Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
The API accepts 2 different authentication methods:
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Basic auth tokens are constructed with the Basic
keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a :
colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
If you have read
privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user
built-in role.
curl \
--request GET https://localhost:5601/api/alerting/rule_types
[
{
"id": "xpack.ml.anomaly_detection_alert",
"name": "Anomaly detection alert",
"alerts": {
"context": "ml.anomaly-detection",
"mappings": {
"fieldMap": {
"kibana.alert.job_id": {
"type": "keyword",
"array": false,
"required": true
},
"kibana.alert.is_interim": {
"type": "boolean",
"array": false,
"required": false
},
"kibana.alert.top_records": {
"type": "object",
"array": true,
"dynamic": false,
"required": false,
"properties": {
"actual": {
"type": "double"
},
"job_id": {
"type": "keyword"
},
"typical": {
"type": "double"
},
"function": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"field_name": {
"type": "keyword"
},
"is_interim": {
"type": "boolean"
},
"record_score": {
"type": "double"
},
"by_field_name": {
"type": "keyword"
},
"by_field_value": {
"type": "keyword"
},
"detector_index": {
"type": "integer"
},
"over_field_name": {
"type": "keyword"
},
"over_field_value": {
"type": "keyword"
},
"initial_record_score": {
"type": "double"
},
"partition_field_name": {
"type": "keyword"
},
"partition_field_value": {
"type": "keyword"
}
}
},
"kibana.alert.anomaly_score": {
"type": "double",
"array": false,
"required": false
},
"kibana.alert.top_influencers": {
"type": "object",
"array": true,
"dynamic": false,
"required": false,
"properties": {
"job_id": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"is_interim": {
"type": "boolean"
},
"influencer_score": {
"type": "double"
},
"influencer_field_name": {
"type": "keyword"
},
"influencer_field_value": {
"type": "keyword"
},
"initial_influencer_score": {
"type": "double"
}
}
},
"kibana.alert.anomaly_timestamp": {
"type": "date",
"array": false,
"required": false
}
}
},
"shouldWrite": true
},
"category": "management",
"producer": "ml",
"action_groups": [
{
"id": "anomaly_score_match",
"name": "Anomaly score matched the condition"
},
{
"id": "recovered",
"name": "Recovered"
}
],
"is_exportable": true,
"action_variables": {
"state": [],
"params": [],
"context": [
{
"name": "timestamp",
"description": "The bucket timestamp of the anomaly"
},
{
"name": "timestampIso8601",
"description": "The bucket time of the anomaly in ISO8601 format"
},
{
"name": "jobIds",
"description": "List of job IDs that triggered the alert"
},
{
"name": "message",
"description": "Alert info message"
},
{
"name": "isInterim",
"description": "Indicate if top hits contain interim results"
},
{
"name": "score",
"description": "Anomaly score at the time of the notification action"
},
{
"name": "topRecords",
"description": "Top records"
},
{
"name": "topInfluencers",
"description": "Top influencers"
},
{
"name": "anomalyExplorerUrl",
"description": "URL to open in the Anomaly Explorer",
"useWithTripleBracesInTemplates": true
}
]
},
"rule_task_timeout": "5m",
"enabled_in_license": true,
"has_alerts_mappings": true,
"authorized_consumers": {
"ml": {
"all": true,
"read": true
},
"apm": {
"all": true,
"read": true
},
"slo": {
"all": true,
"read": true
},
"logs": {
"all": true,
"read": true
},
"siem": {
"all": true,
"read": true
},
"alerts": {
"all": true,
"read": true
},
"uptime": {
"all": true,
"read": true
},
"discover": {
"all": true,
"read": true
},
"monitoring": {
"all": true,
"read": true
},
"stackAlerts": {
"all": true,
"read": true
},
"infrastructure": {
"all": true,
"read": true
}
},
"has_fields_for_a_a_d": false,
"recovery_action_group": {
"id": "recovered",
"name": "Recovered"
},
"default_action_group_id": "anomaly_score_match",
"minimum_license_required": "platinum",
"does_set_recovery_context": true
},
{
"id": "xpack.ml.anomaly_detection_jobs_health",
"name": "Anomaly detection jobs health",
"category": "management",
"producer": "ml",
"action_groups": [
{
"id": "anomaly_detection_realtime_issue",
"name": "Issue detected"
},
{
"id": "recovered",
"name": "Recovered"
}
],
"is_exportable": true,
"action_variables": {
"state": [],
"params": [],
"context": [
{
"name": "results",
"description": "Results of the rule execution"
},
{
"name": "message",
"description": "Alert info message"
}
]
},
"rule_task_timeout": "5m",
"enabled_in_license": true,
"has_alerts_mappings": false,
"authorized_consumers": {
"ml": {
"all": true,
"read": true
},
"apm": {
"all": true,
"read": true
},
"slo": {
"all": true,
"read": true
},
"logs": {
"all": true,
"read": true
},
"siem": {
"all": true,
"read": true
},
"alerts": {
"all": true,
"read": true
},
"uptime": {
"all": true,
"read": true
},
"discover": {
"all": true,
"read": true
},
"monitoring": {
"all": true,
"read": true
},
"stackAlerts": {
"all": true,
"read": true
},
"infrastructure": {
"all": true,
"read": true
}
},
"has_fields_for_a_a_d": false,
"recovery_action_group": {
"id": "recovered",
"name": "Recovered"
},
"default_action_group_id": "anomaly_detection_realtime_issue",
"minimum_license_required": "platinum",
"does_set_recovery_context": true
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
The identifier for the rule. If it is omitted, an ID is randomly generated.
Default value is []
(empty).
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
Additional properties are NOT allowed.
The name of the application or feature that owns the rule. For example: alerts
, apm
, discover
, infrastructure
, logs
, metrics
, ml
, monitoring
, securitySolution
, siem
, stackAlerts
, or uptime
.
Indicates whether you want to run the rule on an interval basis after it is created.
Default value is true
.
When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
Additional properties are NOT allowed.
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
Indicates how often alerts generate actions. Valid values include: onActionGroupChange
: Actions run when the alert status changes; onActiveAlert
: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval
: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when
at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
Values are onActionGroupChange
, onActiveAlert
, or onThrottleInterval
.
The rule type identifier.
The check interval, which specifies how frequently the rule conditions are checked.
Additional properties are NOT allowed.
Use the throttle
property in the action frequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
The parameters for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'
{
"name": "my Elasticsearch query ESQL rule",
"params": {
"size": 0,
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"notify_when": "onActiveAlert"
}
}
],
"consumer": "stackAlerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
{
"name": "my Elasticsearch query rule",
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
"threshold": [
100
],
"timeField": "@timestamp",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
}
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
{
"name": "my Elasticsearch query KQL rule",
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"rule_type_id": ".es-query"
}
{
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"alert_delay": {
"active": 3
},
"rule_type_id": ".index-threshold"
}
{
"name": "my tracking rule",
"params": {
"index": "kibana_sample_data_logs",
"entity": "agent.keyword",
"indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
"geoField": "geo.coordinates",
"dateField\"": "@timestamp",
"boundaryType": "entireIndex",
"boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
"boundaryGeoField": "location",
"boundaryNameField": "name",
"boundaryIndexTitle": "boundary*"
},
"consumer": "alerts",
"schedule": {
"interval": "1h"
},
"rule_type_id": ".geo-containment"
}
{
"id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"name": "my Elasticsearch query ESQL rule",
"tags": [],
"params": {
"size": 0,
"aggType": "count",
"groupBy": "all",
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">",
"excludeHitsFromPreviousRun\"": "true,"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActiveAlert"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "stackAlerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1d"
},
"throttle": null,
"created_at": "2023-11-01T19:00:10.453Z",
"created_by": "elastic",
"updated_at": "2023-11-01T19:00:10.453Z",
"updated_by": "elastic\",",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-11-01T19:00:10.453Z"
},
"scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"api_key_created_by_user": false
}
{
"id": "58148c70-407f-11ee-850e-c71febc4ca7f",
"name": "my Elasticsearch query rule",
"tags": [],
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"aggType": "count",
"esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
"groupBy": "all",
"threshold": [
100
],
"timeField": "@timestamp",
"searchType": "esQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
},
"connector_type_id": ".server-log"
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1d"
},
"throttle": null,
"created_at": "2023-08-22T00:03:38.263Z",
"created_by": "elastic",
"updated_at": "2023-08-22T00:03:38.263Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-08-22T00:03:38.263Z"
},
"scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
"api_key_created_by_user": false
}
{
"id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"name": "my Elasticsearch query KQL rule\"",
"tags": [],
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"actions": [],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-07-14T20:24:50.729Z",
"created_by": "elastic",
"updated_at": "2023-07-14T20:24:50.729Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-07-14T20:24:50.729Z"
},
"scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"api_key_created_by_user": false
}
{
"id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-06-08T17:20:31.632Z",
"created_by": "elastic",
"updated_at": "2022-06-08T17:20:31.632Z",
"updated_by": "elastic",
"alert_delay": {
"active": 3
},
"notify_when": null,
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2022-06-08T17:20:31.632Z"
},
"scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
"api_key_created_by_user": false
}
{
"id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
"name": "my tracking rule",
"tags": [],
"params": {
"index": "kibana_sample_data_logs",
"entity": "agent.keyword",
"indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
"geoField": "geo.coordinates",
"dateField": "@timestamp",
"boundaryType": "entireIndex",
"boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
"boundaryGeoField": "location",
"boundaryNameField": "name",
"boundaryIndexTitle": "boundary*"
},
"actions": [],
"enabled": true,
"running": false,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2024-02-15T03:26:38.033Z",
"revision": 1,
"schedule": {
"interval": "1h"
},
"throttle": null,
"created_at": "2024-02-14T19:52:55.920Z",
"created_by": "elastic",
"updated_at": "2024-02-15T03:24:32.574Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".geo-containment",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 74,
"last_execution_date": "2024-02-15T03:25:38.125Z"
},
"scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
"api_key_created_by_user": false
}
The identifier for the rule.
