Authentication

The API accepts 2 different authentication methods:

Api key auth (http_api_key)

These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey

Basic auth (http)

Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password (separated by a : colon).

Example: send a Authorization: Basic aGVsbG86aGVsbG8= HTTP header with your requests to authenticate with the API.







Get the rule types

GET /api/alerting/rule_types

If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • action_groups array[object]

      An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.

      Hide action_groups attributes Show action_groups attributes object
    • A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.

      Additional properties are allowed.

      Hide action_variables attributes Show action_variables attributes object
    • alerts object

      Details for writing alerts as data documents for this rule type.

      Additional properties are allowed.

      Hide alerts attributes Show alerts attributes object
      • context string

        The namespace for this rule type.

        Values are ml.anomaly-detection, observability.apm, observability.logs, observability.metrics, observability.slo, observability.threshold, observability.uptime, security, or stack.

      • dynamic string

        Indicates whether new fields are added dynamically.

        Values are false, runtime, strict, or true.

      • Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.

      • mappings object

        Additional properties are allowed.

        Hide mappings attribute Show mappings attribute object
        • fieldMap object

          Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.

          Hide fieldMap attribute Show fieldMap attribute object
          • * object Additional properties

            Additional properties are allowed.

            Hide * attributes Show * attributes object
            • array boolean

              Indicates whether the field is an array.

            • dynamic boolean

              Indicates whether it is a dynamic field mapping.

            • format string

              Indicates the format of the field. For example, if the type is date_range, the format can be epoch_millis||strict_date_optional_time.

            • Specifies the maximum length of a string field. Longer strings are not indexed or stored.

            • index boolean

              Indicates whether field values are indexed.

            • path string

              TBD

            • Details about the object properties. This property is applicable when type is object.

              Hide properties attribute Show properties attribute object
              • * object Additional properties

                Additional properties are allowed.

                Hide * attribute Show * attribute object
                • type string

                  The data type for each object property.

            • required boolean

              Indicates whether the field is required.

            • The scaling factor to use when encoding values. This property is applicable when type is scaled_float. Values will be multiplied by this factor at index time and rounded to the closest long value.

            • type string

              Specifies the data type for the field.

      • A secondary alias. It is typically used to support the signals alias for detection rules.

      • Indicates whether the rule should write out alerts as data.

      • useEcs boolean

        Indicates whether to include the ECS component template for the alerts.

      • Indicates whether to include the legacy component template for the alerts.

        Default value is false.

    • The list of the plugins IDs that have access to the rule type.

      Additional properties are allowed.

      Hide authorized_consumers attributes Show authorized_consumers attributes object
      • alerts object

        Additional properties are allowed.

        Hide alerts attributes Show alerts attributes object
      • apm object

        Additional properties are allowed.

        Hide apm attributes Show apm attributes object
      • discover object

        Additional properties are allowed.

        Hide discover attributes Show discover attributes object
      • Additional properties are allowed.

        Hide infrastructure attributes Show infrastructure attributes object
      • logs object

        Additional properties are allowed.

        Hide logs attributes Show logs attributes object
      • ml object

        Additional properties are allowed.

        Hide ml attributes Show ml attributes object
      • Additional properties are allowed.

        Hide monitoring attributes Show monitoring attributes object
      • siem object

        Additional properties are allowed.

        Hide siem attributes Show siem attributes object
      • slo object

        Additional properties are allowed.

        Hide slo attributes Show slo attributes object
      • Additional properties are allowed.

        Hide stackAlerts attributes Show stackAlerts attributes object
      • uptime object

        Additional properties are allowed.

        Hide uptime attributes Show uptime attributes object
    • category string

      The rule category, which is used by features such as category-specific maintenance windows.

      Values are management, observability, or securitySolution.

    • The default identifier for the rule type group.

    • Indicates whether the rule passes context variables to its recovery action.

    • Indicates whether the rule type is enabled or disabled based on the subscription.

    • Indicates whether the rule type has custom mappings for the alert data.

    • id string

      The unique identifier for the rule type.

    • Indicates whether the rule type is exportable in Stack Management > Saved Objects.

    • The subscriptions required to use the rule type.

    • name string

      The descriptive name of the rule type.

    • producer string

      An identifier for the application that produces this rule type.

    • An action group to use when an alert goes from an active state to an inactive one.

      Additional properties are allowed.

      Hide recovery_action_group attributes Show recovery_action_group attributes object
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/rule_types
curl \
 --request GET https://localhost:5601/api/alerting/rule_types
Response examples (200)
[
  {
    "id": "xpack.ml.anomaly_detection_alert",
    "name": "Anomaly detection alert",
    "alerts": {
      "context": "ml.anomaly-detection",
      "mappings": {
        "fieldMap": {
          "kibana.alert.job_id": {
            "type": "keyword",
            "array": false,
            "required": true
          },
          "kibana.alert.is_interim": {
            "type": "boolean",
            "array": false,
            "required": false
          },
          "kibana.alert.top_records": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "actual": {
                "type": "double"
              },
              "job_id": {
                "type": "keyword"
              },
              "typical": {
                "type": "double"
              },
              "function": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "field_name": {
                "type": "keyword"
              },
              "is_interim": {
                "type": "boolean"
              },
              "record_score": {
                "type": "double"
              },
              "by_field_name": {
                "type": "keyword"
              },
              "by_field_value": {
                "type": "keyword"
              },
              "detector_index": {
                "type": "integer"
              },
              "over_field_name": {
                "type": "keyword"
              },
              "over_field_value": {
                "type": "keyword"
              },
              "initial_record_score": {
                "type": "double"
              },
              "partition_field_name": {
                "type": "keyword"
              },
              "partition_field_value": {
                "type": "keyword"
              }
            }
          },
          "kibana.alert.anomaly_score": {
            "type": "double",
            "array": false,
            "required": false
          },
          "kibana.alert.top_influencers": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "job_id": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "is_interim": {
                "type": "boolean"
              },
              "influencer_score": {
                "type": "double"
              },
              "influencer_field_name": {
                "type": "keyword"
              },
              "influencer_field_value": {
                "type": "keyword"
              },
              "initial_influencer_score": {
                "type": "double"
              }
            }
          },
          "kibana.alert.anomaly_timestamp": {
            "type": "date",
            "array": false,
            "required": false
          }
        }
      },
      "shouldWrite": true
    },
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_score_match",
        "name": "Anomaly score matched the condition"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "timestamp",
          "description": "The bucket timestamp of the anomaly"
        },
        {
          "name": "timestampIso8601",
          "description": "The bucket time of the anomaly in ISO8601 format"
        },
        {
          "name": "jobIds",
          "description": "List of job IDs that triggered the alert"
        },
        {
          "name": "message",
          "description": "Alert info message"
        },
        {
          "name": "isInterim",
          "description": "Indicate if top hits contain interim results"
        },
        {
          "name": "score",
          "description": "Anomaly score at the time of the notification action"
        },
        {
          "name": "topRecords",
          "description": "Top records"
        },
        {
          "name": "topInfluencers",
          "description": "Top influencers"
        },
        {
          "name": "anomalyExplorerUrl",
          "description": "URL to open in the Anomaly Explorer",
          "useWithTripleBracesInTemplates": true
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": true,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_score_match",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  },
  {
    "id": "xpack.ml.anomaly_detection_jobs_health",
    "name": "Anomaly detection jobs health",
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_detection_realtime_issue",
        "name": "Issue detected"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "results",
          "description": "Results of the rule execution"
        },
        {
          "name": "message",
          "description": "Alert info message"
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": false,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_detection_realtime_issue",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Create a rule

