.
enum:
- Scheduled
type: string
sourceType:
description: Identifies this as a scheduled query history row.
enum:
- scheduled
type: string
required:
- sourceType
- source
Security_Osquery_API_Shards:
additionalProperties:
type: number
description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
example:
policy_id: 50
type: object
Security_Osquery_API_Snapshot:
description: Indicates whether the query is a snapshot.
example: true
type: boolean
Security_Osquery_API_SnapshotOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
nullable: true
Security_Osquery_API_SortOrderOrUndefined:
description: Specifies the sort order.
enum:
- asc
- desc
example: desc
type: string
Security_Osquery_API_SortOrUndefined:
default: createdAt
description: The field that is used to sort the results.
example: createdAt
nullable: true
type: string
Security_Osquery_API_UnifiedHistoryRow:
discriminator:
mapping:
live: '#/components/schemas/Security_Osquery_API_LiveHistoryRow'
scheduled: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow'
propertyName: sourceType
oneOf:
- $ref: '#/components/schemas/Security_Osquery_API_LiveHistoryRow'
- $ref: '#/components/schemas/Security_Osquery_API_ScheduledHistoryRow'
Security_Osquery_API_UnifiedHistoryRowBase:
type: object
properties:
agentCount:
description: The number of agents targeted by the query.
type: integer
errorCount:
description: The number of agent responses with errors.
nullable: true
type: integer
id:
description: Unique identifier for the history row.
type: string
packId:
description: The ID of the pack containing the query.
type: string
packName:
description: The name of the pack containing the query.
type: string
queryName:
description: The name of the query, if available.
type: string
queryText:
description: The SQL query that was executed.
type: string
spaceId:
description: The Kibana space ID where the query was executed.
type: string
successCount:
description: The number of successful agent responses.
nullable: true
type: integer
timestamp:
description: The timestamp of the query execution.
type: string
totalRows:
description: The total number of result rows returned across all agents.
nullable: true
type: integer
required:
- id
- timestamp
- queryText
- agentCount
Security_Osquery_API_UpdatePacksRequestBody:
example:
name: updated_my_pack_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
Security_Osquery_API_UpdatePacksResponse:
description: The response for updating a pack.
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: My pack
enabled: true
name: updated_my_pack_name
policy_ids:
- my_policy_id
queries:
ports:
ecs_mapping:
client.port:
field: port
interval: 60
query: SELECT * FROM listening_ports;
removed: false
snapshot: true
timeout: 120
saved_object_id: 1c266590-381f-428c-878f-c80c1334f856
shards:
47638692-7c4c-4053-aa3e-7186f28df349: 35
5e267651-fe50-443e-8d3f-3bbc9171b618: 58
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
version: 1
type: object
properties:
data:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_PackDescription'
enabled:
$ref: '#/components/schemas/Security_Osquery_API_Enabled'
name:
$ref: '#/components/schemas/Security_Osquery_API_PackName'
policy_ids:
$ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
queries:
$ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
saved_object_id:
description: The saved object ID of the pack.
type: string
shards:
$ref: '#/components/schemas/Security_Osquery_API_Shards'
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
version:
description: The pack version number.
type: integer
Security_Osquery_API_UpdateSavedQueryRequestBody:
example:
id: updated_my_saved_query_name
type: object
properties:
description:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
interval:
$ref: '#/components/schemas/Security_Osquery_API_Interval'
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
version:
$ref: '#/components/schemas/Security_Osquery_API_Version'
Security_Osquery_API_UpdateSavedQueryResponse:
description: The response for updating a saved query.
example:
data:
created_at: '2025-02-26T13:37:30.452Z'
created_by: elastic
description: Saved query description
id: updated_my_saved_query_name
interval: '60'
query: select * from uptime;
saved_object_id: 42ba1280-2172-11ee-8523-5765fca79a3c
updated_at: '2025-02-26T13:40:16.297Z'
updated_by: elastic
version: WzQzMTcsMV0=
type: object
properties:
data:
type: object
properties:
created_at:
format: date-time
type: string
created_by:
nullable: true
type: string
created_by_profile_uid:
type: string
description:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
ecs_mapping:
$ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
id:
$ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
interval:
oneOf:
- type: integer
- type: string
platform:
$ref: '#/components/schemas/Security_Osquery_API_Platform'
prebuilt:
type: boolean
query:
$ref: '#/components/schemas/Security_Osquery_API_Query'
removed:
$ref: '#/components/schemas/Security_Osquery_API_Removed'
saved_object_id:
type: string
snapshot:
$ref: '#/components/schemas/Security_Osquery_API_Snapshot'
timeout:
type: integer
updated_at:
format: date-time
type: string
updated_by:
nullable: true
type: string
updated_by_profile_uid:
type: string
version:
description: The saved query version.
type: string
required:
- saved_object_id
- id
required:
- data
Security_Osquery_API_Version:
description: Uses the Osquery versions greater than or equal to the specified version string.
example: 1.0.0
type: string
Security_Osquery_API_VersionOrUndefined:
$ref: '#/components/schemas/Security_Osquery_API_Version'
nullable: true
Security_Timeline_API_AssociatedFilterType:
description: |
How the note is associated with a Timeline saved object and/or an event (`eventId`). `all`: no association-based restriction from this parameter. `document_only`: document-linked notes (non-empty `eventId`) without timeline association in the API's internal sense; post-filtering drops notes without a usable `eventId`. `saved_object_only`: timeline notes with no linked event (`eventId` empty or absent); post-filtering keeps timeline-only notes. `document_and_saved_object`: notes on a timeline and linked to an event; post-filtering enforces a real `eventId`. `orphan`: not on a timeline and `eventId` is empty (stricter than missing `eventId` in some cases).
enum:
- all
- document_only
- saved_object_only
- document_and_saved_object
- orphan
type: string
Security_Timeline_API_BareNote:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: |
Elasticsearch document `_id` for the event or alert this note refers to. Same value as the `documentIds` query parameter when fetching notes via GET /api/note.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
nullable: true
type: string
note:
description: The text of the note
example: This is an example text
nullable: true
type: string
timelineId:
description: The `savedObjectId` of the Timeline this note belongs to (not the note's own ID).
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- timelineId
Security_Timeline_API_BarePinnedEvent:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata'
- type: object
properties:
eventId:
description: The `_id` of the associated event for this pinned event.
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc
type: string
timelineId:
description: The `savedObjectId` of the timeline that this pinned event is associated with
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
required:
- eventId
- timelineId
Security_Timeline_API_ColumnHeaderResult:
type: object
properties:
aggregatable:
nullable: true
type: boolean
category:
nullable: true
type: string
columnHeaderType:
nullable: true
type: string
description:
nullable: true
type: string
example:
nullable: true
type: string
id:
nullable: true
type: string
indexes:
items:
type: string
nullable: true
type: array
name:
nullable: true
type: string
placeholder:
nullable: true
type: string
searchable:
nullable: true
type: boolean
type:
nullable: true
type: string
Security_Timeline_API_DataProviderQueryMatch:
type: object
properties:
enabled:
nullable: true
type: boolean
excluded:
nullable: true
type: boolean
id:
nullable: true
type: string
kqlQuery:
nullable: true
type: string
name:
nullable: true
type: string
queryMatch:
$ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult'
nullable: true
type:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
nullable: true
Security_Timeline_API_DataProviderResult:
type: object
properties:
and:
items:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch'
nullable: true
type: array
enabled:
nullable: true
type: boolean
excluded:
nullable: true
type: boolean
id:
nullable: true
type: string
kqlQuery:
nullable: true
type: string
name:
nullable: true
type: string
queryMatch:
$ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult'
nullable: true
type:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
nullable: true
Security_Timeline_API_DataProviderType:
description: The type of data provider.
enum:
- default
- template
type: string
Security_Timeline_API_DocumentIds:
description: One document ID or an array of IDs (Elasticsearch `_id` of the event).
oneOf:
- items:
type: string
type: array
- type: string
Security_Timeline_API_FavoriteTimelineResponse:
type: object
properties:
favorite:
items:
$ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
type: array
savedObjectId:
type: string
templateTimelineId:
nullable: true
type: string
templateTimelineVersion:
nullable: true
type: number
timelineType:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
version:
type: string
required:
- savedObjectId
- version
Security_Timeline_API_FavoriteTimelineResult:
description: Indicates when and who marked a Timeline as a favorite.
example:
favoriteDate: 1741337636741
userName: elastic
type: object
properties:
favoriteDate:
nullable: true
type: number
fullName:
nullable: true
type: string
userName:
nullable: true
type: string
Security_Timeline_API_FilterTimelineResult:
example:
meta:
alias: Custom filter name
disabled: false
index: .alerts-security.alerts-default,logs-*
key: '@timestamp'
negate: false
type: exists
value: exists
query: '{"exists":{"field":"@timestamp"}}'
type: object
properties:
exists:
nullable: true
type: string
match_all:
nullable: true
type: string
meta:
nullable: true
type: object
properties:
alias:
nullable: true
type: string
controlledBy:
nullable: true
type: string
disabled:
nullable: true
type: boolean
field:
nullable: true
type: string
formattedValue:
nullable: true
type: string
index:
nullable: true
type: string
key:
nullable: true
type: string
negate:
nullable: true
type: boolean
params:
nullable: true
type: string
type:
nullable: true
type: string
value:
nullable: true
type: string
missing:
nullable: true
type: string
query:
nullable: true
type: string
range:
nullable: true
type: string
script:
nullable: true
type: string
Security_Timeline_API_GetNotesResult:
type: object
properties:
notes:
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
type: array
totalCount:
description: Number of notes returned (may be adjusted after the query when `associatedFilter` applies post-filtering).
type: number
required:
- totalCount
- notes
Security_Timeline_API_ImportTimelineResult:
type: object
properties:
errors:
description: The list of failed Timeline imports
items:
type: object
properties:
error:
description: The error containing the reason why the timeline could not be imported
type: object
properties:
message:
description: The reason why the timeline could not be imported
example: Malformed JSON
type: string
status_code:
description: The HTTP status code of the error
example: 400
type: number
id:
description: The ID of the timeline that failed to import
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
type: string
type: array
success:
description: Indicates whether any of the Timelines were successfully imported
type: boolean
success_count:
description: The number of successfully imported or updated Timelines
example: 99
type: number
timelines_installed:
description: The number of successfully installed Timelines
example: 80
type: number
timelines_updated:
description: The number of successfully updated Timelines
example: 19
type: number
Security_Timeline_API_ImportTimelines:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- type: object
properties:
eventNotes:
items:
$ref: '#/components/schemas/Security_Timeline_API_BareNote'
nullable: true
type: array
globalNotes:
items:
$ref: '#/components/schemas/Security_Timeline_API_BareNote'
nullable: true
type: array
pinnedEventIds:
items:
type: string
nullable: true
type: array
savedObjectId:
nullable: true
type: string
version:
nullable: true
type: string
required:
- savedObjectId
- version
- pinnedEventIds
- eventNotes
- globalNotes
Security_Timeline_API_Note:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_BareNote'
- type: object
properties:
noteId:
description: The `savedObjectId` of the note
example: 709f99c6-89b6-4953-9160-35945c8e174e
type: string
version:
description: The version of the note
example: WzQ2LDFd
type: string
required:
- noteId
- version
Security_Timeline_API_NoteCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: The time the note was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the note.
example: casetester
nullable: true
type: string
updated:
description: The last time the note was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the note
example: casetester
nullable: true
type: string
Security_Timeline_API_PersistPinnedEventResponse:
oneOf:
- $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
- type: object
properties:
unpinned:
description: Indicates whether the event was successfully unpinned
type: boolean
required:
- unpinned
Security_Timeline_API_PersistTimelineResponse:
$ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
Security_Timeline_API_PinnedEvent:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent'
- type: object
properties:
pinnedEventId:
description: The `savedObjectId` of this pinned event
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3
type: string
version:
description: The version of this pinned event
example: WzQ2LDFe
type: string
required:
- pinnedEventId
- version
Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata:
type: object
properties:
created:
description: The time the pinned event was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the pinned event.
example: casetester
nullable: true
type: string
updated:
description: The last time the pinned event was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the pinned event
example: casetester
nullable: true
type: string
Security_Timeline_API_QueryMatchResult:
type: object
properties:
displayField:
nullable: true
type: string
displayValue:
nullable: true
type: string
field:
nullable: true
type: string
operator:
nullable: true
type: string
value:
oneOf:
- nullable: true
type: string
- items:
type: string
nullable: true
type: array
Security_Timeline_API_ResolvedTimeline:
type: object
properties:
alias_purpose:
$ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose'
alias_target_id:
type: string
outcome:
$ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome'
timeline:
$ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
required:
- timeline
- outcome
Security_Timeline_API_ResponseNote:
type: object
properties:
note:
$ref: '#/components/schemas/Security_Timeline_API_Note'
required:
- note
Security_Timeline_API_RowRendererId:
description: Identifies the available row renderers
enum:
- alert
- alerts
- auditd
- auditd_file
- library
- netflow
- plain
- registry
- suricata
- system
- system_dns
- system_endgame_process
- system_file
- system_fim
- system_security_event
- system_socket
- threat_match
- zeek
type: string
Security_Timeline_API_SavedObjectIds:
description: One Timeline saved object ID or an array of IDs.
oneOf:
- items:
type: string
type: array
- type: string
Security_Timeline_API_SavedObjectResolveAliasPurpose:
enum:
- savedObjectConversion
- savedObjectImport
type: string
Security_Timeline_API_SavedObjectResolveOutcome:
enum:
- exactMatch
- aliasMatch
- conflict
type: string
Security_Timeline_API_SavedTimeline:
type: object
properties:
columns:
description: The Timeline's columns
example:
- columnHeaderType: not-filtered
id: '@timestamp'
- columnHeaderType: not-filtered
id: event.category
items:
$ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult'
nullable: true
type: array
created:
description: The time the Timeline was created, using a 13-digit Epoch timestamp.
example: 1587468588922
nullable: true
type: number
createdBy:
description: The user who created the Timeline.
example: casetester
nullable: true
type: string
dataProviders:
description: Object containing query clauses
example:
- enabled: true
excluded: false
id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
queryMatch:
field: _id
operator: ':'
value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b
items:
$ref: '#/components/schemas/Security_Timeline_API_DataProviderResult'
nullable: true
type: array
dataViewId:
description: ID of the Timeline's Data View
example: security-solution-default
nullable: true
type: string
dateRange:
description: The Timeline's search period.
example:
end: 1587456479201
start: 1587370079200
nullable: true
type: object
properties:
end:
oneOf:
- nullable: true
type: string
- nullable: true
type: number
start:
oneOf:
- nullable: true
type: string
- nullable: true
type: number
description:
description: The Timeline's description
example: Investigating exposure of CVE XYZ
nullable: true
type: string
eqlOptions:
description: EQL query that is used in the correlation tab
example:
eventCategoryField: event.category
query: sequence\n[process where process.name == "sudo"]\n[any where true]
size: 100
timestampField: '@timestamp'
nullable: true
type: object
properties:
eventCategoryField:
nullable: true
type: string
query:
nullable: true
type: string
size:
oneOf:
- nullable: true
type: string
- nullable: true
type: number
tiebreakerField:
nullable: true
type: string
timestampField:
nullable: true
type: string
eventType:
deprecated: true
description: Event types displayed in the Timeline
example: all
nullable: true
type: string
excludedRowRendererIds:
description: A list of row renderers that should not be used when in `Event renderers` mode
items:
$ref: '#/components/schemas/Security_Timeline_API_RowRendererId'
nullable: true
type: array
favorite:
items:
$ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
nullable: true
type: array
filters:
description: A list of filters that should be applied to the query
items:
$ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult'
nullable: true
type: array
indexNames:
description: A list of index names to use in the query (e.g. when the default data view has been modified)
example:
- .logs*
items:
type: string
nullable: true
type: array
kqlMode:
description: |-
Indicates whether the KQL bar filters the query results or searches for additional results, where:
* `filter`: filters query results
* `search`: displays additional search results
example: search
nullable: true
type: string
kqlQuery:
$ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult'
nullable: true
savedQueryId:
description: The ID of the saved query that might be used in the Query tab
example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e
nullable: true
type: string
savedSearchId:
description: The ID of the saved search that is used in the ES|QL tab
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
sort:
$ref: '#/components/schemas/Security_Timeline_API_Sort'
nullable: true
status:
$ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
nullable: true
templateTimelineId:
description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
example: 6ce1b592-84e3-4b4a-9552-f189d4b82075
nullable: true
type: string
templateTimelineVersion:
description: Timeline template version number. For Timelines, the value is `null`.
example: 12
nullable: true
type: number
timelineType:
$ref: '#/components/schemas/Security_Timeline_API_TimelineType'
nullable: true
title:
description: The Timeline's title.
example: CVE XYZ investigation
nullable: true
type: string
updated:
description: The last time the Timeline was updated, using a 13-digit Epoch timestamp
example: 1741344876825
nullable: true
type: number
updatedBy:
description: The user who last updated the Timeline
example: casetester
nullable: true
type: string
Security_Timeline_API_SavedTimelineWithSavedObjectId:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- type: object
properties:
savedObjectId:
description: The `savedObjectId` of the Timeline or Timeline template
example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e
type: string
version:
description: The version of the Timeline or Timeline template
example: WzE0LDFd
type: string
required:
- savedObjectId
- version
Security_Timeline_API_SerializedFilterQueryResult:
description: KQL bar query.
example:
filterQuery: null
kuery:
expression: '_id : *'
kind: kuery
serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}'
type: object
properties:
filterQuery:
nullable: true
type: object
properties:
kuery:
nullable: true
type: object
properties:
expression:
nullable: true
type: string
kind:
nullable: true
type: string
serializedQuery:
nullable: true
type: string
Security_Timeline_API_Sort:
oneOf:
- $ref: '#/components/schemas/Security_Timeline_API_SortObject'
- items:
$ref: '#/components/schemas/Security_Timeline_API_SortObject'
type: array
Security_Timeline_API_SortFieldTimeline:
description: The field to sort the timelines by.
enum:
- title
- description
- updated
- created
type: string
Security_Timeline_API_SortObject:
description: Object indicating how rows are sorted in the Timeline's grid
example:
columnId: '@timestamp'
sortDirection: desc
type: object
properties:
columnId:
nullable: true
type: string
columnType:
nullable: true
type: string
sortDirection:
nullable: true
type: string
Security_Timeline_API_TimelineResponse:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId'
- type: object
properties:
eventIdToNoteIds:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
nullable: true
type: array
noteIds:
description: A list of all the ids of notes that are associated to this Timeline.
example:
- 709f99c6-89b6-4953-9160-35945c8e174e
items:
type: string
nullable: true
type: array
notes:
description: A list of all the notes that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
nullable: true
type: array
pinnedEventIds:
description: A list of all the ids of pinned events that are associated to this Timeline.
example:
- 983f99c6-89b6-4953-9160-35945c8a194f
items:
type: string
nullable: true
type: array
pinnedEventsSaveObject:
description: A list of all the pinned events that are associated to this Timeline.
items:
$ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
nullable: true
type: array
Security_Timeline_API_TimelineSavedToReturnObject:
allOf:
- $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
- type: object
properties:
eventIdToNoteIds:
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
nullable: true
type: array
noteIds:
items:
type: string
nullable: true
type: array
notes:
items:
$ref: '#/components/schemas/Security_Timeline_API_Note'
nullable: true
type: array
pinnedEventIds:
items:
type: string
nullable: true
type: array
pinnedEventsSaveObject:
items:
$ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
nullable: true
type: array
savedObjectId:
type: string
version:
type: string
required:
- savedObjectId
- version
Security_Timeline_API_TimelineStatus:
description: The status of the Timeline.
enum:
- active
- draft
- immutable
type: string
Security_Timeline_API_TimelineType:
description: The type of Timeline.
enum:
- default
- template
type: string
Short_URL_APIs_urlResponse:
type: object
properties:
accessCount:
description: Number of times the short URL has been resolved.
type: integer
accessDate:
description: Unix epoch (milliseconds) of the last time the short URL was resolved. Set to the creation time when the URL has never been accessed.
format: int64
type: integer
createDate:
description: Unix epoch (milliseconds) when the short URL was created.
format: int64
type: integer
id:
description: The identifier for the short URL.
type: string
locator:
type: object
properties:
id:
description: The identifier for the locator.
type: string
state:
description: The locator parameters.
type: object
version:
description: The version of Kibana when the short URL was created.
type: string
slug:
description: |
A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated.
type: string
SLOs_400_response:
title: Bad request
type: object
properties:
error:
example: Bad Request
type: string
message:
example: 'Invalid value ''foo'' supplied to: [...]'
type: string
statusCode:
example: 400
type: number
required:
- statusCode
- error
- message
SLOs_401_response:
title: Unauthorized
type: object
properties:
error:
example: Unauthorized
type: string
message:
example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]"
type: string
statusCode:
example: 401
type: number
required:
- statusCode
- error
- message
SLOs_403_response:
title: Forbidden
type: object
properties:
error:
example: Forbidden
type: string
message:
example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [slo_write] is unauthorized for user [limited_user] for REST request [/api/observability/slos]]: action [slo_write] is unauthorized for user [limited_user]"
type: string
statusCode:
example: 403
type: number
required:
- statusCode
- error
- message
SLOs_404_response:
title: Not found
type: object
properties:
error:
example: Not Found
type: string
message:
example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
type: string
statusCode:
example: 404
type: number
required:
- statusCode
- error
- message
SLOs_409_response:
title: Conflict
type: object
properties:
error:
example: Conflict
type: string
message:
example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists
type: string
statusCode:
example: 409
type: number
required:
- statusCode
- error
- message
SLOs_artifacts:
description: Links to related assets for the SLO
properties:
dashboards:
description: Array of dashboard references
items:
type: object
properties:
id:
description: Dashboard saved-object id
type: string
required:
- id
type: array
title: Artifacts
type: object
SLOs_budgeting_method:
description: The budgeting method to use when computing the rollup data.
enum:
- occurrences
- timeslices
example: occurrences
title: Budgeting method
type: string
SLOs_bulk_delete_request:
description: |
The bulk delete SLO request takes a list of SLO Definition IDs to delete.
properties:
list:
description: An array of SLO Definition IDs
items:
description: The SLO Definition id
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
type: array
required:
- list
title: Bulk delete SLO request
type: object
SLOs_bulk_delete_response:
description: |
The bulk delete SLO response returns a taskId that can be used to poll for the status of the operation.
properties:
taskId:
description: The taskId of the bulk delete operation
example: d08506b7-f0e8-4f8b-a06a-a83940f4db91
type: string
title: Bulk delete SLO response
type: object
SLOs_bulk_delete_status_response:
description: Indicates if the bulk deletion is completed, with the detailed results of the operation.
properties:
error:
description: The error message if the bulk deletion operation failed
example: Task not found
type: string
isDone:
description: Indicates if the bulk deletion operation is completed
example: true
type: boolean
results:
description: The results of the bulk deletion operation, including the success status and any errors for each SLO
items:
type: object
properties:
error:
description: The error message if the deletion operation failed for this SLO
example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found
type: string
id:
description: The ID of the SLO that was deleted
example: d08506b7-f0e8-4f8b-a06a-a83940f4db91
type: string
success:
description: The result of the deletion operation for this SLO
example: true
type: boolean
type: array
title: The status of the bulk deletion
type: object
SLOs_bulk_purge_rollup_request:
description: |
The bulk purge rollup data request takes a list of SLO IDs and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the stale data of an SLO instance that no longer gets updated.
properties:
list:
description: An array of SLO IDs
items:
description: The SLO Definition id
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
type: array
purgePolicy:
description: Policy that dictates which SLI documents to purge based on age
oneOf:
- type: object
properties:
age:
description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided.
example: 7d
type: string
purgeType:
description: Specifies whether documents will be purged based on a specific age or on a timestamp
enum:
- fixed-age
type: string
- type: object
properties:
purgeType:
description: Specifies whether documents will be purged based on a specific age or on a timestamp
enum:
- fixed-time
type: string
timestamp:
description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided.
example: '2024-12-31T00:00:00.000Z'
type: string
type: object
required:
- list
- purgePolicy
title: Bulk Purge Rollup data request
type: object
SLOs_bulk_purge_rollup_response:
description: |
The bulk purge rollup data response returns the task ID from the Elasticsearch deleteByQuery response.
properties:
taskId:
description: The task id of the purge operation
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
title: Bulk Purge Rollup data response
type: object
SLOs_create_slo_request:
description: |
The create SLO API request body varies depending on the type of indicator, time window and budgeting method.
properties:
artifacts:
$ref: '#/components/schemas/SLOs_artifacts'
budgetingMethod:
$ref: '#/components/schemas/SLOs_budgeting_method'
description:
description: A description for the SLO.
type: string
groupBy:
$ref: '#/components/schemas/SLOs_group_by'
id:
description: An optional and unique identifier for the SLO. Must be between 8 and 36 characters.
example: my-super-slo-id
type: string
indicator:
oneOf:
- $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
- $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
- $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
- $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
- $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
- $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
name:
description: A name for the SLO.
type: string
objective:
$ref: '#/components/schemas/SLOs_objective'
settings:
$ref: '#/components/schemas/SLOs_settings'
tags:
description: List of tags
items:
type: string
type: array
timeWindow:
$ref: '#/components/schemas/SLOs_time_window'
required:
- name
- description
- indicator
- timeWindow
- budgetingMethod
- objective
title: Create SLO request
type: object
SLOs_create_slo_response:
title: Create SLO response
type: object
properties:
id:
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
required:
- id
SLOs_delete_slo_instances_request:
description: |
The delete SLO instances request takes a list of SLO id and instance id pairs, then deletes the rollup and summary data. This API can be used to remove the stale data of an SLO instance that no longer gets updated.
properties:
list:
description: An array of SLO id and instance id pairs
items:
type: object
properties:
instanceId:
description: The SLO instance identifier
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
sloId:
description: The SLO unique identifier
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
required:
- sloId
- instanceId
type: array
required:
- list
title: Delete SLO instances request
type: object
SLOs_error_budget:
title: Error budget
type: object
properties:
consumed:
description: The error budget consumed, as a percentage of the initial value.
example: 0.8
type: number
initial:
description: The initial error budget, as 1 - objective
example: 0.02
type: number
isEstimated:
description: Only for SLOs defined with the occurrences budgeting method and a calendar-aligned time window.
example: true
type: boolean
remaining:
description: The error budget remaining, as a percentage of the initial value.
example: 0.2
type: number
required:
- initial
- consumed
- remaining
- isEstimated
SLOs_filter:
description: Defines properties for a filter
properties:
meta:
$ref: '#/components/schemas/SLOs_filter_meta'
query:
type: object
title: Filter
type: object
SLOs_filter_meta:
description: Defines properties for a filter
properties:
alias:
nullable: true
type: string
controlledBy:
type: string
disabled:
type: boolean
field:
type: string
group:
type: string
index:
type: string
isMultiIndex:
type: boolean
key:
type: string
negate:
type: boolean
params:
type: object
type:
type: string
value:
type: string
title: FilterMeta
type: object
SLOs_find_slo_definitions_response:
description: |
A paginated response of SLO definitions matching the query.
oneOf:
- type: object
properties:
page:
example: 1
type: number
perPage:
example: 25
type: number
results:
items:
$ref: '#/components/schemas/SLOs_slo_with_summary_response'
type: array
total:
example: 34
type: number
- type: object
properties:
page:
default: 1
description: For backward compatibility
type: number
perPage:
description: For backward compatibility
example: 25
type: number
results:
items:
$ref: '#/components/schemas/SLOs_slo_with_summary_response'
type: array
searchAfter:
description: The cursor to provide to get the next page of results
example:
- some-slo-id
- other-cursor-id
items:
type: string
type: array
size:
example: 25
type: number
total:
example: 34
type: number
title: Find SLO definitions response
type: object
SLOs_find_slo_response:
description: |
A paginated response of SLOs matching the query.
properties:
page:
example: 1
type: number
perPage:
example: 25
type: number
results:
items:
$ref: '#/components/schemas/SLOs_slo_with_summary_response'
type: array
searchAfter:
type: string
size:
description: Size provided for cursor based pagination
example: 25
type: number
total:
example: 34
type: number
title: Find SLO response
type: object
SLOs_group_by:
description: Optional group-by field or fields used to generate one SLO per distinct value
example:
- - service.name
- service.name
- - service.name
- service.environment
oneOf:
- type: string
- items:
type: string
type: array
title: Group by
SLOs_indicator_properties_apm_availability:
description: Defines properties for the APM availability indicator type
type: object
properties:
params:
description: An object containing the indicator parameters.
nullable: false
type: object
properties:
environment:
description: The APM service environment or "*"
example: production
type: string
filter:
description: KQL query used for filtering the data
example: 'service.foo : "bar"'
type: string
index:
description: The index used by APM metrics
example: metrics-apm*,apm*
type: string
service:
description: The APM service name
example: o11y-app
type: string
transactionName:
description: The APM transaction name or "*"
example: GET /my/api
type: string
transactionType:
description: The APM transaction type or "*"
example: request
type: string
required:
- service
- environment
- transactionType
- transactionName
- index
type:
description: The type of indicator.
example: sli.apm.transactionErrorRate
type: string
required:
- type
- params
title: APM availability
SLOs_indicator_properties_apm_latency:
description: Defines properties for the APM latency indicator type
type: object
properties:
params:
description: An object containing the indicator parameters.
nullable: false
type: object
properties:
environment:
description: The APM service environment or "*"
example: production
type: string
filter:
description: KQL query used for filtering the data
example: 'service.foo : "bar"'
type: string
index:
description: The index used by APM metrics
example: metrics-apm*,apm*
type: string
service:
description: The APM service name
example: o11y-app
type: string
threshold:
description: The latency threshold in milliseconds
example: 250
type: number
transactionName:
description: The APM transaction name or "*"
example: GET /my/api
type: string
transactionType:
description: The APM transaction type or "*"
example: request
type: string
required:
- service
- environment
- transactionType
- transactionName
- index
- threshold
type:
description: The type of indicator.
example: sli.apm.transactionDuration
type: string
required:
- type
- params
title: APM latency
SLOs_indicator_properties_custom_kql:
description: Defines properties for a custom query indicator type
type: object
properties:
params:
description: An object containing the indicator parameters.
nullable: false
type: object
properties:
dataViewId:
description: The Kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save the SLO again if you add or update runtime fields in the data view and those fields are used in the SLO queries.
example: 03b80ab3-003d-498b-881c-3beedbaf1162
type: string
filter:
$ref: '#/components/schemas/SLOs_kql_with_filters'
good:
$ref: '#/components/schemas/SLOs_kql_with_filters_good'
index:
description: The index or index pattern to use
example: my-service-*
type: string
timestampField:
description: |
The timestamp field used in the source index.
example: timestamp
type: string
total:
$ref: '#/components/schemas/SLOs_kql_with_filters_total'
required:
- index
- timestampField
- good
- total
type:
description: The type of indicator.
example: sli.kql.custom
type: string
required:
- type
- params
title: Custom Query
SLOs_indicator_properties_custom_metric:
description: Defines properties for a custom metric indicator type
type: object
properties:
params:
description: An object containing the indicator parameters.
nullable: false
type: object
properties:
dataViewId:
description: The Kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save the SLO again if you add or update runtime fields in the data view and those fields are used in the SLO queries.
example: 03b80ab3-003d-498b-881c-3beedbaf1162
type: string
filter:
description: The KQL query to filter the documents with.
example: 'field.environment : "production" and service.name : "my-service"'
type: string
good:
description: |
An object defining the "good" metrics and equation
type: object
properties:
equation:
description: The equation to calculate the "good" metric.
example: A
type: string
metrics:
description: List of metrics with their name, aggregation type, and field.
items:
oneOf:
- type: object
properties:
aggregation:
description: The aggregation type of the metric.
enum:
- sum
example: sum
type: string
field:
description: The field of the metric.
example: processor.processed
type: string
filter:
description: The filter to apply to the metric.
example: 'processor.outcome: *'
type: string
name:
description: The name of the metric. Only valid options are A-Z
example: A
pattern: ^[A-Z]$
type: string
required:
- name
- aggregation
- field
- type: object
properties:
aggregation:
description: The aggregation type of the metric.
enum:
- doc_count
example: doc_count
type: string
filter:
description: The filter to apply to the metric.
example: 'processor.outcome: *'
type: string
name:
description: The name of the metric. Only valid options are A-Z
example: A
pattern: ^[A-Z]$
type: string
required:
- name
- aggregation
type: array
required:
- metrics
- equation
index:
description: The index or index pattern to use
example: my-service-*
type: string
timestampField:
description: |
The timestamp field used in the source index.
example: timestamp
type: string
total:
description: |
An object defining the "total" metrics and equation
type: object
properties:
equation:
description: The equation to calculate the "total" metric.
example: A
type: string
metrics:
description: List of metrics with their name, aggregation type, and field.
items:
oneOf:
- type: object
properties:
aggregation:
description: The aggregation type of the metric.
enum:
- sum
example: sum
type: string
field:
description: The field of the metric.
example: processor.processed
type: string
filter:
description: The filter to apply to the metric.
example: 'processor.outcome: *'
type: string
name:
description: The name of the metric. Only valid options are A-Z
example: A
pattern: ^[A-Z]$
type: string
required:
- name
- aggregation
- field
- type: object
properties:
aggregation:
description: The aggregation type of the metric.
enum:
- doc_count
example: doc_count
type: string
filter:
description: The filter to apply to the metric.
example: 'processor.outcome: *'
type: string
name:
description: The name of the metric. Only valid options are A-Z
example: A
pattern: ^[A-Z]$
type: string
required:
- name
- aggregation
type: array
required:
- metrics
- equation
required:
- index
- timestampField
- good
- total
type:
description: The type of indicator.
example: sli.metric.custom
type: string
required:
- type
- params
title: Custom metric
SLOs_indicator_properties_histogram:
description: Defines properties for a histogram indicator type
type: object
properties:
params:
description: An object containing the indicator parameters.
nullable: false
type: object
properties:
dataViewId:
description: The Kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save the SLO again if you add or update runtime fields in the data view and those fields are used in the SLO queries.
example: 03b80ab3-003d-498b-881c-3beedbaf1162
type: string
filter:
description: The KQL query to filter the documents with.
example: 'field.environment : "production" and service.name : "my-service"'
type: string
good:
description: |
An object defining the "good" events
type: object
properties:
aggregation:
description: The type of aggregation to use.
enum:
- value_count
- range
example: value_count
type: string
field:
description: The field used to aggregate the good events.
example: processor.latency
type: string
filter:
description: The filter for good events.
example: 'processor.outcome: "success"'
type: string
from:
description: The starting value of the range. Only required for "range" aggregations.
example: 0
type: number
to:
description: The ending value of the range. Only required for "range" aggregations.
example: 100
type: number
required:
- aggregation
- field
index:
description: The index or index pattern to use
example: my-service-*
type: string
timestampField:
description: |
The timestamp field used in the source index.
example: timestamp
type: string
total:
description: |
An object defining the "total" events
type: object
properties:
aggregation:
description: The type of aggregation to use.
enum:
- value_count
- range
example: value_count
type: string
field:
description: The field used to aggregate the total events.
example: processor.latency
type: string
filter:
description: The filter for total events.
example: 'processor.outcome : *'
type: string
from:
description: The starting value of the range. Only required for "range" aggregations.
example: 0
type: number
to:
description: The ending value of the range. Only required for "range" aggregations.
example: 100
type: number
required:
- aggregation
- field
required:
- index
- timestampField
- good
- total
type:
description: The type of indicator.
example: sli.histogram.custom
type: string
required:
- type
- params
title: Histogram indicator
SLOs_indicator_properties_timeslice_metric:
description: Defines properties for a timeslice metric indicator type
type: object
properties:
params:
description: An object containing the indicator parameters.
nullable: false
type: object
properties:
dataViewId:
description: The Kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save the SLO again if you add or update runtime fields in the data view and those fields are used in the SLO queries.
example: 03b80ab3-003d-498b-881c-3beedbaf1162
type: string
filter:
description: The KQL query to filter the documents with.
example: 'field.environment : "production" and service.name : "my-service"'
type: string
index:
description: The index or index pattern to use
example: my-service-*
type: string
metric:
description: |
An object defining the metrics, equation, and threshold used to determine whether a slice is good or not
type: object
properties:
comparator:
description: The comparator to use to compare the equation to the threshold.
enum:
- GT
- GTE
- LT
- LTE
example: GT
type: string
equation:
description: The equation to calculate the metric.
example: A
type: string
metrics:
description: List of metrics with their name, aggregation type, and field.
items:
anyOf:
- $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
- $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'
- $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'
discriminator:
mapping:
avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'
last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'
std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
propertyName: aggregation
type: array
threshold:
description: The threshold used to determine if the metric is a good slice or not.
example: 100
type: number
required:
- metrics
- equation
- comparator
- threshold
timestampField:
description: |
The timestamp field used in the source index.
example: timestamp
type: string
required:
- index
- timestampField
- metric
type:
description: The type of indicator.
example: sli.metric.timeslice
type: string
required:
- type
- params
title: Timeslice metric
SLOs_kql_with_filters:
description: Defines properties for a filter
oneOf:
- description: The KQL query to filter the documents with.
example: 'field.environment : "production" and service.name : "my-service"'
type: string
- type: object
properties:
filters:
items:
$ref: '#/components/schemas/SLOs_filter'
type: array
kqlQuery:
type: string
title: KQL with filters
SLOs_kql_with_filters_good:
description: The KQL query used to define the good events.
oneOf:
- description: The KQL query to filter the documents with.
example: 'request.latency <= 150 and request.status_code : "2xx"'
type: string
- type: object
properties:
filters:
items:
$ref: '#/components/schemas/SLOs_filter'
type: array
kqlQuery:
type: string
title: KQL query for good events
SLOs_kql_with_filters_total:
description: The KQL query used to define all events.
oneOf:
- description: The KQL query to filter the documents with.
example: 'field.environment : "production" and service.name : "my-service"'
type: string
- type: object
properties:
filters:
items:
$ref: '#/components/schemas/SLOs_filter'
type: array
kqlQuery:
type: string
title: KQL query for all events
SLOs_objective:
description: Defines properties for the SLO objective
type: object
properties:
target:
description: The target objective, between 0 and 1 (both excluded)
example: 0.99
exclusiveMaximum: true
exclusiveMinimum: true
maximum: 100
minimum: 0
type: number
timesliceTarget:
description: The target objective for each slice when using the timeslices budgeting method
example: 0.995
maximum: 100
minimum: 0
type: number
timesliceWindow:
description: The duration of each slice when using the timeslices budgeting method, formatted as {duration}{unit}
example: 5m
type: string
required:
- target
title: Objective
SLOs_settings:
description: Defines properties for SLO settings.
properties:
frequency:
default: 1m
description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
example: 5m
type: string
preventInitialBackfill:
default: false
description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
example: true
type: boolean
syncDelay:
default: 1m
description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater than the source index refresh interval.
example: 5m
type: string
syncField:
description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay so that it accounts for data transmission delays. When unspecified, the indicator timestamp field is used.
example: event.ingested
type: string
title: Settings
type: object
SLOs_slo_definition_response:
title: SLO definition response
type: object
properties:
artifacts:
$ref: '#/components/schemas/SLOs_artifacts'
budgetingMethod:
$ref: '#/components/schemas/SLOs_budgeting_method'
createdAt:
description: The creation date
example: '2023-01-12T10:03:19.000Z'
type: string
description:
description: The description of the SLO.
example: My SLO description
type: string
enabled:
description: Indicate if the SLO is enabled
example: true
type: boolean
groupBy:
$ref: '#/components/schemas/SLOs_group_by'
id:
description: The identifier of the SLO.
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
indicator:
discriminator:
mapping:
sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency'
sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability'
sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram'
sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql'
sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric'
sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
propertyName: type
oneOf:
- $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
- $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
- $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
- $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
- $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
- $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
name:
description: The name of the SLO.
example: My Service SLO
type: string
objective:
$ref: '#/components/schemas/SLOs_objective'
revision:
description: The SLO revision
example: 2
type: number
settings:
$ref: '#/components/schemas/SLOs_settings'
tags:
description: List of tags
items:
type: string
type: array
timeWindow:
$ref: '#/components/schemas/SLOs_time_window'
updatedAt:
description: The last update date
example: '2023-01-12T10:03:19.000Z'
type: string
version:
description: The internal SLO version
example: 2
type: number
required:
- id
- name
- description
- indicator
- timeWindow
- budgetingMethod
- objective
- settings
- revision
- enabled
- groupBy
- tags
- createdAt
- updatedAt
- version
SLOs_slo_with_summary_response:
title: SLO response
type: object
properties:
budgetingMethod:
$ref: '#/components/schemas/SLOs_budgeting_method'
createdAt:
description: The creation date
example: '2023-01-12T10:03:19.000Z'
type: string
description:
description: The description of the SLO.
example: My SLO description
type: string
enabled:
description: Indicate if the SLO is enabled
example: true
type: boolean
groupBy:
$ref: '#/components/schemas/SLOs_group_by'
id:
description: The identifier of the SLO.
example: 8853df00-ae2e-11ed-90af-09bb6422b258
type: string
indicator:
discriminator:
mapping:
sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency'
sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability'
sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram'
sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql'
sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric'
sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
propertyName: type
oneOf:
- $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
- $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
- $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
- $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
- $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
- $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
instanceId:
description: The value derived from the groupBy field, if present, otherwise '*'
example: host-abcde
type: string
name:
description: The name of the SLO.
example: My Service SLO
type: string
objective:
$ref: '#/components/schemas/SLOs_objective'
revision:
description: The SLO revision
example: 2
type: number
settings:
$ref: '#/components/schemas/SLOs_settings'
summary:
$ref: '#/components/schemas/SLOs_summary'
tags:
description: List of tags
items:
type: string
type: array
timeWindow:
$ref: '#/components/schemas/SLOs_time_window'
updatedAt:
description: The last update date
example: '2023-01-12T10:03:19.000Z'
type: string
version:
description: The internal SLO version
example: 2
type: number
required:
- id
- name
- description
- indicator
- timeWindow
- budgetingMethod
- objective
- settings
- revision
- summary
- enabled
- groupBy
- instanceId
- tags
- createdAt
- updatedAt
- version
SLOs_summary:
description: The SLO computed data
properties:
errorBudget:
$ref: '#/components/schemas/SLOs_error_budget'
sliValue:
example: 0.9836
type: number
status:
$ref: '#/components/schemas/SLOs_summary_status'
required:
- status
- sliValue
- errorBudget
title: Summary
type: object
SLOs_summary_status:
enum:
- NO_DATA
- HEALTHY
- DEGRADING
- VIOLATED
example: HEALTHY
title: summary status
type: string
SLOs_time_window:
description: Defines properties for the SLO time window
type: object
properties:
duration:
description: 'The duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)'
example: 30d
type: string
type:
description: Indicates whether the time window is a rolling or a calendar-aligned time window.
enum:
- rolling
- calendarAligned
example: rolling
type: string
required:
- duration
- type
title: Time window
SLOs_timeslice_metric_basic_metric_with_field:
type: object
properties:
aggregation:
description: The aggregation type of the metric.
enum:
- sum
- avg
- min
- max
- std_deviation
- last_value
- cardinality
example: sum
type: string
field:
description: The field of the metric.
example: processor.processed
type: string
filter:
description: The filter to apply to the metric.
example: 'processor.outcome: "success"'
type: string
name:
description: The name of the metric. Only valid options are A-Z
example: A
pattern: ^[A-Z]$
type: string
required:
- name
- aggregation
- field
title: Timeslice Metric Basic Metric with Field
SLOs_timeslice_metric_doc_count_metric:
type: object
properties:
aggregation:
description: The aggregation type of the metric. Only valid option is "doc_count"
enum:
- doc_count
example: doc_count
type: string
filter:
description: The filter to apply to the metric.
example: 'processor.outcome: "success"'
type: string
name:
description: The name of the metric. Only valid options are A-Z
example: A
pattern: ^[A-Z]$
type: string
required:
- name
- aggregation
title: Timeslice Metric Doc Count Metric
SLOs_timeslice_metric_percentile_metric:
type: object
properties:
aggregation:
description: The aggregation type of the metric. Only valid option is "percentile"
enum:
- percentile
example: percentile
type: string
field:
description: The field of the metric.
example: processor.processed
type: string
filter:
description: The filter to apply to the metric.
example: 'processor.outcome: "success"'
type: string
name:
description: The name of the metric. Only valid options are A-Z
example: A
pattern: ^[A-Z]$
type: string
percentile:
description: The percentile value.
example: 95
type: number
required:
- name
- aggregation
- field
- percentile
title: Timeslice Metric Percentile Metric
SLOs_update_slo_request:
description: |
The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial updates are supported.
properties:
artifacts:
$ref: '#/components/schemas/SLOs_artifacts'
budgetingMethod:
$ref: '#/components/schemas/SLOs_budgeting_method'
description:
description: A description for the SLO.
type: string
groupBy:
$ref: '#/components/schemas/SLOs_group_by'
indicator:
oneOf:
- $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
- $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
- $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
- $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
- $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
- $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
name:
description: A name for the SLO.
type: string
objective:
$ref: '#/components/schemas/SLOs_objective'
settings:
$ref: '#/components/schemas/SLOs_settings'
tags:
description: List of tags
items:
type: string
type: array
timeWindow:
$ref: '#/components/schemas/SLOs_time_window'
title: Update SLO request
type: object
Synthetics_browserMonitorFields:
allOf:
- $ref: '#/components/schemas/Synthetics_commonMonitorFields'
- additionalProperties: true
type: object
properties:
ignore_https_errors:
default: false
description: Ignore HTTPS errors.
type: boolean
inline_script:
description: The inline script.
type: string
playwright_options:
description: Playwright options.
type: object
screenshots:
default: 'on'
description: The screenshot option.
enum:
- 'on'
- 'off'
- only-on-failure
type: string
synthetics_args:
description: Synthetics agent CLI arguments.
items:
type: string
type: array
type:
description: The monitor type.
enum:
- browser
type: string
required:
- inline_script
- type
title: Browser monitor fields
Synthetics_commonMonitorFields:
title: Common monitor fields
type: object
properties:
alert:
description: |
The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`.
type: object
enabled:
default: true
description: Specify whether the monitor is enabled.
type: boolean
labels:
additionalProperties:
type: string
description: |
Key-value pairs of labels to associate with the monitor. Labels can be used for filtering and grouping monitors.
type: object
locations:
description: |
The location to deploy the monitor.
Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations.
To list available locations you can:
- Run the `elastic-synthetics locations` command with the deployment's Kibana URL.
- Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*.
externalDocs:
url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts
items:
type: string
type: array
name:
description: The monitor name.
type: string
namespace:
default: default
description: |
The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`.
type: string
params:
description: The monitor parameters.
type: string
private_locations:
description: |
The private locations to which the monitors will be deployed.
These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic.
You can specify a private location using the location's name.
To list available private locations you can:
- Run the `elastic-synthetics locations` command with the deployment's Kibana URL.
- Go to *Synthetics > Settings* and click *Private locations*. Private locations will be listed in the table.
> info
> You can provide `locations` or `private_locations` or both. At least one is required.
items:
type: string
type: array
retest_on_failure:
default: true
description: |
Turn retesting on or off for when a monitor fails. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and, if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems.
type: boolean
schedule:
description: |
The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors.
type: number
service.name:
description: The APM service name.
type: string
tags:
description: An array of tags.
items:
type: string
type: array
timeout:
default: 16
description: |
The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time.
For browser monitors, the minimum timeout is 30 seconds. Browser monitor timeouts are only applied when the monitor runs on private locations. If a browser monitor specifies a timeout but has no private locations configured, the timeout will have no effect and a warning will be returned in the response.
type: number
required:
- name
Synthetics_getParameterResponse:
title: Get parameter response
type: object
properties:
description:
description: |
The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
type: string
id:
description: The unique identifier of the parameter.
type: string
key:
description: The key of the parameter.
type: string
namespaces:
description: |
The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
items:
type: string
type: array
tags:
description: |
An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
items:
type: string
type: array
value:
description: |
The value associated with the parameter. It will be included in the response if the user has write permissions.
type: string
Synthetics_getPrivateLocation:
additionalProperties: true
properties:
agentPolicyId:
description: The ID of the agent policy associated with the private location.
type: string
geo:
description: Geographic coordinates (WGS84) for the location.
type: object
properties:
lat:
description: The latitude of the location.
type: number
lon:
description: The longitude of the location.
type: number
required:
- lat
- lon
id:
description: The unique identifier of the private location.
type: string
isInvalid:
description: |
Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted.
type: boolean
label:
description: A label for the private location.
type: string
namespace:
description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location.
type: string
title: Post a private location
type: object
Synthetics_httpMonitorFields:
allOf:
- $ref: '#/components/schemas/Synthetics_commonMonitorFields'
- additionalProperties: true
type: object
properties:
check:
description: The check request settings.
type: object
properties:
request:
description: An optional request to send to the remote host.
type: object
properties:
body:
description: Optional request body content.
type: string
headers:
description: |
A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself.
type: object
method:
description: The HTTP method to use.
enum:
- HEAD
- GET
- POST
- OPTIONS
type: string
response:
additionalProperties: true
description: The expected response.
type: object
properties:
body:
type: object
headers:
description: A dictionary of expected HTTP headers. If the header is not found, the check fails.
type: object
ipv4:
default: true
description: If `true`, ping using the ipv4 protocol.
type: boolean
ipv6:
default: true
description: If `true`, ping using the ipv6 protocol.
type: boolean
max_redirects:
default: 0
description: The maximum number of redirects to follow.
type: number
mode:
default: any
description: |
The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS load balancer and want to ping every IP address for the specified hostname, you should use `all`.
enum:
- all
- any
type: string
password:
description: |
The password for authenticating with the server. The credentials are passed with the request.
type: string
proxy_headers:
description: Additional headers to send to proxies during CONNECT requests.
type: object
proxy_url:
description: The URL of the proxy to use for this monitor.
type: string
response:
description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents` field.
type: object
ssl:
description: |
The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.
type: object
type:
description: The monitor type.
enum:
- http
type: string
url:
description: The URL to monitor.
type: string
username:
description: |
The username for authenticating with the server. The credentials are passed with the request.
type: string
required:
- type
- url
title: HTTP monitor fields
Synthetics_icmpMonitorFields:
allOf:
- $ref: '#/components/schemas/Synthetics_commonMonitorFields'
- additionalProperties: true
type: object
properties:
host:
description: The host to ping.
type: string
type:
description: The monitor type.
enum:
- icmp
type: string
wait:
default: 1
description: The wait time in seconds.
type: number
required:
- host
- type
title: ICMP monitor fields
Synthetics_monitorWarning:
title: Monitor warning
type: object
properties:
message:
description: A human-readable warning message.
type: string
monitorId:
description: The monitor ID associated with the warning.
type: string
publicLocationIds:
description: The public location IDs associated with the warning.
items:
type: string
type: array
Synthetics_parameterRequest:
title: Parameter request
type: object
properties:
description:
description: A description of the parameter.
type: string
key:
description: The key of the parameter.
type: string
share_across_spaces:
description: Specify whether the parameter should be shared across spaces.
type: boolean
tags:
description: An array of tags to categorize the parameter.
items:
type: string
type: array
value:
description: The value associated with the parameter.
type: string
required:
- key
- value
Synthetics_postParameterResponse:
title: Post parameter response
type: object
properties:
description:
description: A description of the parameter.
type: string
id:
description: The unique identifier for the parameter.
type: string
key:
description: The parameter key.
type: string
share_across_spaces:
description: Indicates whether the parameter is shared across spaces.
type: boolean
tags:
description: An array of tags associated with the parameter.
items:
type: string
type: array
value:
description: The value associated with the parameter.
type: string
Synthetics_tcpMonitorFields:
allOf:
- $ref: '#/components/schemas/Synthetics_commonMonitorFields'
- additionalProperties: true
type: object
properties:
host:
description: |
The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200".
type: string
proxy_url:
description: |
The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option.
type: string
proxy_use_local_resolver:
default: false
description: |
Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server.
type: boolean
ssl:
description: |
The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.
type: object
type:
description: The monitor type.
enum:
- tcp
type: string
required:
- host
- type
title: TCP monitor fields
Task_manager_health_APIs_configuration:
description: |
This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system.
type: object
Task_manager_health_APIs_health_response:
title: Task health response properties
type: object
properties:
id:
type: string
last_update:
type: string
stats:
type: object
properties:
capacity_estimation:
description: |
This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions.
type: object
configuration:
$ref: '#/components/schemas/Task_manager_health_APIs_configuration'
runtime:
description: |
This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results.
type: object
workload:
$ref: '#/components/schemas/Task_manager_health_APIs_workload'
status:
type: string
timestamp:
type: string
Task_manager_health_APIs_workload:
description: |
This object summarizes the workload across the cluster, including the tasks in the system, their types, and current status.
type: object
bedrock_config:
title: Connector request properties for an Amazon Bedrock connector
description: Defines properties for connectors when type is `.bedrock`.
type: object
required:
- apiUrl
properties:
apiUrl:
type: string
description: The Amazon Bedrock request URL.
region:
type: string
description: |
Optional AWS region for request signing. Required when using a custom endpoint URL that does not include the region in the hostname (for example, `us-west-1`).
defaultModel:
type: string
description: |
The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.
default: us.anthropic.claude-sonnet-4-5-20250929-v1:0
crowdstrike_config:
title: Connector request config properties for a Crowdstrike connector
required:
- url
description: Defines config properties for connectors when type is `.crowdstrike`.
type: object
properties:
url:
description: |
The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
type: string
d3security_config:
title: Connector request properties for a D3 Security connector
description: Defines properties for connectors when type is `.d3security`.
type: object
required:
- url
properties:
url:
type: string
description: |
The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
email_config:
title: Connector request properties for an email connector
description: Defines properties for connectors when type is `.email`.
required:
- from
type: object
properties:
clientId:
description: |
The client identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
type: string
nullable: true
from:
description: |
The from address for all emails sent by the connector. It must be specified in `user@host-name` format.
type: string
hasAuth:
description: |
Specifies whether a user and password are required inside the secrets configuration.
default: true
type: boolean
host:
description: |
The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
type: string
oauthTokenUrl:
type: string
nullable: true
port:
description: |
The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
type: integer
secure:
description: |
Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.
type: boolean
service:
description: |
The name of the email service.
type: string
enum:
- elastic_cloud
- exchange_server
- gmail
- other
- outlook365
- ses
tenantId:
description: |
The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
type: string
nullable: true
gemini_config:
title: Connector request properties for a Google Gemini connector
description: Defines properties for connectors when type is `.gemini`.
type: object
required:
- apiUrl
- gcpRegion
- gcpProjectID
properties:
apiUrl:
type: string
description: The Google Gemini request URL.
defaultModel:
type: string
description: The generative artificial intelligence model for Google Gemini to use.
default: gemini-2.5-pro
gcpRegion:
type: string
description: The GCP region where the Vertex AI endpoint is enabled.
gcpProjectID:
type: string
description: The Google Cloud project ID that has the Vertex AI endpoint enabled.
resilient_config:
title: Connector request properties for an IBM Resilient connector
required:
- apiUrl
- orgId
description: Defines properties for connectors when type is `.resilient`.
type: object
properties:
apiUrl:
description: The IBM Resilient instance URL.
type: string
orgId:
description: The IBM Resilient organization ID.
type: string
index_config:
title: Connector request properties for an index connector
required:
- index
description: Defines properties for connectors when type is `.index`.
type: object
properties:
executionTimeField:
description: A field that indicates when the document was indexed.
default: null
type: string
nullable: true
index:
description: The Elasticsearch index to be written to.
type: string
refresh:
description: |
The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.
default: false
type: boolean
jira_config:
title: Connector request properties for a Jira connector
required:
- apiUrl
- projectKey
description: Defines properties for connectors when type is `.jira`.
type: object
properties:
apiUrl:
description: The Jira instance URL.
type: string
projectKey:
description: The Jira project key.
type: string
defender_config:
title: Connector request properties for a Microsoft Defender for Endpoint connector
required:
- apiUrl
- projectKey
description: Defines properties for connectors when type is `.microsoft_defender_endpoint`.
type: object
properties:
apiUrl:
type: string
description: |
The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts.
clientId:
type: string
description: The application (client) identifier for your app in the Azure portal.
oAuthScope:
type: string
description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API.
oAuthServerUrl:
type: string
description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API.
tenantId:
description: The tenant identifier for your app in the Azure portal.
type: string
genai_azure_config:
title: Connector request properties for an OpenAI connector that uses Azure OpenAI
description: |
Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`.
type: object
required:
- apiProvider
- apiUrl
properties:
apiProvider:
type: string
description: The OpenAI API provider.
enum:
- Azure OpenAI
apiUrl:
type: string
description: The OpenAI API endpoint.
genai_openai_config:
title: Connector request properties for an OpenAI connector
description: |
Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`.
type: object
required:
- apiProvider
- apiUrl
properties:
apiProvider:
type: string
description: The OpenAI API provider.
enum:
- OpenAI
apiUrl:
type: string
description: The OpenAI API endpoint.
defaultModel:
type: string
description: The default model to use for requests.
opsgenie_config:
title: Connector request properties for an Opsgenie connector
required:
- apiUrl
description: Defines properties for connectors when type is `.opsgenie`.
type: object
properties:
apiUrl:
description: |
The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
type: string
pagerduty_config:
title: Connector request properties for a PagerDuty connector
description: Defines properties for connectors when type is `.pagerduty`.
type: object
properties:
apiUrl:
description: The PagerDuty event URL.
type: string
nullable: true
example: https://events.pagerduty.com/v2/enqueue
sentinelone_config:
title: Connector request properties for a SentinelOne connector
required:
- url
description: Defines properties for connectors when type is `.sentinelone`.
type: object
properties:
url:
description: |
The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
type: string
servicenow_config:
title: Connector request properties for a ServiceNow ITSM connector
required:
- apiUrl
description: Defines properties for connectors when type is `.servicenow`.
type: object
properties:
apiUrl:
type: string
description: The ServiceNow instance URL.
clientId:
description: |
The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
type: string
isOAuth:
description: |
The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
default: false
type: boolean
jwtKeyId:
description: |
The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
type: string
userIdentifierValue:
description: |
The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
type: string
usesTableApi:
description: |
Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow.
default: true
type: boolean
servicenow_itom_config:
title: Connector request properties for a ServiceNow ITOM connector
required:
- apiUrl
description: Defines properties for connectors when type is `.servicenow-itom`.
type: object
properties:
apiUrl:
type: string
description: The ServiceNow instance URL.
clientId:
description: |
The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
type: string
isOAuth:
description: |
The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
default: false
type: boolean
jwtKeyId:
description: |
The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
type: string
userIdentifierValue:
description: |
The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
type: string
slack_api_config:
title: Connector request properties for a Slack connector
description: Defines properties for connectors when type is `.slack_api`.
type: object
properties:
allowedChannels:
type: array
description: A list of valid Slack channels.
items:
type: object
required:
- id
- name
maxItems: 25
properties:
id:
type: string
description: The Slack channel ID.
example: C123ABC456
minLength: 1
name:
type: string
description: The Slack channel name.
minLength: 1
swimlane_config:
title: Connector request properties for a Swimlane connector
required:
- apiUrl
- appId
- connectorType
description: Defines properties for connectors when type is `.swimlane`.
type: object
properties:
apiUrl:
description: The Swimlane instance URL.
type: string
appId:
description: The Swimlane application ID.
type: string
connectorType:
description: The type of connector. Valid values are `all`, `alerts`, and `cases`.
type: string
enum:
- all
- alerts
- cases
mappings:
title: Connector mappings properties for a Swimlane connector
description: The field mapping.
type: object
properties:
alertIdConfig:
title: Alert identifier mapping
description: Mapping for the alert ID.
type: object
required:
- fieldType
- id
- key
- name
properties:
fieldType:
type: string
description: The type of field in Swimlane.
id:
type: string
description: The identifier for the field in Swimlane.
key:
type: string
description: The key for the field in Swimlane.
name:
type: string
description: The name of the field in Swimlane.
caseIdConfig:
title: Case identifier mapping
description: Mapping for the case ID.
type: object
required:
- fieldType
- id
- key
- name
properties:
fieldType:
type: string
description: The type of field in Swimlane.
id:
type: string
description: The identifier for the field in Swimlane.
key:
type: string
description: The key for the field in Swimlane.
name:
type: string
description: The name of the field in Swimlane.
caseNameConfig:
title: Case name mapping
description: Mapping for the case name.
type: object
required:
- fieldType
- id
- key
- name
properties:
fieldType:
type: string
description: The type of field in Swimlane.
id:
type: string
description: The identifier for the field in Swimlane.
key:
type: string
description: The key for the field in Swimlane.
name:
type: string
description: The name of the field in Swimlane.
commentsConfig:
title: Case comment mapping
description: Mapping for the case comments.
type: object
required:
- fieldType
- id
- key
- name
properties:
fieldType:
type: string
description: The type of field in Swimlane.
id:
type: string
description: The identifier for the field in Swimlane.
key:
type: string
description: The key for the field in Swimlane.
name:
type: string
description: The name of the field in Swimlane.
descriptionConfig:
title: Case description mapping
description: Mapping for the case description.
type: object
required:
- fieldType
- id
- key
- name
properties:
fieldType:
type: string
description: The type of field in Swimlane.
id:
type: string
description: The identifier for the field in Swimlane.
key:
type: string
description: The key for the field in Swimlane.
name:
type: string
description: The name of the field in Swimlane.
ruleNameConfig:
title: Rule name mapping
description: Mapping for the name of the alert's rule.
type: object
required:
- fieldType
- id
- key
- name
properties:
fieldType:
type: string
description: The type of field in Swimlane.
id:
type: string
description: The identifier for the field in Swimlane.
key:
type: string
description: The key for the field in Swimlane.
name:
type: string
description: The name of the field in Swimlane.
severityConfig:
title: Severity mapping
description: Mapping for the severity.
type: object
required:
- fieldType
- id
- key
- name
properties:
fieldType:
type: string
description: The type of field in Swimlane.
id:
type: string
description: The identifier for the field in Swimlane.
key:
type: string
description: The key for the field in Swimlane.
name:
type: string
description: The name of the field in Swimlane.
thehive_config:
title: Connector request properties for a TheHive connector
description: Defines configuration properties for connectors when type is `.thehive`.
type: object
required:
- url
properties:
organisation:
type: string
description: |
The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.
url:
type: string
description: |
The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
tines_config:
title: Connector request properties for a Tines connector
description: Defines properties for connectors when type is `.tines`.
type: object
required:
- url
properties:
url:
description: |
The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
type: string
torq_config:
title: Connector request properties for a Torq connector
description: Defines properties for connectors when type is `.torq`.
type: object
required:
- webhookIntegrationUrl
properties:
webhookIntegrationUrl:
description: The endpoint URL of the Elastic Security integration in Torq.
type: string
auth_type:
title: Authentication type
type: string
nullable: true
enum:
- webhook-authentication-basic
- webhook-authentication-ssl
description: |
The type of authentication to use: basic, SSL, or none.
ca:
title: Certificate authority
type: string
description: |
A base64-encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.
cert_type:
title: Certificate type
type: string
description: |
If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.
enum:
- ssl-crt-key
- ssl-pfx
has_auth:
title: Has authentication
type: boolean
description: If true, a username and password for login type authentication must be provided.
default: true
verification_mode:
title: Verification mode
type: string
enum:
- certificate
- full
- none
default: full
description: |
Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation.
webhook_config:
title: Connector request properties for a Webhook connector
description: Defines properties for connectors when type is `.webhook`.
type: object
properties:
authType:
$ref: '#/components/schemas/auth_type'
ca:
$ref: '#/components/schemas/ca'
certType:
$ref: '#/components/schemas/cert_type'
hasAuth:
$ref: '#/components/schemas/has_auth'
headers:
type: object
nullable: true
description: A set of key-value pairs sent as headers with the request.
method:
type: string
default: post
enum:
- post
- put
description: |
The HTTP request method, either `post` or `put`.
url:
type: string
description: |
The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
verificationMode:
$ref: '#/components/schemas/verification_mode'
cases_webhook_config:
title: Connector request properties for a Webhook - Case Management connector
required:
- createIncidentJson
- createIncidentResponseKey
- createIncidentUrl
- getIncidentResponseExternalTitleKey
- getIncidentUrl
- updateIncidentJson
- updateIncidentUrl
- viewIncidentUrl
description: Defines properties for connectors when type is `.cases-webhook`.
type: object
properties:
authType:
$ref: '#/components/schemas/auth_type'
ca:
$ref: '#/components/schemas/ca'
certType:
$ref: '#/components/schemas/cert_type'
createCommentJson:
type: string
description: |
A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
example: '{"body": {{{case.comment}}}}'
createCommentMethod:
type: string
description: |
The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`.
default: put
enum:
- patch
- post
- put
createCommentUrl:
type: string
description: |
The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
example: https://example.com/issue/{{{external.system.id}}}/comment
createIncidentJson:
type: string
description: |
A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
createIncidentMethod:
type: string
description: |
The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`.
enum:
- patch
- post
- put
default: post
createIncidentResponseKey:
type: string
description: The JSON key in the create external case response that contains the case ID.
createIncidentUrl:
type: string
description: |
The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
getIncidentResponseExternalTitleKey:
type: string
description: The JSON key in the get external case response that contains the case title.
getIncidentUrl:
type: string
description: |
The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
example: https://example.com/issue/{{{external.system.id}}}
hasAuth:
$ref: '#/components/schemas/has_auth'
headers:
type: string
description: |
A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.
updateIncidentJson:
type: string
description: |
The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
updateIncidentMethod:
type: string
description: |
The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`.
default: put
enum:
- patch
- post
- put
updateIncidentUrl:
type: string
description: |
The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
example: https://example.com/issue/{{{external.system.id}}}
verificationMode:
$ref: '#/components/schemas/verification_mode'
viewIncidentUrl:
type: string
description: |
The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}}
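The `createIncidentJson`, `updateIncidentJson` and `createCommentJson` descriptions above all say the same thing: Kibana cannot validate the payload when the connector is created because the triple-brace Mustache variables make it invalid JSON, so a broken template only surfaces when the action runs. The script below is an added example (not Kibana code) that performs that deferred check offline before the connector is created: it renders each `{{{variable}}}` with a constructed sample value and then parses the result. It assumes, as the page's own examples imply, that each variable renders as a JSON literal (a quoted string, or an array for `case.tags`); the sample case values are constructed for the example.

```python
"""Pre-validate Kibana cases-webhook JSON templates offline.

Added example, not Kibana code. Assumption: each triple-brace Mustache
variable renders as a JSON literal (a quoted string, or an array for
case.tags), which is what the page's own examples imply.
"""
import json
import re

# Matches a Mustache triple-brace variable such as {{{case.title}}}.
MUSTACHE = re.compile(r"\{\{\{\s*([\w.]+)\s*\}\}\}")

# Variables the page lists as required for each template field.
REQUIRED_VARIABLES = {
    "createIncidentJson": {"case.title", "case.description"},
    "updateIncidentJson": {"case.title", "case.description"},
    "createCommentJson": {"case.comment"},
}

# Constructed sample values standing in for a real Kibana case (assumption).
SAMPLE_VALUES = {
    "case.title": "Suspicious login burst",
    "case.description": "Several failed logins followed by a success",
    "case.tags": ["auth", "brute-force"],
    "case.comment": "Escalated to on-call",
    "external.system.id": "INC-0001",
}


def raw_is_valid_json(template: str) -> bool:
    """True only if the unrendered template already parses as JSON.

    For any template that uses triple-brace variables this is False,
    which is why Kibana defers validation until the variables are rendered.
    """
    try:
        json.loads(template)
        return True
    except json.JSONDecodeError:
        return False


def render(template: str, values: dict) -> str:
    """Substitute every {{{variable}}} with the JSON encoding of its value."""
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown variable {name}")
        return json.dumps(values[name])
    return MUSTACHE.sub(substitute, template)


def check_template(field: str, template: str, values: dict = SAMPLE_VALUES):
    """Check one cases-webhook template field the way the deferred validation would.

    Returns (ok, problems): ok is True when every required variable is
    present and the rendered payload parses as JSON.
    """
    problems = []
    used = set(MUSTACHE.findall(template))
    missing = REQUIRED_VARIABLES.get(field, set()) - used
    for name in sorted(missing):
        problems.append(f"{field}: required variable {name} is not used")
    try:
        rendered = render(template, values)
    except KeyError as exc:
        problems.append(f"{field}: {exc.args[0]}")
        return False, problems
    try:
        json.loads(rendered)
    except json.JSONDecodeError as exc:
        problems.append(
            f"{field}: rendered payload is not valid JSON ({exc.msg} at position {exc.pos})"
        )
    return not problems, problems


if __name__ == "__main__":
    # The page's own createIncidentJson example, plus a variant missing a brace.
    good = '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
    broken = '{"fields": {"summary": {{{case.title}}}}'
    for template in (good, broken):
        print(check_template("createIncidentJson", template))
```

Run this against every JSON template field before sending the create-connector request: a missing brace or a forgotten required variable is reported immediately instead of on the first alert that fires the action. Because `render` encodes values with `json.dumps`, a title containing quotes or backslashes is escaped the same way a JSON-literal variable would be, so the check is not fooled by awkward sample text.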
xmatters_config:
title: Connector request properties for an xMatters connector
description: Defines properties for connectors when type is `.xmatters`.
type: object
properties:
configUrl:
description: |
The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`.
type: string
nullable: true
usesBasic:
description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`).
type: boolean
default: true
bedrock_secrets:
title: Connector secrets properties for an Amazon Bedrock connector
description: Defines secrets for connectors when type is `.bedrock`.
type: object
required:
- accessKey
- secret
properties:
accessKey:
type: string
description: The AWS access key for authentication.
secret:
type: string
description: The AWS secret for authentication.
crowdstrike_secrets:
title: Connector secrets properties for a CrowdStrike connector
description: Defines secrets for connectors when type is `.crowdstrike`.
type: object
required:
- clientId
- clientSecret
properties:
clientId:
description: The CrowdStrike API client identifier.
type: string
clientSecret:
description: The CrowdStrike API client secret to authenticate the `clientId`.
type: string
d3security_secrets:
title: Connector secrets properties for a D3 Security connector
description: Defines secrets for connectors when type is `.d3security`.
required:
- token
type: object
properties:
token:
type: string
description: The D3 Security token.
email_secrets:
title: Connector secrets properties for an email connector
description: Defines secrets for connectors when type is `.email`.
type: object
properties:
clientSecret:
type: string
description: |
The Microsoft Exchange client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required.
password:
type: string
description: |
The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
user:
type: string
description: |
The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
gemini_secrets:
title: Connector secrets properties for a Google Gemini connector
description: Defines secrets for connectors when type is `.gemini`.
type: object
required:
- credentialsJson
properties:
credentialsJson:
type: string
description: The service account credentials JSON file. The service account should have the Vertex AI User IAM role assigned to it.
resilient_secrets:
title: Connector secrets properties for an IBM Resilient connector
required:
- apiKeyId
- apiKeySecret
description: Defines secrets for connectors when type is `.resilient`.
type: object
properties:
apiKeyId:
type: string
description: The authentication key ID for HTTP Basic authentication.
apiKeySecret:
type: string
description: The authentication key secret for HTTP Basic authentication.
jira_secrets:
title: Connector secrets properties for a Jira connector
required:
- apiToken
- email
description: Defines secrets for connectors when type is `.jira`.
type: object
properties:
apiToken:
description: The Jira API authentication token for HTTP basic authentication.
type: string
email:
description: The account email for HTTP Basic authentication.
type: string
teams_secrets:
title: Connector secrets properties for a Microsoft Teams connector
description: Defines secrets for connectors when type is `.teams`.
type: object
required:
- webhookUrl
properties:
webhookUrl:
type: string
description: |
The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
genai_secrets:
title: Connector secrets properties for an OpenAI connector
description: |
Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content.
type: object
properties:
apiKey:
type: string
description: |
The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one.
certificateData:
type: string
description: |
Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI.
minLength: 1
privateKeyData:
type: string
description: |
Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI.
minLength: 1
caData:
type: string
description: |
Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional.
minLength: 1
opsgenie_secrets:
title: Connector secrets properties for an Opsgenie connector
required:
- apiKey
description: Defines secrets for connectors when type is `.opsgenie`.
type: object
properties:
apiKey:
description: The Opsgenie API authentication key for HTTP Basic authentication.
type: string
pagerduty_secrets:
title: Connector secrets properties for a PagerDuty connector
description: Defines secrets for connectors when type is `.pagerduty`.
type: object
required:
- routingKey
properties:
routingKey:
description: |
A 32-character PagerDuty Integration Key for an integration on a service.
type: string
sentinelone_secrets:
title: Connector secrets properties for a SentinelOne connector
description: Defines secrets for connectors when type is `.sentinelone`.
type: object
required:
- token
properties:
token:
description: The SentinelOne API token.
type: string
servicenow_secrets:
title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors
description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`.
type: object
properties:
clientSecret:
type: string
description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`.
password:
type: string
description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`.
privateKey:
type: string
description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`.
privateKeyPassword:
type: string
description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key.
username:
type: string
description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`.
slack_api_secrets:
title: Connector secrets properties for a Web API Slack connector
description: Defines secrets for connectors when type is `.slack`.
required:
- token
type: object
properties:
token:
type: string
description: Slack bot user OAuth token.
swimlane_secrets:
title: Connector secrets properties for a Swimlane connector
description: Defines secrets for connectors when type is `.swimlane`.
type: object
properties:
apiToken:
description: Swimlane API authentication token.
type: string
thehive_secrets:
title: Connector secrets properties for a TheHive connector
description: Defines secrets for connectors when type is `.thehive`.
required:
- apiKey
type: object
properties:
apiKey:
type: string
description: The API key for authentication in TheHive.
tines_secrets:
title: Connector secrets properties for a Tines connector
description: Defines secrets for connectors when type is `.tines`.
type: object
required:
- email
- token
properties:
email:
description: The email used to sign in to Tines.
type: string
token:
description: The Tines API token.
type: string
torq_secrets:
title: Connector secrets properties for a Torq connector
description: Defines secrets for connectors when type is `.torq`.
type: object
required:
- token
properties:
token:
description: The secret of the webhook authentication header.
type: string
crt:
title: Certificate
type: string
description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64-encoded version of the CRT or CERT file.
key:
title: Certificate key
type: string
description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64-encoded version of the KEY file.
pfx:
title: Personal information exchange
type: string
description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64-encoded version of the PFX or P12 file.
webhook_secrets:
title: Connector secrets properties for a Webhook connector
description: Defines secrets for connectors when type is `.webhook`.
type: object
properties:
crt:
$ref: '#/components/schemas/crt'
key:
$ref: '#/components/schemas/key'
pfx:
$ref: '#/components/schemas/pfx'
password:
type: string
description: |
The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
user:
type: string
description: |
The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
cases_webhook_secrets:
title: Connector secrets properties for a Webhook - Case Management connector
type: object
properties:
crt:
$ref: '#/components/schemas/crt'
key:
$ref: '#/components/schemas/key'
pfx:
$ref: '#/components/schemas/pfx'
password:
type: string
description: |
The password for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
user:
type: string
description: |
The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
xmatters_secrets:
title: Connector secrets properties for an xMatters connector
description: Defines secrets for connectors when type is `.xmatters`.
type: object
properties:
password:
description: |
The password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
type: string
secretsUrl:
description: |
The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`.
type: string
user:
description: |
The user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
type: string
genai_openai_other_config:
title: Connector request properties for an OpenAI connector with Other provider
description: |
Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication.
type: object
required:
- apiProvider
- apiUrl
- defaultModel
properties:
apiProvider:
type: string
description: The OpenAI API provider.
enum:
- Other
apiUrl:
type: string
description: The OpenAI-compatible API endpoint.
defaultModel:
type: string
description: The default model to use for requests.
certificateData:
type: string
description: PEM-encoded certificate content.
minLength: 1
privateKeyData:
type: string
description: PEM-encoded private key content.
minLength: 1
caData:
type: string
description: PEM-encoded CA certificate content.
minLength: 1
verificationMode:
type: string
description: SSL verification mode for PKI authentication.
enum:
- full
- certificate
- none
default: full
headers:
type: object
description: Custom headers to include in requests.
additionalProperties:
type: string
defender_secrets:
title: Connector secrets properties for a Microsoft Defender for Endpoint connector
required:
- clientSecret
description: Defines secrets for connectors when type is `.microsoft_defender_endpoint`.
type: object
properties:
clientSecret:
description: The client secret for your app in the Azure portal.
type: string
run_acknowledge_resolve_pagerduty:
title: PagerDuty connector parameters
description: Test an action that acknowledges or resolves a PagerDuty alert.
type: object
required:
- dedupKey
- eventAction
properties:
dedupKey:
description: The deduplication key for the PagerDuty alert.
type: string
maxLength: 255
eventAction:
description: The type of event.
type: string
enum:
- acknowledge
- resolve
run_documents:
title: Index connector parameters
description: Test an action that indexes a document into Elasticsearch.
type: object
required:
- documents
properties:
documents:
type: array
description: The documents in JSON format for index connectors.
items:
type: object
additionalProperties: true
run_message_email:
title: Email connector parameters
description: |
Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`.
type: object
required:
- message
- subject
properties:
bcc:
type: array
items:
type: string
description: |
A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in `name <user@host-name>` format.
cc:
type: array
items:
type: string
description: |
A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in `name <user@host-name>` format.
message:
type: string
description: The email message text. Markdown format is supported.
subject:
type: string
description: The subject line of the email.
to:
type: array
description: |
A list of email addresses. Addresses can be specified in `user@host-name` format or in `name <user@host-name>` format.
items:
type: string
run_message_serverlog:
title: Server log connector parameters
description: Test an action that writes an entry to the Kibana server log.
type: object
required:
- message
properties:
level:
type: string
description: The log level of the message for server log connectors.
enum:
- debug
- error
- fatal
- info
- trace
- warn
default: info
message:
type: string
description: The message for server log connectors.
run_message_slack:
title: Slack connector parameters
description: |
Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`.
type: object
required:
- message
properties:
message:
type: string
description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
run_trigger_pagerduty:
title: PagerDuty connector parameters
description: Test an action that triggers a PagerDuty alert.
type: object
required:
- eventAction
properties:
class:
description: The class or type of the event.
type: string
example: cpu load
component:
description: The component of the source machine that is responsible for the event.
type: string
example: eth0
customDetails:
description: Additional details to add to the event.
type: object
dedupKey:
description: |
All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution.
type: string
maxLength: 255
eventAction:
description: The type of event.
type: string
enum:
- trigger
group:
description: The logical grouping of components of a service.
type: string
example: app-stack
links:
description: A list of links to add to the event.
type: array
items:
type: object
properties:
href:
description: The URL for the link.
type: string
text:
description: A plain text description of the purpose of the link.
type: string
severity:
description: The severity of the event on the affected system.
type: string
enum:
- critical
- error
- info
- warning
default: info
source:
description: |
The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.
type: string
summary:
description: A summary of the event.
type: string
maxLength: 1024
timestamp:
description: An ISO-8601 timestamp that indicates when the event was detected or generated.
type: string
format: date-time
run_addevent:
title: The addEvent subaction
type: object
required:
- subAction
description: The `addEvent` subaction for ServiceNow ITOM connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- addEvent
subActionParams:
type: object
description: The set of configuration properties for the action.
properties:
additional_info:
type: string
description: Additional information about the event.
description:
type: string
description: The details about the event.
event_class:
type: string
description: A specific instance of the source.
message_key:
type: string
description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `<rule ID>:<alert ID>`.
metric_name:
type: string
description: The name of the metric.
node:
type: string
description: The host that the event was triggered for.
resource:
type: string
description: The name of the resource.
severity:
type: string
description: The severity of the event.
source:
type: string
description: The name of the event source type.
time_of_event:
type: string
description: The time of the event.
type:
type: string
description: The type of event.
run_closealert:
title: The closeAlert subaction
type: object
required:
- subAction
- subActionParams
description: The `closeAlert` subaction for Opsgenie connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- closeAlert
subActionParams:
type: object
required:
- alias
properties:
alias:
type: string
description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.
note:
type: string
description: Additional information for the alert.
source:
type: string
description: The display name for the source of the alert.
user:
type: string
description: The display name for the owner.
run_closeincident:
title: The closeIncident subaction
type: object
required:
- subAction
- subActionParams
description: The `closeIncident` subaction for ServiceNow ITSM connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- closeIncident
subActionParams:
type: object
required:
- incident
properties:
incident:
type: object
anyOf:
- required:
- correlation_id
- required:
- externalId
properties:
correlation_id:
type: string
nullable: true
description: |
An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.
maxLength: 100
default: '{{rule.id}}:{{alert.id}}'
externalId:
type: string
nullable: true
description: The unique identifier (`incidentId`) for the incident in ServiceNow.
run_createalert:
title: The createAlert subaction
type: object
required:
- subAction
- subActionParams
description: The `createAlert` subaction for Opsgenie and TheHive connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- createAlert
subActionParams:
type: object
properties:
actions:
type: array
description: The custom actions available to the alert in Opsgenie connectors.
items:
type: string
alias:
type: string
description: The unique identifier used for alert deduplication in Opsgenie.
description:
type: string
description: A description that provides detailed information about the alert.
details:
type: object
description: The custom properties of the alert in Opsgenie connectors.
additionalProperties: true
example:
key1: value1
key2: value2
entity:
type: string
description: The domain of the alert in Opsgenie connectors. For example, the application or server name.
message:
type: string
description: The alert message in Opsgenie connectors.
note:
type: string
description: Additional information for the alert in Opsgenie connectors.
priority:
type: string
description: The priority level for the alert in Opsgenie connectors.
enum:
- P1
- P2
- P3
- P4
- P5
responders:
type: array
description: |
The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required.
items:
type: object
properties:
id:
type: string
description: The identifier for the entity.
name:
type: string
description: The name of the entity.
type:
type: string
description: The type of responder. Valid values are `escalation`, `schedule`, `team`, and `user`.
enum:
- escalation
- schedule
- team
- user
username:
type: string
description: A valid email address for the user.
severity:
type: integer
minimum: 1
maximum: 4
description: |
The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
source:
type: string
description: The display name for the source of the alert in Opsgenie and TheHive connectors.
sourceRef:
type: string
description: A source reference for the alert in TheHive connectors.
tags:
type: array
description: The tags for the alert in Opsgenie and TheHive connectors.
items:
type: string
title:
type: string
description: |
A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base.
tlp:
type: integer
minimum: 0
maximum: 4
default: 2
description: |
The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
type:
type: string
description: The type of alert in TheHive connectors.
user:
type: string
description: The display name for the owner.
visibleTo:
type: array
description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required.
items:
type: object
required:
- type
properties:
id:
type: string
description: The identifier for the entity.
name:
type: string
description: The name of the entity.
type:
type: string
description: Valid values are `team` and `user`.
enum:
- team
- user
username:
type: string
description: The user name. This property is required only when the `type` is `user`.
run_fieldsbyissuetype:
title: The fieldsByIssueType subaction
type: object
required:
- subAction
- subActionParams
description: The `fieldsByIssueType` subaction for Jira connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- fieldsByIssueType
subActionParams:
type: object
required:
- id
properties:
id:
type: string
description: The Jira issue type identifier.
example: 10024
run_getagentdetails:
title: The getAgentDetails subaction
type: object
required:
- subAction
- subActionParams
description: The `getAgentDetails` subaction for CrowdStrike connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- getAgentDetails
subActionParams:
type: object
description: The set of configuration properties for the action.
required:
- ids
properties:
ids:
type: array
description: An array of CrowdStrike agent identifiers.
items:
type: string
run_getagents:
title: The getAgents subaction
type: object
required:
- subAction
description: The `getAgents` subaction for SentinelOne connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- getAgents
run_getchoices:
title: The getChoices subaction
type: object
required:
- subAction
- subActionParams
description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- getChoices
subActionParams:
type: object
description: The set of configuration properties for the action.
required:
- fields
properties:
fields:
type: array
description: An array of fields.
items:
type: string
run_getfields:
title: The getFields subaction
type: object
required:
- subAction
description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- getFields
run_getincident:
title: The getIncident subaction
type: object
description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
required:
- subAction
- subActionParams
properties:
subAction:
type: string
description: The action to test.
enum:
- getIncident
subActionParams:
type: object
required:
- externalId
properties:
externalId:
type: string
description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.
example: 71778
run_issue:
title: The issue subaction
type: object
required:
- subAction
description: The `issue` subaction for Jira connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- issue
subActionParams:
type: object
required:
- id
properties:
id:
type: string
description: The Jira issue identifier.
example: 71778
run_issues:
title: The issues subaction
type: object
required:
- subAction
- subActionParams
description: The `issues` subaction for Jira connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- issues
subActionParams:
type: object
required:
- title
properties:
title:
type: string
description: The title of the Jira issue.
run_issuetypes:
title: The issueTypes subaction
type: object
required:
- subAction
description: The `issueTypes` subaction for Jira connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- issueTypes
run_postmessage:
title: The postMessage subaction
type: object
description: |
Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`.
required:
- subAction
- subActionParams
properties:
subAction:
type: string
description: The action to test.
enum:
- postMessage
subActionParams:
type: object
description: The set of configuration properties for the action.
properties:
channelIds:
type: array
maxItems: 1
description: |
The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration.
items:
type: string
channels:
type: array
deprecated: true
description: |
The name of a channel that your Slack app has access to.
maxItems: 1
items:
type: string
text:
type: string
description: |
The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages.
minLength: 1
run_pushtoservice:
title: The pushToService subaction
type: object
required:
- subAction
- subActionParams
description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
properties:
subAction:
type: string
description: The action to test.
enum:
- pushToService
subActionParams:
type: object
description: The set of configuration properties for the action.
properties:
comments:
type: array
description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive.
items:
type: object
properties:
comment:
type: string
description: A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId:
type: integer
description: A unique identifier for the comment.
incident:
type: object
description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive incident.
properties:
additional_fields:
type: string
nullable: true
maxLength: 20
description: |
Additional fields for ServiceNow ITSM and ServiceNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format.
alertId:
type: string
description: The alert identifier for Swimlane connectors.
caseId:
type: string
description: The case identifier for the incident for Swimlane connectors.
caseName:
type: string
description: The case name for the incident for Swimlane connectors.
category:
type: string
description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
correlation_display:
type: string
description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors.
correlation_id:
type: string
description: |
The correlation identifier for the security incident for ServiceNow ITSM and ServiceNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.
description:
type: string
description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
dest_ip:
description: |
A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
oneOf:
- type: string
- type: array
items:
type: string
externalId:
type: string
description: |
The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
id:
type: string
description: The external case identifier for Webhook - Case Management connectors.
impact:
type: string
description: The impact of the incident for ServiceNow ITSM connectors.
issueType:
type: integer
description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`.
labels:
type: array
items:
type: string
description: |
The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.
malware_hash:
description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.
oneOf:
- type: string
- type: array
items:
type: string
malware_url:
description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.
oneOf:
- type: string
- type: array
items:
type: string
otherFields:
type: object
additionalProperties: true
maxProperties: 20
description: |
Custom field identifiers and their values for Jira connectors.
parent:
type: string
description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues.
priority:
type: string
description: The priority of the incident in Jira and ServiceNow SecOps connectors.
ruleName:
type: string
description: The rule name for Swimlane connectors.
severity:
type: integer
description: |
The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
short_description:
type: string
description: |
A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.
source_ip:
description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
oneOf:
- type: string
- type: array
items:
type: string
status:
type: string
description: The status of the incident for Webhook - Case Management connectors.
subcategory:
type: string
description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
summary:
type: string
description: A summary of the incident for Jira connectors.
tags:
type: array
items:
type: string
description: A list of tags for TheHive and Webhook - Case Management connectors.
title:
type: string
description: |
A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.
tlp:
type: integer
minimum: 0
maximum: 4
default: 2
description: |
The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
urgency:
type: string
description: The urgency of the incident for ServiceNow ITSM connectors.
run_validchannelid:
title: The validChannelId subaction
type: object
description: |
Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`.
required:
- subAction
- subActionParams
properties:
subAction:
type: string
description: The action to test.
enum:
- validChannelId
subActionParams:
type: object
required:
- channelId
properties:
channelId:
type: string
description: The Slack channel identifier.
example: C123ABC456
securitySchemes:
apiKeyAuth:
description: |
These APIs use key-based authentication. Create an API key and send its `encoded` value, which is the base64 encoding of `<id>:<api_key>`, in the `Authorization` header. For example: `Authorization: ApiKey base64AccessApiKey`. The encoded value is a bearer credential: anyone who obtains it can call the APIs with the key's privileges, so send it only over HTTPS and scope the key to the minimum privileges the integration needs.
in: header
name: Authorization
type: apiKey
basicAuth:
description: |
HTTP basic authentication with a Kibana username and password, sent as `Authorization: Basic <base64 of username:password>`. Because the password travels with every request, use it only over HTTPS and prefer API keys for automation.
scheme: basic
type: http
x-topics:
- title: Kibana spaces
content: |
Spaces enable you to organize your dashboards and other saved objects into meaningful categories.
You can use the default space or create your own spaces.
To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. The default space has no prefix.
For example, to list the data views in the `marketing` space:
```bash
curl -X GET "https://${KIBANA_URL}/s/marketing/api/data_views" \
-H "Authorization: ApiKey ${API_KEY}"
```
Always use `https://` here: the `Authorization` header carries the API key in cleartext, and a plain `http://` URL exposes it on the wire.
If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.
To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces).
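The following script is an added example, not part of the Kibana documentation or the Kibana project itself. It puts together the two details described above: building the `Authorization: ApiKey` header from an API key id and secret (the `encoded` value is base64 of `id:api_key`), and composing a space-scoped path with the `s/{space_id}/` prefix, omitting the prefix for the default space. It refuses to build a request against a non-HTTPS base URL, and it validates the space identifier against the character set Kibana accepts for space ids (lowercase letters, digits, hyphens and underscores) so that a caller cannot smuggle extra path segments into the URL. The function names `kbn_api_key_header`, `kbn_space_url` and `kbn_request`, and the environment variables `KIBANA_URL`, `KIBANA_API_KEY_ID` and `KIBANA_API_KEY`, are this example's own conventions, not names from Kibana.

```bash
#!/usr/bin/env bash
# Added example: helpers for calling Kibana APIs with an API key.
# Not Kibana code; function and variable names are this script's own.
set -eu
export LC_ALL=C  # keep the [a-z0-9_-] range check locale-independent

# Build the Authorization header value from an API key id and secret.
# Kibana expects base64("<id>:<api_key>"), which is the same string the
# "encoded" field of the create-API-key response contains.
kbn_api_key_header() {
  local id="$1" key="$2"
  printf 'ApiKey %s' "$(printf '%s:%s' "$id" "$key" | base64 | tr -d '\n')"
}

# Compose "<base>/s/<space>/<path>" (or "<base>/<path>" for the default
# space). Refuses plain-HTTP bases so the key never crosses the wire in
# cleartext, and rejects space ids outside [a-z0-9_-] so "../" or "?" in
# a caller-supplied id cannot alter the request path.
kbn_space_url() {
  local base="$1" space="$2" path="$3"
  case "$base" in
    https://*) ;;
    *) printf 'refusing to send an API key to a non-HTTPS URL: %s\n' "$base" >&2
       return 1 ;;
  esac
  case "$space" in
    ""|*[!a-z0-9_-]*) printf 'invalid space id: %s\n' "$space" >&2
       return 1 ;;
  esac
  base="${base%/}"       # drop a trailing slash
  path="/${path#/}"      # ensure exactly one leading slash
  if [ "$space" = default ]; then
    printf '%s%s' "$base" "$path"
  else
    printf '%s/s/%s%s' "$base" "$space" "$path"
  fi
}

# Send a request. --proto '=https' stops curl from following a redirect
# to http://; kbn-xsrf is the header Kibana requires on mutating calls.
kbn_request() {
  local method="$1" url="$2" body="${3-}" auth
  auth="$(kbn_api_key_header "$KIBANA_API_KEY_ID" "$KIBANA_API_KEY")"
  if [ -n "$body" ]; then
    curl --proto '=https' -fsS -X "$method" "$url" \
      -H "Authorization: $auth" -H 'kbn-xsrf: true' \
      -H 'Content-Type: application/json' --data "$body"
  else
    curl --proto '=https' -fsS -X "$method" "$url" \
      -H "Authorization: $auth" -H 'kbn-xsrf: true'
  fi
}

# Usage: with KIBANA_API_KEY_ID and KIBANA_API_KEY exported, list the data
# views in the "marketing" space. Runs only when both variables are set.
if [ -n "${KIBANA_API_KEY_ID:-}" ] && [ -n "${KIBANA_API_KEY:-}" ]; then
  kbn_request GET "$(kbn_space_url "${KIBANA_URL:-https://localhost:5601}" marketing /api/data_views)"
fi
```

`kbn_space_url` deliberately fails closed: a rejected base URL or space id returns a non-zero status and prints nothing on stdout, so a caller that uses `"$(kbn_space_url ...)"` under `set -e` never reaches the `curl` call with a half-built URL.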