curl \
--request DELETE https://localhost:5601/api/alerting/rule/{id} \
--header "kbn-xsrf: true"
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"untrack":true}'
# Headers
kbn-xsrf: true
# Payload
{
"untrack": true
}
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
--header "kbn-xsrf: true"
Retrieve agentName
for a service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
The name of the service
curl \
--request GET https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node \
--header "elastic-api-version: 2023-10-31"
{
"agentName": "nodejs"
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
The name of the service
curl \
--request GET https://localhost:5601/api/apm/settings/agent-configuration/environments \
--header "elastic-api-version: 2023-10-31"
{
"environments": [
{
"alreadyConfigured": true,
"name": "ALL_OPTION_VALUE"
}
]
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
If etags match then applied_by_agent
field will be set to true
markAsAppliedByAgent=true
means "force setting it to true regardless of etag".
This is needed for Jaeger agent that doesn't have etags
Service
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/apm/settings/agent-configuration/search \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"mark_as_applied_by_agent": true,
"service": {
"environment": "prod",
"name": "node"
}
}
{
"_id": "string",
"_index": "string",
"_score": 42.0,
"_source": {
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Create a new annotation for a specific service.
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
A required header to protect against CSRF attacks
The name of the service
curl \
--request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"@timestamp": "string",
"message": "string",
"service": {
"environment": "string",
"version": "string"
},
"tags": [
"string"
]
}
{
"_id": "string",
"_index": "string",
"_source": {
"@timestamp": "string",
"annotation": {
"title": "string",
"type": "string"
},
"event": {
"created": "string"
},
"message": "string",
"service": {
"environment": "string",
"name": "string",
"version": "string"
},
"tags": [
"string"
]
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
Create APM fleet server schema.
Configure APM source maps.
You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
An array containing users that are assigned to the case.
Not more than 10
elements.
A word or phrase that categorizes the case.
Maximum length is 50
.
Defines properties for connectors when type is .none
.
Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
At least 0
but not more than 10
elements.
The description for the case.
Maximum length is 30000
.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
An object that contains the case settings.
Additional properties are allowed.
The severity of the case.
Values are critical
, high
, low
, or medium
. Default value is low
.
A title for the case.
Maximum length is 160
.
curl \
--request POST https://localhost:5601/api/cases \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
{
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
}
]
}
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzUzMiwxXQ==",
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"created_at": "2022-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 0,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Filters the returned cases by assignees. Valid values are none
or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.
Filters the returned cases by category.
he default operator to use for the simple_query_string.
Default value is OR
.
Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
The page number to return.
Default value is 1
.
The number of items to return. Limited to 100 items.
Maximum value is 100
. Default value is 20
.
Filters the returned cases by the user name of the reporter.
An Elasticsearch simple_query_string query that filters the objects in the response.
The fields to perform the simple_query_string parsed query against.
The severity of the case.
Values are critical
, high
, low
, or medium
.
Determines which field is used to sort the results.
Values are createdAt
, updatedAt
, closedAt
, title
, category
, status
, or severity
. Default value is createdAt
.
Determines the sort order.
Values are asc
or desc
. Default value is desc
.
Filters the returned cases by state.
Values are closed
, in-progress
, or open
.
Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
curl \
--request GET https://localhost:5601/api/cases/_find
{
"page": 1,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title",
"status": "open",
"version": "WzExMCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-12T00:16:36.371Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-12T00:27:58.162Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "Case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
],
"total": 1,
"per_page": 5,
"count_open_cases": 1,
"count_closed_cases": 0,
"count_in_progress_cases": 0
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Attach a file to a case. You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
Content-Type: multipart/form-data
HTTP header.The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: string" \
--form "file=@file" \
--form "filename=string"
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.
Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing
) or not automatically closed (close-by-user
).
Values are close-by-pushing
or close-by-user
.
An object that contains the connector configuration.
Additional properties are allowed.
Custom fields case configuration.
At least 0
but not more than 10
elements.
The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are cases
, observability
, or securitySolution
.
curl \
--request POST https://localhost:5601/api/cases/configure \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"owner":"cases","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"templates":[{"key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"],"caseFields":{"tags":["Default case tag"],"title":"Default case title","category":"Default-category","assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"description":"A default description for cases.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}]},"description":"A description of the template."}],"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":false,"defaultValue":"My custom field default value."}]}'
{
"owner": "cases",
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "A text field value for the template."
}
]
},
"description": "A description of the template."
}
],
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "My custom field default value."
}
]
}
{
"id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
"error": null,
"owner": "cases",
"version": "WzIwNzMsMV0=",
"mappings": [
{
"source": "title",
"target": "summary",
"action_type": "overwrite"
},
{
"source": "description",
"target": "description",
"action_type": "overwrite"
},
{
"source": "comments",
"target": "comments",
"action_type": "append"
},
{
"source": "tags",
"target": "labels",
"action_type": "overwrite"
}
],
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "A text field value for the template."
}
]
},
"description": "A description of the template."
}
],
"created_at": "2024-07-01T17:07:17.767Z",
"created_by": {
"email": "null,",
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "My custom field default value."
}
]
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Get information about connectors that are supported for use in cases. You must have read
privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
curl \
--request GET https://localhost:5601/api/cases/configure/connectors/_find
[
{
"id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
"name": "my-Jira",
"config": {
"apiUrl": "https://elastic.atlassian.net/",
"projectKey": "ES"
},
"actionTypeId": ".jira",
"isDeprecated": false,
"isPreconfigured": false,
"isMissingSecrets": false,
"referencedByCount": 0
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
You do not need any Kibana feature privileges to run this API.
A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
curl \
--request GET https://localhost:5601/api/actions/connector_types
[
{
"id": ".gen-ai",
"name": "OpenAI",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity",
"generativeAIForObservability",
"generativeAIForSearchPlayground"
],
"minimum_license_required": "enterprise"
},
{
"id": ".bedrock",
"name": "AWS Bedrock",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity",
"generativeAIForObservability",
"generativeAIForSearchPlayground"
],
"minimum_license_required": "enterprise"
},
{
"id": ".gemini",
"name": "Google Gemini",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity"
],
"minimum_license_required": "enterprise"
}
]
You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
An identifier for the connector.
Test an action that acknowledges or resolves a PagerDuty alert.
curl \
--request POST https://localhost:5601/api/actions/connector/{id}/_execute \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}'
{
"params": {
"documents": [
{
"id": "my_doc_id",
"name": "my_doc_name",
"message": "hello, world"
}
]
}
}
{
"params": {
"subAction": "issueTypes"
}
}
{
"params": {
"subAction": "getChoices",
"subActionParams": {
"fields": [
"severity",
"urgency"
]
}
}
}
{
"params": {
"subAction": "postMessage",
"subActionParams": {
"text": "A test message.",
"channelIds": [
"C123ABC456"
]
}
}
}
{
"params": {
"subAction": "pushToService",
"subActionParams": {
"comments": [
{
"comment": "A comment about the incident.",
"commentId": 1
}
],
"incident": {
"caseId": "1000",
"caseName": "Case name",
"description": "Description of the incident."
}
}
}
}
{
"data": {
"took": 135,
"items": [
{
"create": {
"_id": "4JtvwYUBrcyxt2NnfW3y",
"_index": "my-index",
"result": "created",
"status": 201,
"_seq_no": 0,
"_shards": {
"total": 2,
"failed": 0,
"successful": 1
},
"_version": 1,
"_primary_term": 1
}
}
],
"errors": false
},
"status": "ok",
"connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}
{
"data": [
{
"id": 10024,
"name": "Improvement"
},
{
"id": 10006,
"name": "Task"
},
{
"id": 10007,
"name": "Sub-task"
},
{
"id": 10025,
"name": "New Feature"
},
{
"id": 10023,
"name": "Bug"
},
{
"id": 10000,
"name": "Epic"
}
],
"status": "ok",
"connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}
{
"status": "ok",
"connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}
{
"data": [
{
"label": "Critical",
"value": 1,
"element": "severity",
"dependent_value": ""
},
{
"label": "Major",
"value": 2,
"element": "severity",
"dependent_value": ""
},
{
"label": "Minor",
"value": 3,
"element": "severity",
"dependent_value": ""
},
{
"label": "Warning",
"value": 4,
"element": "severity",
"dependent_value": ""
},
{
"label": "OK",
"value": 5,
"element": "severity",
"dependent_value": ""
},
{
"label": "Clear",
"value": 0,
"element": "severity",
"dependent_value": ""
},
{
"label": "1 - High",
"value": 1,
"element": "urgency",
"dependent_value": ""
},
{
"label": "2 - Medium",
"value": 2,
"element": "urgency",
"dependent_value": ""
},
{
"label": "3 - Low",
"value": 3,
"element": "urgency",
"dependent_value": ""
}
],
"status": "ok",
"connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}
{
"data": {
"ok": true,
"ts": "1234567890.123456",
"channel": "C123ABC456",
"message": {
"ts": "1234567890.123456",
"team": "T01ABCDE2F",
"text": "A test message",
"type": "message",
"user": "U12A345BC6D",
"app_id": "A01BC2D34EF",
"blocks": [
{
"type": "rich_text",
"block_id": "/NXe",
"elements": [
{
"type": "rich_text_section",
"elements": [
{
"text": "A test message.",
"type": "text"
}
]
}
]
}
],
"bot_id": "B12BCDEFGHI",
"bot_profile": {
"id": "B12BCDEFGHI",
"name": "test",
"icons": {
"image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
},
"app_id": "A01BC2D34EF",
"deleted": false,
"team_id": "T01ABCDE2F",
"updated": 1672169705
}
}
},
"status": "ok",
"connector_id": ".slack_api"
}
{
"data": {
"id": "aKPmBHWzmdRQtx6Mx",
"url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
"title": "TEST-457",
"comments": [
{
"commentId": 1,
"pushedDate": "2022-09-08T16:52:27.865Z"
}
],
"pushedDate": "2022-09-08T16:52:27.866Z"
},
"status": "ok",
"connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
A unique identifier for the dashboard.