POST /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json

Body

  • actions array[object]

    Default value is [] (empty).

    Hide actions attributes Show actions attributes object
    • Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.

      Additional properties are NOT allowed.

      Hide alerts_filter attributes Show alerts_filter attributes object
      • query object

        Additional properties are NOT allowed.

        Hide query attributes Show query attributes object
        • dsl string

          A filter written in Elasticsearch Query Domain Specific Language (DSL).

        • filters array[object] Required

          A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

          Hide filters attributes Show filters attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              A filter can be either specific to an application context or applied globally.

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

          • query object

            Additional properties are allowed.

        • kql string Required

          A filter written in Kibana Query Language (KQL).

      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide timeframe attributes Show timeframe attributes object
        • days array[integer] Required

          Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

          Values are 1, 2, 3, 4, 5, 6, or 7.

        • hours object Required

          Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.

          Additional properties are NOT allowed.

          Hide hours attributes Show hours attributes object
          • end string Required

            The end of the time frame in 24-hour notation (hh:mm).

          • start string Required

            The start of the time frame in 24-hour notation (hh:mm).

        • timezone string Required

          The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

    • Additional properties are NOT allowed.

      Hide frequency attributes Show frequency attributes object
      • notify_when string Required

        Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

        Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

      • summary boolean Required

        Indicates whether the action is a summary.

      • throttle string | null Required

        The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • group string

      The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

    • id string Required

      The identifier for the connector saved object.

    • params object

      The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

      Default value is {} (empty). Additional properties are allowed.

    • Indicates whether to use alert data as a template.

    • uuid string

      A universally unique identifier (UUID) for the action.

  • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

    Additional properties are NOT allowed.

    Hide alert_delay attribute Show alert_delay attribute object
    • active number Required

      The number of consecutive runs that must meet the rule conditions.

  • consumer string Required

    The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

  • enabled boolean

    Indicates whether you want to run the rule on an interval basis after it is created.

    Default value is true.

  • flapping object | null

    When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

    Additional properties are NOT allowed.

    Hide flapping attributes Show flapping attributes object | null
    • look_back_window number Required

      The minimum number of runs in which the threshold must be met.

      Minimum value is 2, maximum value is 20.

    • The minimum number of times an alert must switch states in the look back window.

      Minimum value is 2, maximum value is 20.

  • name string Required

    The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.

  • notify_when string | null

    Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • rule_type_id string Required

    The rule type identifier.

  • schedule object Required

    The check interval, which specifies how frequently the rule conditions are checked.

    Additional properties are NOT allowed.

    Hide schedule attribute Show schedule attribute object
    • interval string Required

      The interval is specified in seconds, minutes, hours, or days.

  • tags array[string]

    The tags for the rule.

    Default value is [] (empty).

  • throttle string | null

    Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

  • params object

    The parameters for the rule.

    Any of:
    Hide attributes Show attributes

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • Additional properties are allowed.

    • Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • Total number of alerts created during last rule run.

            • Total number of alerts detected during last rule run.

            • Total time spent indexing documents during last rule run in milliseconds.

            • Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • Relative URL to view rule in the app.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates that the rule id is already in use.

POST /api/alerting/rule/{id}
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'
Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Kibana query language (KQL).
{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}
Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}
Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}
The response for successfully creating an index threshold rule.
{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}
The response for successfully creating a tracking containment rule.
{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Delete a rule

DELETE /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id}
curl \
 --request DELETE https://localhost:5601/api/alerting/rule/{id} \
 --header "kbn-xsrf: true"

Disable a rule

POST /api/alerting/rule/{id}/_disable

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

application/json

Body

  • untrack boolean

    Defines whether this rule's alerts should be untracked.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "untrack": true
}








Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
 --header "kbn-xsrf: true"





























Get agent name for service

GET /api/apm/settings/agent-configuration/agent_name

Retrieve agentName for a service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/agent_name
curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "agentName": "nodejs"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get environments for service

GET /api/apm/settings/agent-configuration/environments

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • environments array[object]

      Service environment list

      Hide environments attributes Show environments attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/environments
curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/environments \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "environments": [
    {
      "alreadyConfigured": true,
      "name": "ALL_OPTION_VALUE"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Lookup single agent configuration

POST /api/apm/settings/agent-configuration/search

This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • etag string

    If etags match then applied_by_agent field will be set to true

  • markAsAppliedByAgent=true means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags

  • service object Required

    Service

    Additional properties are allowed.

    Hide service attributes Show service attributes object

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _id string

      Identifier

    • _index string

      Index

    • _score number

      Score

    • _source object

      Agent configuration

      Additional properties are allowed.

      Hide _source attributes Show _source attributes object
      • @timestamp number Required

        Timestamp

      • Agent name

      • Applied by agent

      • etag string Required

        Etag

      • service object Required

        Service

        Additional properties are allowed.

        Hide service attributes Show service attributes object
      • settings object Required

        Agent configuration settings

        Hide settings attribute Show settings attribute object
        • * string Additional properties
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/settings/agent-configuration/search
curl \
 --request POST https://localhost:5601/api/apm/settings/agent-configuration/search \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "mark_as_applied_by_agent": true,
  "service": {
    "environment": "prod",
    "name": "node"
  }
}
Response examples (200)
{
  "_id": "string",
  "_index": "string",
  "_score": 42.0,
  "_source": {
    "@timestamp": 1730194190636,
    "agent_name": "string",
    "applied_by_agent": true,
    "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
    "service": {
      "environment": "prod",
      "name": "node"
    },
    "settings": {
      "additionalProperty1": "string",
      "additionalProperty2": "string"
    }
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}










Create a service annotation

POST /api/apm/services/{serviceName}/annotation

Create a new annotation for a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body Required

Responses

  • 200 application/json

    Annotation created successfully

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/services/{serviceName}/annotation
curl \
 --request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "@timestamp": "string",
  "message": "string",
  "service": {
    "environment": "string",
    "version": "string"
  },
  "tags": [
    "string"
  ]
}
Response examples (200)
{
  "_id": "string",
  "_index": "string",
  "_source": {
    "@timestamp": "string",
    "annotation": {
      "title": "string",
      "type": "string"
    },
    "event": {
      "created": "string"
    },
    "message": "string",
    "service": {
      "environment": "string",
      "name": "string",
      "version": "string"
    },
    "tags": [
      "string"
    ]
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}




APM server schema

Create APM fleet server schema.