curl \
--request GET https://localhost:5601/api/dashboards/dashboard/{id}
{
"item": {
"attributes": {
"controlGroupInput": {
"autoApplySelections": true,
"chainingSystem": "HIERARCHICAL",
"controls": [
{
"controlConfig": {},
"grow": false,
"id": "string",
"order": 42.0,
"type": "string",
"width": "medium"
}
],
"enhancements": {},
"ignoreParentSettings": {
"ignoreFilters": false,
"ignoreQuery": false,
"ignoreTimerange": false,
"ignoreValidations": false
},
"labelPosition": "oneLine"
},
"description": "",
"kibanaSavedObjectMeta": {
"searchSource": {
"filter": [
{
"$state": {
"store": "appState"
},
"meta": {
"alias": "string",
"controlledBy": "string",
"disabled": true,
"field": "string",
"group": "string",
"index": "string",
"isMultiIndex": true,
"key": "string",
"negate": true,
"type": "string",
"value": "string"
},
"query": {}
}
],
"query": {
"language": "string",
"query": "string"
},
"sort": [
{}
],
"type": "string"
}
},
"options": {
"hidePanelTitles": false,
"syncColors": true,
"syncCursor": true,
"syncTooltips": true,
"useMargins": true
},
"panels": [
{
"gridData": {
"h": 15,
"i": "string",
"w": 24,
"x": 42.0,
"y": 42.0
},
"id": "string",
"panelConfig": {
"description": "string",
"enhancements": {},
"hidePanelTitles": true,
"savedObjectId": "string",
"title": "string",
"version": "string"
},
"panelIndex": "string",
"panelRefName": "string",
"title": "string",
"type": "string",
"version": "string"
}
],
"refreshInterval": {
"display": "string",
"pause": true,
"section": 42.0,
"value": 42.0
},
"timeFrom": "string",
"timeRestore": false,
"timeTo": "string",
"title": "string",
"version": 42.0
},
"createdAt": "string",
"createdBy": "string",
"error": {
"error": "string",
"message": "string",
"metadata": {},
"statusCode": 42.0
},
"id": "string",
"managed": true,
"namespaces": [
"string"
],
"originId": "string",
"references": [
{
"id": "string",
"name": "string",
"type": "string"
}
],
"type": "string",
"updatedAt": "string",
"updatedBy": "string",
"version": "string"
},
"meta": {
"aliasPurpose": "savedObjectConversion",
"aliasTargetId": "string",
"outcome": "exactMatch"
}
}
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
A unique identifier for the dashboard.
curl \
--request DELETE https://localhost:5601/api/dashboards/dashboard/{id} \
--header "kbn-xsrf: true"
The name of the runtime field.
An identifier for the data view.
curl \
--request DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}
curl \
--request GET https://localhost:5601/api/data_views/default
{
"data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
curl \
--request POST https://localhost:5601/api/data_views/default \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"force":true,"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f"}'
{
"force": true,
"data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
{
"acknowledged": true
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request POST https://localhost:5601/api/fleet/agents/{agentId}/unenroll \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"revoke":true}'
# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"revoke": true
}
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
curl \
--request GET https://localhost:5601/api/fleet/agents/action_status
{
"items": [
{
"actionId": "string",
"cancellationTime": "string",
"completionTime": "string",
"creationTime": "string",
"expiration": "string",
"hasRolloutPeriod": true,
"latestErrors": [
{
"agentId": "string",
"error": "string",
"hostname": "string",
"timestamp": "string"
}
],
"nbAgentsAck": 42.0,
"nbAgentsActionCreated": 42.0,
"nbAgentsActioned": 42.0,
"nbAgentsFailed": 42.0,
"newPolicyId": "string",
"policyId": "string",
"revision": 42.0,
"startTime": "string",
"status": "COMPLETE",
"type": "UPGRADE",
"version": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request POST https://localhost:5601/api/fleet/agents/bulk_update_agent_tags \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"tagsToAdd":["string"],"tagsToRemove":["string"]}'
# Headers
kbn-xsrf: true
# Payload
{
"agents": [
"string"
],
"batchSize": 42.0,
"includeInactive": false,
"tagsToAdd": [
"string"
],
"tagsToRemove": [
"string"
]
}
{
"actionId": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get an agent binary download source by ID.
[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/agent_download_sources/{sourceId}
{
"item": {
"host": "https://example.com",
"id": "string",
"is_default": false,
"name": "string",
"proxy_id": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Copy an agent policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].
Values are simplified
or legacy
.
Minimum length is 1
.
curl \
--request POST https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/copy \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","name":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"name": "string"
}
{
"item": {
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get a list of outputs associated with agent policy by policy id.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/outputs
{
"item": {
"agentPolicyId": "string",
"data": {
"integrations": [
{
"id": "string",
"integrationPolicyName": "string",
"name": "string",
"pkgName": "string"
}
],
"output": {
"id": "string",
"name": "string"
}
},
"monitoring": {
"output": {
"id": "string",
"name": "string"
}
}
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Delete an agent policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].
curl \
--request POST https://localhost:5601/api/fleet/agent_policies/delete \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"agentPolicyId":"string","force":true}'
# Headers
kbn-xsrf: true
# Payload
{
"agentPolicyId": "string",
"force": true
}
{
"id": "string",
"name": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get a list of outputs associated with agent policies.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].
curl \
--request POST https://localhost:5601/api/fleet/agent_policies/outputs \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"ids":["string"]}'
# Headers
kbn-xsrf: true
# Payload
{
"ids": [
"string"
]
}
{
"items": [
{
"agentPolicyId": "string",
"data": {
"integrations": [
{
"id": "string",
"integrationPolicyName": "string",
"name": "string",
"pkgName": "string"
}
],
"output": {
"id": "string",
"name": "string"
}
},
"monitoring": {
"output": {
"id": "string",
"name": "string"
}
}
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
Default value is 1
.
Default value is 20
.
Default value is false
.
Default value is false
.
Default value is false
.
Default value is false
.
Values are asc
or desc
.
curl \
--request GET https://localhost:5601/api/fleet/agents
{
"items": [
{
"access_api_key": "string",
"access_api_key_id": "string",
"active": true,
"agent": {
"id": "string",
"version": "string"
},
"audit_unenrolled_reason": "string",
"components": [
{
"id": "string",
"message": "string",
"status": "STARTING",
"type": "string",
"units": [
{
"id": "string",
"message": "string",
"payload": {},
"status": "STARTING",
"type": "input"
}
]
}
],
"default_api_key": "string",
"default_api_key_history": [
{
"id": "string",
"retired_at": "string"
}
],
"default_api_key_id": "string",
"enrolled_at": "string",
"id": "string",
"last_checkin": "string",
"last_checkin_message": "string",
"last_checkin_status": "error",
"local_metadata": {},
"metrics": {
"cpu_avg": 42.0,
"memory_size_byte_avg": 42.0
},
"namespaces": [
"string"
],
"outputs": {
"additionalProperty1": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
},
"additionalProperty2": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
}
},
"packages": [
"string"
],
"policy_id": "string",
"policy_revision": 42.0,
"sort": [
42.0
],
"status": "offline",
"tags": [
"string"
],
"type": "PERMANENT",
"unenrolled_at": "string",
"unenrollment_started_at": "string",
"unhealthy_reason": [
"input"
],
"upgrade_details": {
"action_id": "string",
"metadata": {
"download_percent": 42.0,
"download_rate": 42.0,
"error_msg": "string",
"failed_state": "UPG_REQUESTED",
"retry_error_msg": "string",
"retry_until": "string",
"scheduled_at": "string"
},
"state": "UPG_REQUESTED",
"target_version": "string"
},
"upgrade_started_at": "string",
"upgraded_at": "string",
"user_provided_metadata": {}
}
],
"page": 42.0,
"perPage": 42.0,
"statusSummary": {
"additionalProperty1": 42.0,
"additionalProperty2": 42.0
},
"total": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
curl \
--request POST https://localhost:5601/api/fleet/agents \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"actionIds":["string"]}'
# Headers
kbn-xsrf: true
# Payload
{
"actionIds": [
"string"
]
}
{
"items": [
"string"
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get an agent by ID.
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
Default value is false
.
curl \
--request GET https://localhost:5601/api/fleet/agents/{agentId}
{
"item": {
"access_api_key": "string",
"access_api_key_id": "string",
"active": true,
"agent": {
"id": "string",
"version": "string"
},
"audit_unenrolled_reason": "string",
"components": [
{
"id": "string",
"message": "string",
"status": "STARTING",
"type": "string",
"units": [
{
"id": "string",
"message": "string",
"payload": {},
"status": "STARTING",
"type": "input"
}
]
}
],
"default_api_key": "string",
"default_api_key_history": [
{
"id": "string",
"retired_at": "string"
}
],
"default_api_key_id": "string",
"enrolled_at": "string",
"id": "string",
"last_checkin": "string",
"last_checkin_message": "string",
"last_checkin_status": "error",
"local_metadata": {},
"metrics": {
"cpu_avg": 42.0,
"memory_size_byte_avg": 42.0
},
"namespaces": [
"string"
],
"outputs": {
"additionalProperty1": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
},
"additionalProperty2": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
}
},
"packages": [
"string"
],
"policy_id": "string",
"policy_revision": 42.0,
"sort": [
42.0
],
"status": "offline",
"tags": [
"string"
],
"type": "PERMANENT",
"unenrolled_at": "string",
"unenrollment_started_at": "string",
"unhealthy_reason": [
"input"
],
"upgrade_details": {
"action_id": "string",
"metadata": {
"download_percent": 42.0,
"download_rate": 42.0,
"error_msg": "string",
"failed_state": "UPG_REQUESTED",
"retry_error_msg": "string",
"retry_until": "string",
"scheduled_at": "string"
},
"state": "UPG_REQUESTED",
"target_version": "string"
},
"upgrade_started_at": "string",
"upgraded_at": "string",
"user_provided_metadata": {}
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Update an agent by ID.
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
Additional properties are allowed.
curl \
--request PUT https://localhost:5601/api/fleet/agents/{agentId} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"tags":["string"],"user_provided_metadata":{}}'
# Headers
kbn-xsrf: true
# Payload
{
"tags": [
"string"
],
"user_provided_metadata": {}
}
{
"item": {
"access_api_key": "string",
"access_api_key_id": "string",
"active": true,
"agent": {
"id": "string",
"version": "string"
},
"audit_unenrolled_reason": "string",
"components": [
{
"id": "string",
"message": "string",
"status": "STARTING",
"type": "string",
"units": [
{
"id": "string",
"message": "string",
"payload": {},
"status": "STARTING",
"type": "input"
}
]
}
],
"default_api_key": "string",
"default_api_key_history": [
{
"id": "string",
"retired_at": "string"
}
],
"default_api_key_id": "string",
"enrolled_at": "string",
"id": "string",
"last_checkin": "string",
"last_checkin_message": "string",
"last_checkin_status": "error",
"local_metadata": {},
"metrics": {
"cpu_avg": 42.0,
"memory_size_byte_avg": 42.0
},
"namespaces": [
"string"
],
"outputs": {
"additionalProperty1": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
},
"additionalProperty2": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
}
},
"packages": [
"string"
],
"policy_id": "string",
"policy_revision": 42.0,
"sort": [
42.0
],
"status": "offline",
"tags": [
"string"
],
"type": "PERMANENT",
"unenrolled_at": "string",
"unenrollment_started_at": "string",
"unhealthy_reason": [
"input"
],
"upgrade_details": {
"action_id": "string",
"metadata": {
"download_percent": 42.0,
"download_rate": 42.0,
"error_msg": "string",
"failed_state": "UPG_REQUESTED",
"retry_error_msg": "string",
"retry_until": "string",
"scheduled_at": "string"
},
"state": "UPG_REQUESTED",
"target_version": "string"
},
"upgrade_started_at": "string",
"upgraded_at": "string",
"user_provided_metadata": {}
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Delete an agent by ID.
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request DELETE https://localhost:5601/api/fleet/agents/{agentId} \
--header "kbn-xsrf: true"
{
"action": "deleted"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get a file uploaded by an agent.
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
curl \
--request GET https://localhost:5601/api/fleet/agents/files/{fileId}/{fileName}
{}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].
curl \
--request POST https://localhost:5601/api/fleet/agents/setup \
--header "kbn-xsrf: true"
{
"isInitialized": true,
"nonFatalErrors": [
{
"message": "string",
"name": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
curl \
--request POST https://localhost:5601/api/fleet/epm/bulk_assets \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"assetIds":[{"id":"string","type":"string"}]}'
# Headers
kbn-xsrf: true
# Payload
{
"assetIds": [
{
"id": "string",
"type": "string"
}
]
}
{
"items": [
{
"appLink": "string",
"attributes": {
"description": "string",
"service": "string",
"title": "string"
},
"id": "string",
"type": "string",
"updatedAt": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].
curl \
--request POST https://localhost:5601/api/fleet/epm/custom_integrations \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"datasets":[{"name":"string","type":"logs"}],"force":true,"integrationName":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"datasets": [
{
"name": "string",
"type": "logs"
}
],
"force": true,
"integrationName": "string"
}
{
"_meta": {
"install_source": "string"
},
"items": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
curl \
--request GET https://localhost:5601/api/fleet/epm/packages
{
"items": [
{
"categories": [
"string"
],
"conditions": {
"elastic": {
"capabilities": [
"string"
],
"subscription": "string"
},
"kibana": {
"version": "string"
}
},
"data_streams": [
{}
],
"description": "string",
"discovery": {
"fields": [
{
"name": "string"
}
]
},
"download": "string",
"format_version": "string",
"icons": [
{
"dark_mode": true,
"path": "string",
"size": "string",
"src": "string",
"title": "string",
"type": "string"
}
],
"id": "string",
"installationInfo": {
"additional_spaces_installed_kibana": {
"additionalProperty1": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
],
"additionalProperty2": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
},
"created_at": "string",
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"install_format_schema_version": "string",
"install_source": "registry",
"install_status": "installed",
"installed_es": [
{
"deferred": true,
"id": "string",
"type": "index",
"version": "string"
}
],
"installed_kibana": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
],
"installed_kibana_space_id": "string",
"latest_executed_state": {
"error": "string",
"name": "string",
"started_at": "string"
},
"latest_install_failed_attempts": [
{
"created_at": "string",
"error": {
"message": "string",
"name": "string",
"stack": "string"
},
"target_version": "string"
}
],
"name": "string",
"namespaces": [
"string"
],
"type": "string",
"updated_at": "string",
"verification_key_id": "string",
"verification_status": "unverified",
"version": "string"
},
"integration": "string",
"internal": true,
"latestVersion": "string",
"name": "string",
"owner": {
"github": "string",
"type": "elastic"
},
"path": "string",
"policy_templates": [
{}
],
"readme": "string",
"release": "ga",
"signature_path": "string",
"source": {
"license": "string"
},
"status": "string",
"title": "string",
"type": "integration",
"vars": [
{}
],
"version": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].
Default value is false
.
Default value is false
.
curl \
--request POST https://localhost:5601/api/fleet/epm/packages \
--header "Content-Type: application/gzip; application/zip" \
--header "kbn-xsrf: true" \
--data-binary '@file'
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
Values are logs
, metrics
, traces
, synthetics
, or profiling
.
Default value is 15
.
Values are asc
or desc
. Default value is asc
.
curl \
--request GET https://localhost:5601/api/fleet/epm/packages/installed
{
"items": [
{
"dataStreams": [
{
"name": "string",
"title": "string"
}
],
"description": "string",
"icons": [
{
"dark_mode": true,
"path": "string",
"size": "string",
"src": "string",
"title": "string",
"type": "string"
}
],
"name": "string",
"status": "string",
"title": "string",
"version": "string"
}
],
"searchAfter": [
"string"
],
"total": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
curl \
--request GET https://localhost:5601/api/fleet/epm/packages/limited
{
"items": [
"string"
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].
Values are json
, yml
, or yaml
. Default value is json
.
curl \
--request GET https://localhost:5601/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
string
{
"inputs": [
{
"id": "string",
"streams": [
{
"data_stream": {
"dataset": "string",
"type": "string"
},
"id": "string"
}
],
"type": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].
curl \
--request GET https://localhost:5601/api/fleet/enrollment_api_keys
{
"items": [
{
"active": true,
"api_key": "string",
"api_key_id": "string",
"created_at": "string",
"id": "string",
"name": "string",
"policy_id": "string"
}
],
"list": [
{
"active": true,
"api_key": "string",
"api_key_id": "string",
"created_at": "string",
"id": "string",
"name": "string",
"policy_id": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/settings
{
"item": {
"delete_unenrolled_agents": {
"enabled": true,
"is_preconfigured": true
},
"has_seen_add_data_notice": true,
"id": "string",
"output_secret_storage_requirements_met": true,
"preconfigured_fields": [
"fleet_server_hosts"
],
"prerelease_integrations_enabled": true,
"secret_storage_requirements_met": true,
"use_space_awareness_migration_started_at": "string",
"use_space_awareness_migration_status": "pending",
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"message": "string"
}
[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].
curl \
--request POST https://localhost:5601/api/fleet/setup \
--header "kbn-xsrf: true"
{
"isInitialized": true,
"nonFatalErrors": [
{
"message": "string",
"name": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"message": "string"
}
Get output by ID.