APM sourcemaps

Configure APM source maps.














Create a case

POST /api/cases

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • assignees array[object] | null

    An array containing users that are assigned to the case.

    Not more than 10 elements.

    Hide assignees attribute Show assignees attribute object
    • uid string Required

      A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

  • category string

    A word or phrase that categorizes the case.

    Maximum length is 50.

  • connector object Required

    One of:

    Defines properties for connectors when type is .none.

    Hide attributes Show attributes
    • fields string | null Required

      An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

    • id string Required

      The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

    • name string Required

      The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

    • type string Required

      The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

      Value is .none.

  • customFields array[object]

    Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object
    • key string Required

      The unique identifier for the custom field. The key value must exist in the case configuration settings.

    • type string Required

      The custom field type. It must match the type specified in the case configuration settings.

      Values are text or toggle.

    • value string | null | boolean Required

      The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

      One of:

      Minimum length is 1, maximum length is 160.

  • description string Required

    The description for the case.

    Maximum length is 30000.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • settings object Required

    An object that contains the case settings.

    Additional properties are allowed.

    Hide settings attribute Show settings attribute object
    • syncAlerts boolean Required

      Turns alert syncing on or off.

  • severity string

    The severity of the case.

    Values are critical, high, low, or medium. Default value is low.

  • tags array[string] Required

    The words and phrases that help categorize cases. It can be an empty array.

    Not more than 200 elements. Maximum length of each is 256.

  • title string Required

    A title for the case.

    Maximum length is 160.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases
curl \
 --request POST https://localhost:5601/api/cases \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
Request example
{
  "tags": [
    "tag-1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "settings": {
    "syncAlerts": true
  },
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "description": "A case description.",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    }
  ]
}
Response examples (200)
{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "created_at": "2022-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 0,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Search cases

GET /api/cases/_find

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

  • assignees string | array[string]

    Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.

  • category string | array[string]

    Filters the returned cases by category.

  • he default operator to use for the simple_query_string.

    Default value is OR.

  • from string

    Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • reporters string | array[string]

    Filters the returned cases by the user name of the reporter.

  • searchFields string | array[string]

    The fields to perform the simple_query_string parsed query against.

  • severity string

    The severity of the case.

    Values are critical, high, low, or medium.

  • Determines which field is used to sort the results.

    Values are createdAt, updatedAt, closedAt, title, category, status, or severity. Default value is createdAt.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.

  • status string

    Filters the returned cases by state.

    Values are closed, in-progress, or open.

  • tags string | array[string]

    Filters the returned cases by tags.

  • to string

    Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • cases array[object]

      Not more than 10000 elements.

      Hide cases attributes Show cases attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string | null

        The case category.

      • closed_at string(date-time) | null Required
      • closed_by object | null Required

        Additional properties are allowed.

        Hide closed_by attributes Show closed_by attributes object | null
      • comments array[object] Required

        An array of comment objects for the case.

        Not more than 10000 elements.

        One of:
        Hide attributes Show attributes
      • connector object Required

        One of:

        Defines properties for connectors when type is .none.

        Hide attributes Show attributes
        • fields string | null Required

          An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

        • id string Required

          The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

        • name string Required

          The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

        • type string Required Discriminator

          The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

          Value is .none.

      • created_at string(date-time) Required
      • created_by object Required

        Additional properties are allowed.

        Hide created_by attributes Show created_by attributes object
      • customFields array[object]

        Custom field values for the case.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique identifier for the custom field. The key value must exist in the case configuration settings.

        • type string

          The custom field type. It must match the type specified in the case configuration settings.

          Values are text or toggle.

        • value string | null | boolean

          The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

          One of:

          Minimum length is 1, maximum length is 160.

      • description string Required
      • duration integer | null Required

        The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

      • external_service object | null Required

        Additional properties are allowed.

        Hide external_service attributes Show external_service attributes object | null
      • id string Required
      • owner string Required

        The application that owns the cases: Stack Management, Observability, or Elastic Security.

        Values are cases, observability, or securitySolution.

      • settings object Required

        An object that contains the case settings.

        Additional properties are allowed.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string Required

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • status string Required

        The status of the case.

        Values are closed, in-progress, or open.

      • tags array[string] Required
      • title string Required
      • totalAlerts integer Required
      • totalComment integer Required
      • updated_at string(date-time) | null Required
      • updated_by object | null Required

        Additional properties are allowed.

        Hide updated_by attributes Show updated_by attributes object | null
      • version string Required
    • page integer
    • per_page integer
    • total integer
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/_find
curl \
 --request GET https://localhost:5601/api/cases/_find
Response examples (200)
{
  "page": 1,
  "cases": [
    {
      "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "owner": "cases",
      "title": "Case title",
      "status": "open",
      "version": "WzExMCwxXQ==",
      "category": null,
      "comments": [],
      "duration": null,
      "settings": {
        "syncAlerts": true
      },
      "severity": "low",
      "assignees": [],
      "closed_at": null,
      "closed_by": null,
      "connector": {
        "id": "none",
        "name": "none",
        "type": ".none",
        "fields": null
      },
      "created_at": "2023-10-12T00:16:36.371Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-12T00:27:58.162Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "description": "Case description",
      "totalAlerts": 0,
      "customFields": [
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My field value"
        },
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": null
        }
      ],
      "totalComment": 1,
      "external_service": null
    }
  ],
  "total": 1,
  "per_page": 5,
  "count_open_cases": 1,
  "count_closed_cases": 0,
  "count_in_progress_cases": 0
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}




































Attach a file to a case

POST /api/cases/{caseId}/files

Attach a file to a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:

  • The Content-Type: multipart/form-data HTTP header.
  • The location of the file that is being uploaded.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

multipart/form-data

Body Required

  • file string(binary) Required

    The file being attached to the case.

  • filename string

    The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. This should not include the file extension.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/files
curl \
 --request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files \
 --header "Content-Type: multipart/form-data" \
 --header "kbn-xsrf: string" \
 --form "file=@file" \
 --form "filename=string"
Response examples (200)
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}












Add case settings

POST /api/cases/configure

Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body

  • closure_type string Required

    Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • connector object Required

    An object that contains the connector configuration.

    Additional properties are allowed.

    Hide connector attributes Show connector attributes object
    • fields object | null Required

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      Additional properties are allowed.

    • id string Required

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string Required

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string Required

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • customFields array[object]

    Custom fields case configuration.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object
    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

    • key string Required

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string Required

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string Required

      The type of the custom field.

      Values are text or toggle.

    • required boolean Required

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object
    • Additional properties are allowed.

      Hide caseFields attributes Show caseFields attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • Additional properties are allowed.

        Hide connector attributes Show connector attributes object
        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          Additional properties are allowed.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Additional properties are allowed.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • Additional properties are allowed.

      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        Additional properties are allowed.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object
      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • Additional properties are allowed.

        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • Additional properties are allowed.

          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

            Additional properties are allowed.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        • The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Additional properties are allowed.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/configure
curl \
 --request POST https://localhost:5601/api/cases/configure \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"owner":"cases","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"templates":[{"key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"],"caseFields":{"tags":["Default case tag"],"title":"Default case title","category":"Default-category","assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"description":"A default description for cases.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}]},"description":"A description of the template."}],"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":false,"defaultValue":"My custom field default value."}]}'
Request example
{
  "owner": "cases",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}
Response examples (200)
{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzIwNzMsMV0=",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": "null,",
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}




Get case connectors

GET /api/cases/configure/connectors/_find

Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

Responses

GET /api/cases/configure/connectors/_find
curl \
 --request GET https://localhost:5601/api/cases/configure/connectors/_find
Response examples (200)
[
  {
    "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "name": "my-Jira",
    "config": {
      "apiUrl": "https://elastic.atlassian.net/",
      "projectKey": "ES"
    },
    "actionTypeId": ".jira",
    "isDeprecated": false,
    "isPreconfigured": false,
    "isMissingSecrets": false,
    "referencedByCount": 0
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}









Get connector types

GET /api/actions/connector_types

You do not need any Kibana feature privileges to run this API.

Query parameters

  • A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/actions/connector_types
curl \
 --request GET https://localhost:5601/api/actions/connector_types
Response examples (200)
[
  {
    "id": ".gen-ai",
    "name": "OpenAI",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".bedrock",
    "name": "AWS Bedrock",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".gemini",
    "name": "Google Gemini",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity"
    ],
    "minimum_license_required": "enterprise"
  }
]
















Run a connector

POST /api/actions/connector/{id}/_execute

You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json

Body

  • params object Required

    One of:

    Test an action that acknowledges or resolves a PagerDuty alert.

    Hide attributes Show attributes
    • dedupKey string Required

      The deduplication key for the PagerDuty alert.

      Maximum length is 255.

    • eventAction string Required

      The type of event.

      Values are acknowledge or resolve.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.

POST /api/actions/connector/{id}/_execute
curl \
 --request POST https://localhost:5601/api/actions/connector/{id}/_execute \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}'
{
  "params": {
    "documents": [
      {
        "id": "my_doc_id",
        "name": "my_doc_name",
        "message": "hello, world"
      }
    ]
  }
}
{
  "params": {
    "subAction": "issueTypes"
  }
}
{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [
        "severity",
        "urgency"
      ]
    }
  }
}
{
  "params": {
    "subAction": "postMessage",
    "subActionParams": {
      "text": "A test message.",
      "channelIds": [
        "C123ABC456"
      ]
    }
  }
}
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "comment": "A comment about the incident.",
          "commentId": 1
        }
      ],
      "incident": {
        "caseId": "1000",
        "caseName": "Case name",
        "description": "Description of the incident."
      }
    }
  }
}
{
  "data": {
    "took": 135,
    "items": [
      {
        "create": {
          "_id": "4JtvwYUBrcyxt2NnfW3y",
          "_index": "my-index",
          "result": "created",
          "status": 201,
          "_seq_no": 0,
          "_shards": {
            "total": 2,
            "failed": 0,
            "successful": 1
          },
          "_version": 1,
          "_primary_term": 1
        }
      }
    ],
    "errors": false
  },
  "status": "ok",
  "connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}
{
  "data": [
    {
      "id": 10024,
      "name": "Improvement"
    },
    {
      "id": 10006,
      "name": "Task"
    },
    {
      "id": 10007,
      "name": "Sub-task"
    },
    {
      "id": 10025,
      "name": "New Feature"
    },
    {
      "id": 10023,
      "name": "Bug"
    },
    {
      "id": 10000,
      "name": "Epic"
    }
  ],
  "status": "ok",
  "connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}
{
  "status": "ok",
  "connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}
{
  "data": [
    {
      "label": "Critical",
      "value": 1,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Major",
      "value": 2,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Minor",
      "value": 3,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Warning",
      "value": 4,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "OK",
      "value": 5,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Clear",
      "value": 0,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "1 - High",
      "value": 1,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "2 - Medium",
      "value": 2,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "3 - Low",
      "value": 3,
      "element": "urgency",
      "dependent_value": ""
    }
  ],
  "status": "ok",
  "connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}
{
  "data": {
    "ok": true,
    "ts": "1234567890.123456",
    "channel": "C123ABC456",
    "message": {
      "ts": "1234567890.123456",
      "team": "T01ABCDE2F",
      "text": "A test message",
      "type": "message",
      "user": "U12A345BC6D",
      "app_id": "A01BC2D34EF",
      "blocks": [
        {
          "type": "rich_text",
          "block_id": "/NXe",
          "elements": [
            {
              "type": "rich_text_section",
              "elements": [
                {
                  "text": "A test message.",
                  "type": "text"
                }
              ]
            }
          ]
        }
      ],
      "bot_id": "B12BCDEFGHI",
      "bot_profile": {
        "id": "B12BCDEFGHI",
        "name": "test",
        "icons": {
          "image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
        },
        "app_id": "A01BC2D34EF",
        "deleted": false,
        "team_id": "T01ABCDE2F",
        "updated": 1672169705
      }
    }
  },
  "status": "ok",
  "connector_id": ".slack_api"
}
{
  "data": {
    "id": "aKPmBHWzmdRQtx6Mx",
    "url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
    "title": "TEST-457",
    "comments": [
      {
        "commentId": 1,
        "pushedDate": "2022-09-08T16:52:27.865Z"
      }
    ],
    "pushedDate": "2022-09-08T16:52:27.866Z"
  },
  "status": "ok",
  "connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}








Get a dashboard Technical Preview

GET /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Path parameters

  • id string Required

    A unique identifier for the dashboard.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • Show apply selections button in controls.