[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].
curl \
--request GET https://localhost:5601/api/fleet/outputs/{outputId}
{
"item": {
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": false,
"is_default_monitoring": false,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "elasticsearch"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Update output by ID.
[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].
At least 1
element.
Values are balanced
, custom
, throughput
, scale
, or latency
.
Additional properties are NOT allowed.
Additional properties are NOT allowed.
Value is elasticsearch
.
curl \
--request PUT https://localhost:5601/api/fleet/outputs/{outputId} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"allow_edit":["string"],"ca_sha256":"string","ca_trusted_fingerprint":"string","config_yaml":"string","hosts":["https://example.com"],"id":"string","is_default":true,"is_default_monitoring":true,"is_internal":true,"is_preconfigured":true,"name":"string","preset":"balanced","proxy_id":"string","shipper":{"compression_level":42.0,"disk_queue_compression_enabled":true,"disk_queue_enabled":false,"disk_queue_encryption_enabled":true,"disk_queue_max_size":42.0,"disk_queue_path":"string","loadbalance":true,"max_batch_bytes":42.0,"mem_queue_events":42.0,"queue_flush_timeout":42.0},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string","verification_mode":"full"},"type":"elasticsearch"}'
# Headers
kbn-xsrf: true
# Payload
{
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": true,
"is_default_monitoring": true,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "elasticsearch"
}
# Headers
kbn-xsrf: true
# Payload
{
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": true,
"is_default_monitoring": true,
"is_internal": true,
"is_preconfigured": true,
"kibana_api_key": "string",
"kibana_url": "string",
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"secrets": {
"kibana_api_key": {
"id": "string"
},
"service_token": {
"id": "string"
}
},
"service_token": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"sync_integrations": true,
"type": "remote_elasticsearch"
}
# Headers
kbn-xsrf: true
# Payload
{
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"string"
],
"id": "string",
"is_default": true,
"is_default_monitoring": true,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"proxy_id": "string",
"secrets": {
"ssl": {
"key": {
"id": "string"
}
}
},
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "logstash"
}
# Headers
kbn-xsrf: true
# Payload
{
"allow_edit": [
"string"
],
"auth_type": "none",
"broker_timeout": 42.0,
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"client_id": "string",
"compression": "gzip",
"compression_level": [],
"config_yaml": "string",
"connection_type": [],
"hash": {
"hash": "string",
"random": true
},
"headers": [
{
"key": "string",
"value": "string"
}
],
"hosts": [
"string"
],
"id": "string",
"is_default": false,
"is_default_monitoring": false,
"is_internal": true,
"is_preconfigured": true,
"key": "string",
"name": "string",
"partition": "random",
"password": [],
"proxy_id": "string",
"random": {
"group_events": 42.0
},
"required_acks": 1,
"round_robin": {
"group_events": 42.0
},
"sasl": {
"mechanism": "PLAIN"
},
"secrets": {
"password": {
"id": "string"
},
"ssl": {
"key": {
"id": "string"
}
}
},
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"timeout": 42.0,
"topic": "string",
"type": "kafka",
"username": [],
"version": "string"
}
{
"item": {
"allow_edit": [
"string"
],
"ca_sha256": "string",
"ca_trusted_fingerprint": "string",
"config_yaml": "string",
"hosts": [
"https://example.com"
],
"id": "string",
"is_default": false,
"is_default_monitoring": false,
"is_internal": true,
"is_preconfigured": true,
"name": "string",
"preset": "balanced",
"proxy_id": "string",
"shipper": {
"compression_level": 42.0,
"disk_queue_compression_enabled": true,
"disk_queue_enabled": false,
"disk_queue_encryption_enabled": true,
"disk_queue_max_size": 42.0,
"disk_queue_path": "string",
"loadbalance": true,
"max_batch_bytes": 42.0,
"mem_queue_events": 42.0,
"queue_flush_timeout": 42.0
},
"ssl": {
"certificate": "string",
"certificate_authorities": [
"string"
],
"key": "string",
"verification_mode": "full"
},
"type": "elasticsearch"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/outputs/{outputId}/health
{
"message": "string",
"state": "string",
"timestamp": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Values are simplified
or legacy
.
You should use inputs as an object and not use the deprecated inputs array.
Package policy description
Force package policy creation even if package is not verified, or if the agent policy is managed.
Package policy unique identifier
Package policy name (should be unique)
The package policy namespace. Leave blank to inherit the agent policy's namespace.
Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
Additional properties are NOT allowed.
Additional properties are NOT allowed.
Agent policy ID where that package policy will be added
Agent policy IDs where that package policy will be added
Indicates whether the package policy belongs to an agentless agent policy.
Default value is false
.
Package variable (see integration documentation for more information)
curl \
--request POST https://localhost:5601/api/fleet/package_policies \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","enabled":true,"force":true,"id":"string","inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}'
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"enabled": true,
"force": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"supports_agentless": false,
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"force": true,
"id": "string",
"inputs": {
"additionalProperty1": {
"enabled": true,
"streams": {
"additionalProperty1": {
"enabled": true,
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"vars": {}
}
},
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"streams": {
"additionalProperty1": {
"enabled": true,
"vars": {}
},
"additionalProperty2": {
"enabled": true,
"vars": {}
}
},
"vars": {}
}
},
"name": "string",
"namespace": "string",
"output_id": "string",
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"supports_agentless": false,
"vars": {}
}
{
"item": {
"agents": 42.0,
"created_at": "string",
"created_by": "string",
"description": "string",
"elasticsearch": {
"privileges": {
"cluster": [
"string"
]
}
},
"enabled": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"revision": 42.0,
"secret_references": [
{
"id": "string"
}
],
"spaceIds": [
"string"
],
"supports_agentless": false,
"updated_at": "string",
"updated_by": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Values are simplified
or legacy
.
list of package policy ids
curl \
--request POST https://localhost:5601/api/fleet/package_policies/_bulk_get \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"ids":["string"],"ignoreMissing":true}'
# Headers
kbn-xsrf: true
# Payload
{
"ids": [
"string"
],
"ignoreMissing": true
}
{
"items": [
{
"agents": 42.0,
"created_at": "string",
"created_by": "string",
"description": "string",
"elasticsearch": {
"privileges": {
"cluster": [
"string"
]
}
},
"enabled": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"revision": 42.0,
"secret_references": [
{
"id": "string"
}
],
"spaceIds": [
"string"
],
"supports_agentless": false,
"updated_at": "string",
"updated_by": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"message": "string"
}
Delete a package policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].
curl \
--request DELETE https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
--header "kbn-xsrf: true"
{
"id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-settings-all].
Default value is false
.
curl \
--request POST https://localhost:5601/api/fleet/proxies \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","id":"string","is_preconfigured":false,"name":"string","proxy_headers":{},"url":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"certificate": "string",
"certificate_authorities": "string",
"certificate_key": "string",
"id": "string",
"is_preconfigured": false,
"name": "string",
"proxy_headers": {},
"url": "string"
}
{
"item": {
"certificate": "string",
"certificate_authorities": "string",
"certificate_key": "string",
"id": "string",
"is_preconfigured": false,
"name": "string",
"proxy_headers": {},
"url": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Delete a proxy by ID
[Required authorization] Route required privileges: ALL of [fleet-settings-all].
curl \
--request DELETE https://localhost:5601/api/fleet/proxies/{itemId} \
--header "kbn-xsrf: true"
{
"id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/fleet_server_hosts
{
"items": [
{
"host_urls": [
"string"
],
"id": "string",
"is_default": false,
"is_internal": true,
"is_preconfigured": false,
"name": "string",
"proxy_id": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
List the metadata for the latest uninstall tokens per agent policy.
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request GET https://localhost:5601/api/fleet/uninstall_tokens
{
"items": [
{
"created_at": "string",
"id": "string",
"namespaces": [
"string"
],
"policy_id": "string",
"policy_name": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Manage the roles that grant Elasticsearch and Kibana privileges.
The role name.
Minimum length is 1
.
If true
and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
curl \
--request GET https://localhost:5601/api/security/role/{name}
{
"name": "my_kibana_role",
"kibana": [
{
"base": [
"all"
],
"spaces": [
"default"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"description": "Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.",
"elasticsearch": {
"run_as": [],
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"privileges": [
"all"
],
"allow_restricted_indices": false
}
],
"remote_cluster": [
{
"clusters": [
"remote_cluster1"
],
"privileges": [
"monitor_enrich"
]
}
],
"remote_indices": [
{
"names": [
"remote_index1",
"remote_index2"
],
"clusters": [
"remote_cluster1"
],
"privileges": [
"all"
],
"allow_restricted_indices": false
}
]
},
"_transform_error": [],
"transient_metadata": {
"enabled": true
},
"_unrecognized_applications": []
}
Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.
The role name.
Minimum length is 1
, maximum length is 1024
.
When true, a role is not overwritten if it already exists.
Default value is false
.
A description for the role.
Maximum length is 2048
.
Additional properties are NOT allowed.
Additional properties are allowed.
curl \
--request PUT https://localhost:5601/api/security/role/{name} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"kibana":[{"base":[],"spaces":["default"],"feature":{"discover":["all"],"dashboard":["all"]}},{"base":["read"],"spaces":["marketing","sales"]}],"metadata":{"version":1},"description":"Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.","elasticsearch":{"cluster":[],"indices":[]}}'
{
"kibana": [
{
"base": [],
"spaces": [
"default"
],
"feature": {
"discover": [
"all"
],
"dashboard": [
"all"
]
}
},
{
"base": [
"read"
],
"spaces": [
"marketing",
"sales"
]
}
],
"metadata": {
"version": 1
},
"description": "Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.",
"elasticsearch": {
"cluster": [],
"indices": []
}
}
{
"kibana": [
{
"base": [],
"spaces": [
"marketing"
],
"feature": {
"dashboard": [
"read"
]
}
}
],
"metadata": {
"version": 1
},
"description": "Grant dashboard access in the Marketing space.",
"elasticsearch": {
"cluster": [],
"indices": []
}
}
{
"kibana": [
{
"base": [
"all"
],
"spaces": [
"default"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"elasticsearch": {
"cluster": [],
"indices": []
}
}
{
"kibana": [
{
"base": [
"all"
],
"spaces": [
"default"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"description": "Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.",
"elasticsearch": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"privileges": [
"all"
]
}
],
"remote_cluster": [
{
"clusters": [
"remote_cluster1"
],
"privileges": [
"monitor_enrich"
]
}
],
"remote_indices": [
{
"names": [
"remote_index1",
"remote_index2"
],
"clusters": [
"remote_cluster1"
],
"privileges": [
"all"
]
}
]
}
}
curl \
--request POST https://localhost:5601/api/security/roles \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"roles":{"additionalProperty1":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}},"additionalProperty2":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}}}}'
# Headers
kbn-xsrf: true
# Payload
{
"roles": {
"additionalProperty1": {
"description": "string",
"elasticsearch": {
"cluster": [
"string"
],
"indices": [
{
"allow_restricted_indices": true,
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"remote_cluster": [
{
"clusters": [
"string"
],
"privileges": [
"string"
]
}
],
"remote_indices": [
{
"allow_restricted_indices": true,
"clusters": [
"string"
],
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"run_as": [
"string"
]
},
"kibana": [
{
"base": [],
"feature": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"spaces": [
"*"
]
}
],
"metadata": {}
},
"additionalProperty2": {
"description": "string",
"elasticsearch": {
"cluster": [
"string"
],
"indices": [
{
"allow_restricted_indices": true,
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"remote_cluster": [
{
"clusters": [
"string"
],
"privileges": [
"string"
]
}
],
"remote_indices": [
{
"allow_restricted_indices": true,
"clusters": [
"string"
],
"field_security": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"names": [
"string"
],
"privileges": [
"string"
],
"query": "string"
}
],
"run_as": [
"string"
]
},
"kibana": [
{
"base": [],
"feature": {
"additionalProperty1": [
"string"
],
"additionalProperty2": [
"string"
]
},
"spaces": [
"*"
]
}
],
"metadata": {}
}
}
}
When true, overwrites the document with the same identifier.
curl \
--request POST https://localhost:5601/api/saved_objects/_bulk_create \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
# Headers
kbn-xsrf: string
# Payload
[
{}
]
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
curl \
--request POST https://localhost:5601/api/saved_objects/_bulk_get \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
# Headers
kbn-xsrf: string
# Payload
[
{}
]
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Retrieve a paginated set of Kibana saved objects.
An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the savedObjectType.attributes.title: "myTitle"
format must be used. For root fields, the syntax is savedObjectType.rootField
. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
The default operator to use for the simple_query_string
.
The fields to return in the attributes key of the response.
The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: savedObjectType.attributes.title: "myTitle"
. However, if you use a root attribute of a saved object such as updated_at
, you will have to define your filter like that: savedObjectType.updated_at > 2018-12-22
.
Filters to objects that do not have a relationship with the type and identifier combination.
Additional properties are allowed.
The operator to use for the has_no_reference
parameter. Either OR
or AND
. Defaults to OR
.
Filters to objects that have a relationship with the type and ID combination.
Additional properties are allowed.
The operator to use for the has_reference
parameter. Either OR
or AND
. Defaults to OR
.
The page of objects to return.
The number of objects to return per page.
An Elasticsearch simple_query_string
query that filters the objects in the response.
The fields to perform the simple_query_string
parsed query against.
Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed.
The saved object types to include.
curl \
--request GET https://localhost:5601/api/saved_objects/_find?type=string
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Retrieve a single Kibana saved object by identifier.
An identifier for the saved object.
Valid options include visualization
, dashboard
, search
, index-pattern
, config
.
curl \
--request GET https://localhost:5601/api/saved_objects/{type}/{id}
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Get a list of all anonymization fields.
Search query
Field to sort by
Values are created_at
, anonymized
, allowed
, field
, or updated_at
.
Sort order
Values are asc
or desc
.
Page number
Minimum value is 1
. Default value is 1
.
AnonymizationFields per page
Minimum value is 0
. Default value is 20
.
curl \
--request GET https://localhost:5601/api/security_ai_assistant/anonymization_fields/_find
{
"data": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
],
"page": 42,
"perPage": 42,
"total": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get a list of all conversations for the current user.
Search query
Field to sort by
Values are created_at
, is_default
, title
, or updated_at
.
Sort order
Values are asc
or desc
.
Page number
Minimum value is 1
. Default value is 1
.
Conversations per page
Minimum value is 0
. Default value is 20
.
curl \
--request GET https://localhost:5601/api/security_ai_assistant/current_user/conversations/_find
{
"data": [
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"isDefault": true,
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
],
"page": 42,
"perPage": 42,
"total": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get the details of an existing conversation using the conversation ID.
The conversation's id
value.
Minimum length is 1
.
curl \
--request GET https://localhost:5601/api/security_ai_assistant/current_user/conversations/{id}
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"isDefault": true,
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Update an existing conversation using the conversation ID.
The conversation's id
value.
Minimum length is 1
.
LLM API configuration.
Additional properties are allowed.
The conversation category.
Values are assistant
or insights
.
excludeFromLastConversationStorage.
A string that does not contain only whitespace characters
Minimum length is 1
.
The conversation messages.
Replacements object used to anonymize/deanomymize messsages
Additional properties are allowed.
The conversation title.
curl \
--request PUT https://localhost:5601/api/security_ai_assistant/current_user/conversations/{id} \
--header "Content-Type: application/json" \
--data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"summary":{"confidence":"low","content":"string","public":true,"timestamp":"string"},"title":"string"}'
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"excludeFromLastConversationStorage": true,
"id": "string",
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"title": "string"
}
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"isDefault": true,
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Create a Knowledge Base Entry
Name of the Knowledge Base Entry
Kibana Space, defaults to 'default' space
Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc
Source document name or filepath
Knowledge Base Entry content
Entry type
Value is document
.
Whether this resource should always be included, defaults to false
Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/security_ai_assistant/knowledge_base/entries \
--header "Content-Type: application/json" \
--data '{"name":"string","namespace":"string","users":[{"id":"string","name":"string"}],"kbResource":"string","source":"string","text":"string","type":"document","required":true,"vector":{"modelId":"string","tokens":{"additionalProperty1":42.0,"additionalProperty2":42.0}}}'
{
"name": "string",
"namespace": "string",
"users": [
{
"id": "string",
"name": "string"
}
],
"kbResource": "string",
"source": "string",
"text": "string",
"type": "document",
"required": true,
"vector": {
"modelId": "string",
"tokens": {
"additionalProperty1": 42.0,
"additionalProperty2": 42.0
}
}
}
{
"name": "string",
"namespace": "string",
"users": [
{
"id": "string",
"name": "string"
}
],
"description": "string",
"field": "string",
"index": "string",
"queryDescription": "string",
"type": "index",
"inputSchema": [
{
"description": "string",
"fieldName": "string",
"fieldType": "string"
}
],
"outputFields": [
"string"
]
}
{
"name": "string",
"namespace": "string",
"users": [
{
"id": "string",
"name": "string"
}
],
"createdAt": "string",
"createdBy": "string",
"id": "string",
"updatedAt": "string",
"updatedBy": "string",
"kbResource": "string",
"source": "string",
"text": "string",
"type": "document",
"required": true,
"vector": {
"modelId": "string",
"tokens": {
"additionalProperty1": 42.0,
"additionalProperty2": 42.0
}
}
}
{
"name": "string",
"namespace": "string",
"users": [
{
"id": "string",
"name": "string"
}
],
"createdAt": "string",
"createdBy": "string",
"id": "string",
"updatedAt": "string",
"updatedBy": "string",
"description": "string",
"field": "string",
"index": "string",
"queryDescription": "string",
"type": "index",
"inputSchema": [
{
"description": "string",
"fieldName": "string",
"fieldType": "string"
}
],
"outputFields": [
"string"
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Finds Knowledge Base Entries that match the given query.
Search query
Field to sort by
Values are created_at
, is_default
, title
, or updated_at
.
Sort order
Values are asc
or desc
.
Page number
Minimum value is 1
. Default value is 1
.