            Default value is true.

          • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • Ignore global filters in controls.

              Default value is false.

            • Ignore the global query bar in controls.

              Default value is false.

            • Ignore the global time range in controls.

              Default value is false.

            • Ignore validations in controls.

              Default value is false.

          • Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • A short description.

          Default value is empty.

        • A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]
              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • version string
    • meta object Required

      Additional properties are NOT allowed.

      Hide meta attributes Show meta attributes object
GET /api/dashboards/dashboard/{id}
curl \
 --request GET https://localhost:5601/api/dashboards/dashboard/{id}
Response examples (200)
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  },
  "meta": {
    "aliasPurpose": "savedObjectConversion",
    "aliasTargetId": "string",
    "outcome": "exactMatch"
  }
}








Delete a dashboard Technical Preview

DELETE /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

DELETE /api/dashboards/dashboard/{id}
curl \
 --request DELETE https://localhost:5601/api/dashboards/dashboard/{id} \
 --header "kbn-xsrf: true"


















































Delete a runtime field from a data view

DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

Responses

  • Indicates a successful call.

  • 404 application/json

    Object is not found.

    Hide response attributes Show response attributes object
DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
 --request DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
Response examples (404)
{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Get the default data view

GET /api/data_views/default

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views/default
curl \
 --request GET https://localhost:5601/api/data_views/default
Response examples (200)
{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Set the default data view

POST /api/data_views/default

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • data_view_id string | null Required

    The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use null to unset the default data view.

  • force boolean

    Update an existing default data view identifier.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/default
curl \
 --request POST https://localhost:5601/api/data_views/default \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"force":true,"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f"}'
Request example
{
  "force": true,
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
Response examples (200)
{
  "acknowledged": true
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}




















Unenroll an agent

POST /api/fleet/agents/{agentId}/unenroll

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

POST /api/fleet/agents/{agentId}/unenroll
curl \
 --request POST https://localhost:5601/api/fleet/agents/{agentId}/unenroll \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"revoke":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "revoke": true
}




Get an agent action status

GET /api/fleet/agents/action_status

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

Responses

GET /api/fleet/agents/action_status
curl \
 --request GET https://localhost:5601/api/fleet/agents/action_status
Response examples (200)
{
  "items": [
    {
      "actionId": "string",
      "cancellationTime": "string",
      "completionTime": "string",
      "creationTime": "string",
      "expiration": "string",
      "hasRolloutPeriod": true,
      "latestErrors": [
        {
          "agentId": "string",
          "error": "string",
          "hostname": "string",
          "timestamp": "string"
        }
      ],
      "nbAgentsAck": 42.0,
      "nbAgentsActionCreated": 42.0,
      "nbAgentsActioned": 42.0,
      "nbAgentsFailed": 42.0,
      "newPolicyId": "string",
      "policyId": "string",
      "revision": 42.0,
      "startTime": "string",
      "status": "COMPLETE",
      "type": "UPGRADE",
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
















Bulk update agent tags

POST /api/fleet/agents/bulk_update_agent_tags

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/agents/bulk_update_agent_tags
curl \
 --request POST https://localhost:5601/api/fleet/agents/bulk_update_agent_tags \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"tagsToAdd":["string"],"tagsToRemove":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "includeInactive": false,
  "tagsToAdd": [
    "string"
  ],
  "tagsToRemove": [
    "string"
  ]
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}













Get an agent binary download source

GET /api/fleet/agent_download_sources/{sourceId}

Get an agent binary download source by ID.

[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-settings-read].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • host string(uri) Required
      • id string Required
      • is_default boolean

        Default value is false.

      • name string Required
      • proxy_id string | null

        The ID of the proxy to use for this download source. See the proxies API for more information.

  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agent_download_sources/{sourceId}
curl \
 --request GET https://localhost:5601/api/fleet/agent_download_sources/{sourceId}
Response examples (200)
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





























Copy an agent policy

POST /api/fleet/agent_policies/{agentPolicyId}/copy

Copy an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body

Responses

POST /api/fleet/agent_policies/{agentPolicyId}/copy
curl \
 --request POST https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/copy \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","name":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "name": "string"
}
Response examples (200)
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agentless": {
      "resources": {
        "requests": {
          "cpu": "string",
          "memory": "string"
        }
      }
    },
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "required_versions": [
      {
        "percentage": 42.0,
        "version": "string"
      }
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}








Get outputs for an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/outputs

Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • data object Required

        Additional properties are NOT allowed.

        Hide data attributes Show data attributes object
      • monitoring object Required

        Additional properties are NOT allowed.

        Hide monitoring attribute Show monitoring attribute object
        • output object Required

          Additional properties are NOT allowed.

          Hide output attributes Show output attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agent_policies/{agentPolicyId}/outputs
curl \
 --request GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/outputs
Response examples (200)
{
  "item": {
    "agentPolicyId": "string",
    "data": {
      "integrations": [
        {
          "id": "string",
          "integrationPolicyName": "string",
          "name": "string",
          "pkgName": "string"
        }
      ],
      "output": {
        "id": "string",
        "name": "string"
      }
    },
    "monitoring": {
      "output": {
        "id": "string",
        "name": "string"
      }
    }
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an agent policy

POST /api/fleet/agent_policies/delete

Delete an agent policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_policies/delete
curl \
 --request POST https://localhost:5601/api/fleet/agent_policies/delete \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agentPolicyId":"string","force":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agentPolicyId": "string",
  "force": true
}
Response examples (200)
{
  "id": "string",
  "name": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get outputs for agent policies

POST /api/fleet/agent_policies/outputs

Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-read, fleet-settings-read].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • ids array[string] Required

    list of package policy ids

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • data object Required

        Additional properties are NOT allowed.

        Hide data attributes Show data attributes object
      • monitoring object Required

        Additional properties are NOT allowed.

        Hide monitoring attribute Show monitoring attribute object
        • output object Required

          Additional properties are NOT allowed.

          Hide output attributes Show output attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_policies/outputs
curl \
 --request POST https://localhost:5601/api/fleet/agent_policies/outputs \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"ids":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "ids": [
    "string"
  ]
}
Response examples (200)
{
  "items": [
    {
      "agentPolicyId": "string",
      "data": {
        "integrations": [
          {
            "id": "string",
            "integrationPolicyName": "string",
            "name": "string",
            "pkgName": "string"
          }
        ],
        "output": {
          "id": "string",
          "name": "string"
        }
      },
      "monitoring": {
        "output": {
          "id": "string",
          "name": "string"
        }
      }
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}


















Get agents

GET /api/fleet/agents

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

Responses

GET /api/fleet/agents
curl \
 --request GET https://localhost:5601/api/fleet/agents
Response examples (200)
{
  "items": [
    {
      "access_api_key": "string",
      "access_api_key_id": "string",
      "active": true,
      "agent": {
        "id": "string",
        "version": "string"
      },
      "audit_unenrolled_reason": "string",
      "components": [
        {
          "id": "string",
          "message": "string",
          "status": "STARTING",
          "type": "string",
          "units": [
            {
              "id": "string",
              "message": "string",
              "payload": {},
              "status": "STARTING",
              "type": "input"
            }
          ]
        }
      ],
      "default_api_key": "string",
      "default_api_key_history": [
        {
          "id": "string",
          "retired_at": "string"
        }
      ],
      "default_api_key_id": "string",
      "enrolled_at": "string",
      "id": "string",
      "last_checkin": "string",
      "last_checkin_message": "string",
      "last_checkin_status": "error",
      "local_metadata": {},
      "metrics": {
        "cpu_avg": 42.0,
        "memory_size_byte_avg": 42.0
      },
      "namespaces": [
        "string"
      ],
      "outputs": {
        "additionalProperty1": {
          "api_key_id": "string",
          "to_retire_api_key_ids": [
            {
              "id": "string",
              "retired_at": "string"
            }
          ],
          "type": "string"
        },
        "additionalProperty2": {
          "api_key_id": "string",
          "to_retire_api_key_ids": [
            {
              "id": "string",
              "retired_at": "string"
            }
          ],
          "type": "string"
        }
      },
      "packages": [
        "string"
      ],
      "policy_id": "string",
      "policy_revision": 42.0,
      "sort": [
        42.0
      ],
      "status": "offline",
      "tags": [
        "string"
      ],
      "type": "PERMANENT",
      "unenrolled_at": "string",
      "unenrollment_started_at": "string",
      "unhealthy_reason": [
        "input"
      ],
      "upgrade_details": {
        "action_id": "string",
        "metadata": {
          "download_percent": 42.0,
          "download_rate": 42.0,
          "error_msg": "string",
          "failed_state": "UPG_REQUESTED",
          "retry_error_msg": "string",
          "retry_until": "string",
          "scheduled_at": "string"
        },
        "state": "UPG_REQUESTED",
        "target_version": "string"
      },
      "upgrade_started_at": "string",
      "upgraded_at": "string",
      "user_provided_metadata": {}
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "statusSummary": {
    "additionalProperty1": 42.0,
    "additionalProperty2": 42.0
  },
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agents by action ids

POST /api/fleet/agents

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agents
curl \
 --request POST https://localhost:5601/api/fleet/agents \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"actionIds":["string"]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "actionIds": [
    "string"
  ]
}
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent

GET /api/fleet/agents/{agentId}

Get an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Query parameters

Responses

GET /api/fleet/agents/{agentId}
curl \
 --request GET https://localhost:5601/api/fleet/agents/{agentId}
Response examples (200)
{
  "item": {
    "access_api_key": "string",
    "access_api_key_id": "string",
    "active": true,
    "agent": {
      "id": "string",
      "version": "string"
    },
    "audit_unenrolled_reason": "string",
    "components": [
      {
        "id": "string",
        "message": "string",
        "status": "STARTING",
        "type": "string",
        "units": [
          {
            "id": "string",
            "message": "string",
            "payload": {},
            "status": "STARTING",
            "type": "input"
          }
        ]
      }
    ],
    "default_api_key": "string",
    "default_api_key_history": [
      {
        "id": "string",
        "retired_at": "string"
      }
    ],
    "default_api_key_id": "string",
    "enrolled_at": "string",
    "id": "string",
    "last_checkin": "string",
    "last_checkin_message": "string",
    "last_checkin_status": "error",
    "local_metadata": {},
    "metrics": {
      "cpu_avg": 42.0,
      "memory_size_byte_avg": 42.0
    },
    "namespaces": [
      "string"
    ],
    "outputs": {
      "additionalProperty1": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      },
      "additionalProperty2": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      }
    },
    "packages": [
      "string"
    ],
    "policy_id": "string",
    "policy_revision": 42.0,
    "sort": [
      42.0
    ],
    "status": "offline",
    "tags": [
      "string"
    ],
    "type": "PERMANENT",
    "unenrolled_at": "string",
    "unenrollment_started_at": "string",
    "unhealthy_reason": [
      "input"
    ],
    "upgrade_details": {
      "action_id": "string",
      "metadata": {
        "download_percent": 42.0,
        "download_rate": 42.0,
        "error_msg": "string",
        "failed_state": "UPG_REQUESTED",
        "retry_error_msg": "string",
        "retry_until": "string",
        "scheduled_at": "string"
      },
      "state": "UPG_REQUESTED",
      "target_version": "string"
    },
    "upgrade_started_at": "string",
    "upgraded_at": "string",
    "user_provided_metadata": {}
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update an agent

PUT /api/fleet/agents/{agentId}

Update an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/agents/{agentId}
curl \
 --request PUT https://localhost:5601/api/fleet/agents/{agentId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"tags":["string"],"user_provided_metadata":{}}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "tags": [
    "string"
  ],
  "user_provided_metadata": {}
}
Response examples (200)
{
  "item": {
    "access_api_key": "string",
    "access_api_key_id": "string",
    "active": true,
    "agent": {
      "id": "string",
      "version": "string"
    },
    "audit_unenrolled_reason": "string",
    "components": [
      {
        "id": "string",
        "message": "string",
        "status": "STARTING",
        "type": "string",
        "units": [
          {
            "id": "string",
            "message": "string",
            "payload": {},
            "status": "STARTING",
            "type": "input"
          }
        ]
      }
    ],
    "default_api_key": "string",
    "default_api_key_history": [
      {
        "id": "string",
        "retired_at": "string"
      }
    ],
    "default_api_key_id": "string",
    "enrolled_at": "string",
    "id": "string",
    "last_checkin": "string",
    "last_checkin_message": "string",
    "last_checkin_status": "error",
    "local_metadata": {},
    "metrics": {
      "cpu_avg": 42.0,
      "memory_size_byte_avg": 42.0
    },
    "namespaces": [
      "string"
    ],
    "outputs": {
      "additionalProperty1": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      },
      "additionalProperty2": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      }
    },
    "packages": [
      "string"
    ],
    "policy_id": "string",
    "policy_revision": 42.0,
    "sort": [
      42.0
    ],
    "status": "offline",
    "tags": [
      "string"
    ],
    "type": "PERMANENT",
    "unenrolled_at": "string",
    "unenrollment_started_at": "string",
    "unhealthy_reason": [
      "input"
    ],
    "upgrade_details": {
      "action_id": "string",
      "metadata": {
        "download_percent": 42.0,
        "download_rate": 42.0,
        "error_msg": "string",
        "failed_state": "UPG_REQUESTED",
        "retry_error_msg": "string",
        "retry_until": "string",
        "scheduled_at": "string"
      },
      "state": "UPG_REQUESTED",
      "target_version": "string"
    },
    "upgrade_started_at": "string",
    "upgraded_at": "string",
    "user_provided_metadata": {}
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an agent

DELETE /api/fleet/agents/{agentId}

Delete an agent by ID.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • action string Required

      Value is deleted.