Knowledge Base Entries per page
Minimum value is 0
. Default value is 20
.
curl \
--request GET https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find
{
"data": [
{
"name": "string",
"namespace": "string",
"users": [
{
"id": "string",
"name": "string"
}
],
"createdAt": "string",
"createdBy": "string",
"id": "string",
"updatedAt": "string",
"updatedBy": "string",
"kbResource": "string",
"source": "string",
"text": "string",
"type": "document",
"required": true,
"vector": {
"modelId": "string",
"tokens": {
"additionalProperty1": 42.0,
"additionalProperty2": 42.0
}
}
}
],
"page": 42,
"perPage": 42,
"total": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Read a Knowledge Base Entry
The Knowledge Base Entry's id
value.
Minimum length is 1
.
curl \
--request GET https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/{id}
{
"name": "string",
"namespace": "string",
"users": [
{
"id": "string",
"name": "string"
}
],
"createdAt": "string",
"createdBy": "string",
"id": "string",
"updatedAt": "string",
"updatedBy": "string",
"kbResource": "string",
"source": "string",
"text": "string",
"type": "document",
"required": true,
"vector": {
"modelId": "string",
"tokens": {
"additionalProperty1": 42.0,
"additionalProperty2": 42.0
}
}
}
{
"name": "string",
"namespace": "string",
"users": [
{
"id": "string",
"name": "string"
}
],
"createdAt": "string",
"createdBy": "string",
"id": "string",
"updatedAt": "string",
"updatedBy": "string",
"description": "string",
"field": "string",
"index": "string",
"queryDescription": "string",
"type": "index",
"inputSchema": [
{
"description": "string",
"fieldName": "string",
"fieldType": "string"
}
],
"outputFields": [
"string"
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Deletes a single Knowledge Base Entry using the id
field
The Knowledge Base Entry's id
value
Minimum length is 1
.
curl \
--request DELETE https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/{id}
{
"id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Search query
Field to sort by
Values are created_at
, is_default
, name
, or updated_at
.
Sort order
Values are asc
or desc
.
Page number
Minimum value is 1
. Default value is 1
.
Prompts per page
Minimum value is 0
. Default value is 20
.
curl \
--request GET https://localhost:5601/api/security_ai_assistant/prompts/_find
{
"data": [
{
"categories": [
"string"
],
"color": "string",
"consumer": "string",
"content": "string",
"createdAt": "string",
"createdBy": "string",
"id": "string",
"isDefault": true,
"isNewConversationDefault": true,
"name": "string",
"namespace": "string",
"promptType": "system",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
],
"page": 42,
"perPage": 42,
"total": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
curl \
--request POST https://localhost:5601/api/detection_engine/index
{
"acknowledged": true
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}
Deletes multiple rules.
Indicates a successful call.
Invalid input data response
Unsuccessful authentication response
Internal server error response
curl \
--request POST https://localhost:5601/api/detection_engine/rules/_bulk_delete \
--header "Content-Type: application/json" \
--data '[{"id":"string","rule_id":"string"}]'
[
{
"id": "string",
"rule_id": "string"
}
]
[
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
]
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.
Search query
Field to sort by
Values are created_at
, createdAt
, enabled
, execution_summary.last_execution.date
, execution_summary.last_execution.metrics.execution_gap_duration_s
, execution_summary.last_execution.metrics.total_indexing_duration_ms
, execution_summary.last_execution.metrics.total_search_duration_ms
, execution_summary.last_execution.status
, name
, risk_score
, riskScore
, severity
, updated_at
, or updatedAt
.
Sort order
Values are asc
or desc
.
Page number
Minimum value is 1
. Default value is 1
.
Rules per page
Minimum value is 0
. Default value is 20
.
Gaps range start
Gaps range end
curl \
--request GET https://localhost:5601/api/detection_engine/rules/_find
{
"data": [
{
"actions": [
{
"action_type_id": "string",
"alerts_filter": {},
"frequency": {
"notifyWhen": "onActiveAlert",
"summary": true,
"throttle": "no_actions"
},
"group": "string",
"id": "string",
"params": {},
"uuid": "string"
}
],
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"author": [
"string"
],
"building_block_type": "string",
"description": "string",
"enabled": true,
"exceptions_list": [
{
"id": "string",
"list_id": "string",
"namespace_type": "agnostic",
"type": "detection"
}
],
"false_positives": [
"string"
],
"from": "string",
"interval": "string",
"investigation_fields": {
"field_names": [
"string"
]
},
"license": "string",
"max_signals": 42,
"meta": {},
"name": "string",
"namespace": "string",
"note": "string",
"outcome": "exactMatch",
"output_index": "string",
"references": [
"string"
],
"related_integrations": [
{
"integration": "string",
"package": "string",
"version": "string"
}
],
"required_fields": [
{
"ecs": true,
"name": "string",
"type": "string"
}
],
"response_actions": [
{
"action_type_id": ".osquery",
"params": {
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"pack_id": "string",
"queries": [
{
"ecs_mapping": {
"additionalProperty1": {
"field": "string",
"value": "string"
},
"additionalProperty2": {
"field": "string",
"value": "string"
}
},
"id": "string",
"platform": "string",
"query": "string",
"removed": true,
"snapshot": true,
"version": "string"
}
],
"query": "string",
"saved_query_id": "string",
"timeout": 42.0
}
}
],
"risk_score": 42,
"risk_score_mapping": [
{
"field": "string",
"operator": "equals",
"risk_score": 42,
"value": "string"
}
],
"rule_name_override": "string",
"setup": "string",
"severity": "low",
"severity_mapping": [
{
"field": "string",
"operator": "equals",
"severity": "low",
"value": "string"
}
],
"tags": [
"string"
],
"threat": [
{
"framework": "string",
"tactic": {
"id": "string",
"name": "string",
"reference": "string"
},
"technique": [
{
"id": "string",
"name": "string",
"reference": "string",
"subtechnique": [
{
"id": "string",
"name": "string",
"reference": "string"
}
]
}
]
}
],
"throttle": "no_actions",
"timeline_id": "string",
"timeline_title": "string",
"timestamp_override": "string",
"timestamp_override_fallback_disabled": true,
"to": "string",
"version": 42,
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"execution_summary": {
"last_execution": {
"date": "2025-05-04T09:42:00+00:00",
"message": "string",
"metrics": {
"execution_gap_duration_s": 42,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_enrichment_duration_ms": 42,
"total_indexing_duration_ms": 42,
"total_search_duration_ms": 42
},
"status": "going to run",
"status_order": 42
}
},
"id": "string",
"immutable": true,
"revision": 42,
"rule_id": "string",
"rule_source": {
"is_customized": true,
"type": "external"
},
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"language": "eql",
"query": "string",
"type": "eql",
"alert_suppression": {
"duration": {
"unit": "s",
"value": 42
},
"group_by": [
"string"
],
"missing_fields_strategy": "doNotSuppress"
},
"data_view_id": "string",
"event_category_override": "string",
"filters": [],
"index": [
"string"
],
"tiebreaker_field": "string",
"timestamp_field": "string"
}
],
"page": 42,
"perPage": 42,
"total": 42
}
Import detection rules from an .ndjson
file, including actions and exception lists. The request must include:
Content-Type: multipart/form-data
HTTP header..ndjson
file containing the rules.Determines whether existing rules with the same rule_id
are overwritten.
Default value is false
.
Determines whether existing exception lists with the same list_id
are overwritten.
Default value is false
.
Determines whether existing actions with the same kibana.alert.rule.actions.id
are overwritten.
Default value is false
.
Generates a new list ID for each imported exception list.
Default value is false
.
curl \
--request POST https://localhost:5601/api/detection_engine/rules/_import \
--header "Content-Type: multipart/form-data" \
--form "file=@file"
{
"action_connectors_errors": [
{
"error": {
"message": "string",
"status_code": 42
},
"id": "string",
"item_id": "string",
"list_id": "string",
"rule_id": "string"
}
],
"action_connectors_success": true,
"action_connectors_success_count": 42,
"action_connectors_warnings": [
{
"actionPath": "string",
"buttonLabel": "string",
"message": "string",
"type": "string"
}
],
"errors": [
{
"error": {
"message": "string",
"status_code": 42
},
"id": "string",
"item_id": "string",
"list_id": "string",
"rule_id": "string"
}
],
"exceptions_errors": [
{
"error": {
"message": "string",
"status_code": 42
},
"id": "string",
"item_id": "string",
"list_id": "string",
"rule_id": "string"
}
],
"exceptions_success": true,
"exceptions_success_count": 42,
"rules_count": 42,
"success": true,
"success_count": 42
}
Install and update all Elastic prebuilt detection rules and Timelines.
curl \
--request PUT https://localhost:5601/api/detection_engine/rules/prepackaged
{
"rules_installed": 42,
"rules_updated": 42,
"timelines_installed": 42,
"timelines_updated": 42
}
Assign users to detection alerts, and unassign them from alerts.
You cannot add and remove the same assignee in the same request.
curl \
--request POST https://localhost:5601/api/detection_engine/signals/assignees \
--header "Content-Type: application/json" \
--data '{"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"],"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]}}'
{
"ids": [
"681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
],
"assignees": {
"add": [
"u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
],
"remove": []
}
}
{
"ids": [
"681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
],
"assignees": {
"add": [],
"remove": [
"u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
]
}
}
{
"took": "76,",
"noops": 0,
"total": "1,",
"batches": "1,",
"deleted": 0,
"retries": [
{
"bulk": 0
},
{
"search": 0
}
],
"updated": "1,",
"failures": [],
"timed_out": "false,",
"throttled_millis": 0,
"version_conflicts": 0,
"requests_per_second": "-1,",
"throttled_until_millis": 0
}
Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, finalize it.