  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/agents/{agentId}
curl \
 --request DELETE https://localhost:5601/api/fleet/agents/{agentId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "action": "deleted"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Get an uploaded file

GET /api/fleet/agents/files/{fileId}/{fileName}

Get a file uploaded by an agent.

[Required authorization] Route required privileges: ALL of [fleet-agents-read].

Path parameters

Responses

  • 200 application/json

    Additional properties are allowed.

  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/agents/files/{fileId}/{fileName}
curl \
 --request GET https://localhost:5601/api/fleet/agents/files/{fileId}/{fileName}
Response examples (200)
{}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Initiate agent setup

POST /api/fleet/agents/setup

[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

POST /api/fleet/agents/setup
curl \
 --request POST https://localhost:5601/api/fleet/agents/setup \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "isInitialized": true,
  "nonFatalErrors": [
    {
      "message": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





Bulk get assets

POST /api/fleet/epm/bulk_assets

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • assetIds array[object] Required
    Hide assetIds attributes Show assetIds attributes object

Responses

POST /api/fleet/epm/bulk_assets
curl \
 --request POST https://localhost:5601/api/fleet/epm/bulk_assets \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"assetIds":[{"id":"string","type":"string"}]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "assetIds": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}
Response examples (200)
{
  "items": [
    {
      "appLink": "string",
      "attributes": {
        "description": "string",
        "service": "string",
        "title": "string"
      },
      "id": "string",
      "type": "string",
      "updatedAt": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Create a custom integration

POST /api/fleet/epm/custom_integrations

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • datasets array[object] Required
    Hide datasets attributes Show datasets attributes object
    • name string Required
    • type string Required

      Values are logs, metrics, traces, synthetics, or profiling.

  • force boolean
  • integrationName string Required

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • _meta object Required

      Additional properties are NOT allowed.

      Hide _meta attribute Show _meta attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/epm/custom_integrations
curl \
 --request POST https://localhost:5601/api/fleet/epm/custom_integrations \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"datasets":[{"name":"string","type":"logs"}],"force":true,"integrationName":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "datasets": [
    {
      "name": "string",
      "type": "logs"
    }
  ],
  "force": true,
  "integrationName": "string"
}
Response examples (200)
{
  "_meta": {
    "install_source": "string"
  },
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get packages

GET /api/fleet/epm/packages

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

GET /api/fleet/epm/packages
curl \
 --request GET https://localhost:5601/api/fleet/epm/packages
Response examples (200)
{
  "items": [
    {
      "categories": [
        "string"
      ],
      "conditions": {
        "elastic": {
          "capabilities": [
            "string"
          ],
          "subscription": "string"
        },
        "kibana": {
          "version": "string"
        }
      },
      "data_streams": [
        {}
      ],
      "description": "string",
      "discovery": {
        "fields": [
          {
            "name": "string"
          }
        ]
      },
      "download": "string",
      "format_version": "string",
      "icons": [
        {
          "dark_mode": true,
          "path": "string",
          "size": "string",
          "src": "string",
          "title": "string",
          "type": "string"
        }
      ],
      "id": "string",
      "installationInfo": {
        "additional_spaces_installed_kibana": {
          "additionalProperty1": [
            {
              "id": "string",
              "originId": "string",
              "type": "dashboard"
            }
          ],
          "additionalProperty2": [
            {
              "id": "string",
              "originId": "string",
              "type": "dashboard"
            }
          ]
        },
        "created_at": "string",
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "install_format_schema_version": "string",
        "install_source": "registry",
        "install_status": "installed",
        "installed_es": [
          {
            "deferred": true,
            "id": "string",
            "type": "index",
            "version": "string"
          }
        ],
        "installed_kibana": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "installed_kibana_space_id": "string",
        "latest_executed_state": {
          "error": "string",
          "name": "string",
          "started_at": "string"
        },
        "latest_install_failed_attempts": [
          {
            "created_at": "string",
            "error": {
              "message": "string",
              "name": "string",
              "stack": "string"
            },
            "target_version": "string"
          }
        ],
        "name": "string",
        "namespaces": [
          "string"
        ],
        "type": "string",
        "updated_at": "string",
        "verification_key_id": "string",
        "verification_status": "unverified",
        "version": "string"
      },
      "integration": "string",
      "internal": true,
      "latestVersion": "string",
      "name": "string",
      "owner": {
        "github": "string",
        "type": "elastic"
      },
      "path": "string",
      "policy_templates": [
        {}
      ],
      "readme": "string",
      "release": "ga",
      "signature_path": "string",
      "source": {
        "license": "string"
      },
      "status": "string",
      "title": "string",
      "type": "integration",
      "vars": [
        {}
      ],
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Install a package by upload

POST /api/fleet/epm/packages

[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

application/gzip; application/zip

Body

string(binary) string(binary)

Responses

  • 200 application/gzip; application/zip
    Hide response attributes Show response attributes object
    • _meta object Required

      Additional properties are NOT allowed.

      Hide _meta attribute Show _meta attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/gzip; application/zip
    Hide response attributes Show response attributes object
POST /api/fleet/epm/packages
curl \
 --request POST https://localhost:5601/api/fleet/epm/packages \
 --header "Content-Type: application/gzip; application/zip" \
 --header "kbn-xsrf: true" \
 --data-binary '@file'
































Get installed packages

GET /api/fleet/epm/packages/installed

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Query parameters

Responses

GET /api/fleet/epm/packages/installed
curl \
 --request GET https://localhost:5601/api/fleet/epm/packages/installed
Response examples (200)
{
  "items": [
    {
      "dataStreams": [
        {
          "name": "string",
          "title": "string"
        }
      ],
      "description": "string",
      "icons": [
        {
          "dark_mode": true,
          "path": "string",
          "size": "string",
          "src": "string",
          "title": "string",
          "type": "string"
        }
      ],
      "name": "string",
      "status": "string",
      "title": "string",
      "version": "string"
    }
  ],
  "searchAfter": [
    "string"
  ],
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a limited package list

GET /api/fleet/epm/packages/limited

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/epm/packages/limited
curl \
 --request GET https://localhost:5601/api/fleet/epm/packages/limited
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an inputs template

GET /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Path parameters

Query parameters

Responses

GET /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
curl \
 --request GET https://localhost:5601/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
Response examples (200)
string
{
  "inputs": [
    {
      "id": "string",
      "streams": [
        {
          "data_stream": {
            "dataset": "string",
            "type": "string"
          },
          "id": "string"
        }
      ],
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





Get enrollment API keys

GET /api/fleet/enrollment_api_keys

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-setup].