Array of migration_id
s to finalize
Array of migration_id
s to finalize.
At least 1
element.
curl \
--request POST https://localhost:5601/api/detection_engine/signals/finalize_migration \
--header "Content-Type: application/json" \
--data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'
{
"migration_ids": [
"924f7c50-505f-11eb-ae0a-3fa2e626a51d"
]
}
{
"migrations": [
{
"id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
"status": "success",
"updated": "2021-01-06T22:05:56.859Z",
"version": 16,
"completed": true,
"sourceIndex": ".siem-signals-default-000002",
"destinationIndex": ".siem-signals-default-000002-r000016"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Initiate a migration of detection alerts. Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly.
Alerts migration parameters
Array of index names to migrate.
At least 1
element. Minimum length of each is 1
.
The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API.
Minimum value is 1
.
Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API.
Minimum value is 1
.
The number of subtasks for the migration task. Corresponds to slices on the Reindex API.
Minimum value is 1
.
curl \
--request POST https://localhost:5601/api/detection_engine/signals/migration \
--header "Content-Type: application/json" \
--data '{"index":[".siem-signals-default-000001"]}'
{
"index": [
".siem-signals-default-000001"
]
}
{
"indices": [
{
"index": ".siem-signals-default-000001,",
"migration_id": "923f7c50-505f-11eb-ae0a-3fa2e626a51d",
"migration_index": ".siem-signals-default-000001-r000016"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.
Maximum age of qualifying detection alerts
curl \
--request GET https://localhost:5601/api/detection_engine/signals/migration_status?from=now-30d
{
"indices": [
{
"index": ".siem-signals-default-000002",
"version": 15,
"migrations": [
{
"id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
"status": "pending",
"updated": "2021-01-06T20:41:37.173Z",
"version": 16
}
],
"is_outdated": true,
"signal_versions": [
{
"count": 100,
"version": 15
},
{
"count": 87,
"version": 16
}
]
},
{
"index": ".siem-signals-default-000003",
"version": 16,
"migrations": [],
"is_outdated": false,
"signal_versions": [
{
"count": 54,
"version": 16
}
]
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Find and/or aggregate detection alerts that match the given query.
Search and/or aggregation query
Additional properties are allowed.
Additional properties are allowed.
Additional properties are allowed.
Minimum value is 0
.
curl \
--request POST https://localhost:5601/api/detection_engine/signals/search \
--header "Content-Type: application/json" \
--data '{"aggs":{"missingFields":{"missing":{"field":"host.name"}},"alertsByGrouping":{"terms":{"size":10,"field":"host.name"}}},"size":0,"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"should":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{}}'
{
"aggs": {
"missingFields": {
"missing": {
"field": "host.name"
}
},
"alertsByGrouping": {
"terms": {
"size": 10,
"field": "host.name"
}
}
},
"size": 0,
"query": {
"bool": {
"filter": [
{
"bool": {
"must": [],
"filter": [
{
"match_phrase": {
"kibana.alert.workflow_status": "open"
}
}
],
"should": [],
"must_not": [
{
"exists": {
"field": "kibana.alert.building_block_type"
}
}
]
}
},
{
"range": {
"@timestamp": {
"gte": "2025-01-17T08:00:00.000Z",
"lte": "2025-01-18T07:59:59.999Z"
}
}
}
]
}
},
"runtime_mappings": {}
}
{
"hits": {
"hits": [],
"total": {
"value": 5,
"relation": "eq"
},
"max_score": null
},
"took": 0,
"_shards": {
"total": 1,
"failed": 0,
"skipped": 0,
"successful": 1
},
"timed_out": false,
"aggregations": {
"missingFields": {
"doc_count": 0
},
"alertsByGrouping": {
"buckets": [
{
"key": "Host-f43kkddfyc",
"doc_count": 5
}
],
"sum_other_doc_count": 0,
"doc_count_error_upper_bound": 0
}
}
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Set the status of one or more detection alerts.
An object containing desired status and explicit alert ids or a query to select alerts
List of alert id
s.
At least 1
element. Minimum length of each is 1
.
The status of an alert, which can be open
, acknowledged
, in-progress
, or closed
.
Values are open
, closed
, acknowledged
, or in-progress
.
curl \
--request POST https://localhost:5601/api/detection_engine/signals/status \
--header "Content-Type: application/json" \
--data '{"status":"closed","signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"]}'
{
"status": "closed",
"signal_ids": [
"80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"
]
}
{
"query": {
"bool": {
"must": [],
"filter": [
{
"range": null,
"@timestamp": {
"gte": "2024-10-23T07:00:00.000Z",
"lte": "2025-01-21T20:12:11.704Z",
"format": "strict_date_optional_time"
}
},
{
"bool": {
"filter": {
"bool": {
"must": [],
"filter": [
{
"match_phrase": {
"kibana.alert.workflow_status": "open"
}
},
{
"range": null,
"@timestamp": {
"gte": "2024-10-23T07:00:00.000Z",
"lte": "2025-01-21T20:12:11.704Z",
"format": "strict_date_optional_time"
}
}
],
"should": [],
"must_not": [
{
"exists": {
"field": "kibana.alert.building_block_type"
}
}
]
}
}
}
}
],
"should": [],
"must_not": []
}
},
"status": "closed",
"conflicts": "proceed"
}
{
"took": 81,
"noops": 0,
"total": 1,
"batches": 1,
"deleted": 0,
"retries": {
"bulk": 0,
"search": 0
},
"updated": 1,
"failures": [],
"timed_out": false,
"throttled_millis": 0,
"version_conflicts": 0,
"requests_per_second": -1,
"throttled_until_millis": 0
}
{
"took": 100,
"noops": 0,
"total": 17,
"batches": 1,
"deleted": 0,
"retries": {
"bulk": 0,
"search": 0
},
"updated": 17,
"failures": [],
"timed_out": false,
"throttled_millis": 0,
"version_conflicts": 0,
"requests_per_second": -1,
"throttled_until_millis": 0
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.
curl \
--request POST https://localhost:5601/api/endpoint_list
{
"_version": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"description": "This list tracks allowlisted values.",
"id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
"immutable": true,
"list_id": "simple_list",
"meta": {},
"name": "My exception list",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "detection",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"version": 42
}
{}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Get a list of all endpoint exception list items.
Filters the returned results according to the value of the specified field,
using the <field name>:<field value>
syntax.
Minimum length is 1
.
The page number to return
Minimum value is 0
.
The number of exception list items to return per page
Minimum value is 0
.
Determines which field is used to sort the results
Minimum length is 1
.
Determines the sort order, which can be desc
or asc
Values are desc
or asc
.
curl \
--request GET https://localhost:5601/api/endpoint_list/items/_find
{
"data": [
{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"expire_time": "2025-05-04T09:42:00+00:00",
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"list_id": "simple_list",
"meta": {},
"name": "string",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "simple",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"page": 42,
"per_page": 42,
"pit": "string",
"total": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}
Exactly one of 'Raw', 'HostPath', or 'CloudFile' must be provided. CommandLine and Timeout are optional for all.
curl \
--request POST https://localhost:5601/api/endpoint/action/runscript \
--header "Content-Type: application/json" \
--data '{"parameters":{"commandLine":"string","raw":"string","timeout":42}}'
{
"parameters": {
"commandLine": "string",
"raw": "string",
"timeout": 42
}
}
{}
Scan a specific file or directory on an endpoint for malware.
The host agent type (optional). Defaults to endpoint.
Values are endpoint
, sentinel_one
, crowdstrike
, or microsoft_defender_endpoint
.
A list of alerts id
s.
At least 1
element. Minimum length of each is 1
.
Case IDs to be updated (cannot contain empty strings)
At least 1
element. Minimum length of each is 1
.
Optional comment
List of endpoint IDs (cannot contain empty strings)
At least 1
element. Minimum length of each is 1
.
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/endpoint/action/scan \
--header "Content-Type: application/json" \
--data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{"path":"string"}}'
{
"agent_type": "endpoint",
"alert_ids": [
"string"
],
"case_ids": [
"string"
],
"comment": "string",
"endpoint_ids": [
"string"
],
"parameters": {
"path": "string"
}
}
{}
The host agent type (optional). Defaults to endpoint.
Values are endpoint
, sentinel_one
, crowdstrike
, or microsoft_defender_endpoint
.
A list of alerts id
s.
At least 1
element. Minimum length of each is 1
.
Case IDs to be updated (cannot contain empty strings)
At least 1
element. Minimum length of each is 1
.
Optional comment
List of endpoint IDs (cannot contain empty strings)
At least 1
element. Minimum length of each is 1
.
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/endpoint/action/upload \
--header "Content-Type: application/json" \
--data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{"overwrite":false},"file":"@file"}'
{
"agent_type": "endpoint",
"alert_ids": [
"string"
],
"case_ids": [
"string"
],
"comment": "string",
"endpoint_ids": [
"string"
],
"parameters": {
"overwrite": false
},
"file": "@file"
}
{}
Additional properties are allowed.
curl \
--request GET https://localhost:5601/api/endpoint/metadata?query=%7B%7D
{}
curl \
--request GET https://localhost:5601/api/endpoint/metadata/{id}
{}
Additional properties are allowed.
curl \
--request GET https://localhost:5601/api/endpoint/policy_response?query=%7B%7D
{}