Query parameters

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

    • list array[object] Required Deprecated
      Hide list attributes Show list attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys
curl \
 --request GET https://localhost:5601/api/fleet/enrollment_api_keys
Response examples (200)
{
  "items": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "list": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





















Get settings

GET /api/fleet/settings

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Responses

GET /api/fleet/settings
curl \
 --request GET https://localhost:5601/api/fleet/settings
Response examples (200)
{
  "item": {
    "delete_unenrolled_agents": {
      "enabled": true,
      "is_preconfigured": true
    },
    "has_seen_add_data_notice": true,
    "id": "string",
    "output_secret_storage_requirements_met": true,
    "preconfigured_fields": [
      "fleet_server_hosts"
    ],
    "prerelease_integrations_enabled": true,
    "secret_storage_requirements_met": true,
    "use_space_awareness_migration_started_at": "string",
    "use_space_awareness_migration_status": "pending",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "message": "string"
}




Initiate Fleet setup

POST /api/fleet/setup

[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
  • 500 application/json
    Hide response attribute Show response attribute object
POST /api/fleet/setup
curl \
 --request POST https://localhost:5601/api/fleet/setup \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "isInitialized": true,
  "nonFatalErrors": [
    {
      "message": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (500)
{
  "message": "string"
}













Get output

GET /api/fleet/outputs/{outputId}

Get output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-read OR fleet-agent-policies-read].

Responses

GET /api/fleet/outputs/{outputId}
curl \
 --request GET https://localhost:5601/api/fleet/outputs/{outputId}
Response examples (200)
{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update output

PUT /api/fleet/outputs/{outputId}

Update output by ID.

[Required authorization] Route required privileges: ANY of [fleet-settings-all OR fleet-agent-policies-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body object

Any of:

Responses

PUT /api/fleet/outputs/{outputId}
curl \
 --request PUT https://localhost:5601/api/fleet/outputs/{outputId} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"allow_edit":["string"],"ca_sha256":"string","ca_trusted_fingerprint":"string","config_yaml":"string","hosts":["https://example.com"],"id":"string","is_default":true,"is_default_monitoring":true,"is_internal":true,"is_preconfigured":true,"name":"string","preset":"balanced","proxy_id":"string","shipper":{"compression_level":42.0,"disk_queue_compression_enabled":true,"disk_queue_enabled":false,"disk_queue_encryption_enabled":true,"disk_queue_max_size":42.0,"disk_queue_path":"string","loadbalance":true,"max_batch_bytes":42.0,"mem_queue_events":42.0,"queue_flush_timeout":42.0},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string","verification_mode":"full"},"type":"elasticsearch"}'
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "kibana_api_key": "string",
  "kibana_url": "string",
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "kibana_api_key": {
      "id": "string"
    },
    "service_token": {
      "id": "string"
    }
  },
  "service_token": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "sync_integrations": true,
  "type": "remote_elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "logstash"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "auth_type": "none",
  "broker_timeout": 42.0,
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "client_id": "string",
  "compression": "gzip",
  "compression_level": [],
  "config_yaml": "string",
  "connection_type": [],
  "hash": {
    "hash": "string",
    "random": true
  },
  "headers": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "key": "string",
  "name": "string",
  "partition": "random",
  "password": [],
  "proxy_id": "string",
  "random": {
    "group_events": 42.0
  },
  "required_acks": 1,
  "round_robin": {
    "group_events": 42.0
  },
  "sasl": {
    "mechanism": "PLAIN"
  },
  "secrets": {
    "password": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "timeout": 42.0,
  "topic": "string",
  "type": "kafka",
  "username": [],
  "version": "string"
}
Response examples (200)
{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Get the latest output health

GET /api/fleet/outputs/{outputId}/health

[Required authorization] Route required privileges: ALL of [fleet-settings-read].

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • message string Required

      long message if unhealthy

    • state string Required

      state of output, HEALTHY or DEGRADED

    • timestamp string Required

      timestamp of reported state

  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/outputs/{outputId}/health
curl \
 --request GET https://localhost:5601/api/fleet/outputs/{outputId}/health
Response examples (200)
{
  "message": "string",
  "state": "string",
  "timestamp": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Create a package policy

POST /api/fleet/package_policies

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body object

You should use inputs as an object and not use the deprecated inputs array.

Any of:
  • Package policy description

  • enabled boolean
  • force boolean

    Force package policy creation even if package is not verified, or if the agent policy is managed.

  • id string

    Package policy unique identifier

  • inputs array[object] Required
    Hide inputs attributes Show inputs attributes object
    • config object

      Package variable (see integration documentation for more information)

      Hide config attribute Show config attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
    • enabled boolean Required
    • id string
    • streams array[object]
      Hide streams attributes Show streams attributes object
      • config object

        Package variable (see integration documentation for more information)

        Hide config attribute Show config attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • data_stream object Required

        Additional properties are NOT allowed.

        Hide data_stream attributes Show data_stream attributes object
      • enabled boolean Required
      • id string
      • release string

        Values are ga, beta, or experimental.

      • vars object

        Package variable (see integration documentation for more information)

        Hide vars attribute Show vars attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
    • type string Required
    • vars object

      Package variable (see integration documentation for more information)

      Hide vars attribute Show vars attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
  • is_managed boolean
  • name string Required

    Package policy name (should be unique)

  • The package policy namespace. Leave blank to inherit the agent policy's namespace.

  • output_id string | null
  • overrides object | null

    Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

    Additional properties are NOT allowed.

    Hide overrides attribute Show overrides attribute object | null
    • inputs object

      Additional properties are allowed.

  • package object

    Additional properties are NOT allowed.

    Hide package attributes Show package attributes object
  • policy_id string | null Deprecated

    Agent policy ID where that package policy will be added

  • policy_ids array[string]

    Agent policy IDs where that package policy will be added

  • supports_agentless boolean | null

    Indicates whether the package policy belongs to an agentless agent policy.

    Default value is false.

  • vars object

    Package variable (see integration documentation for more information)

    Hide vars attribute Show vars attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 409 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/package_policies
curl \
 --request POST https://localhost:5601/api/fleet/package_policies \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"description":"string","enabled":true,"force":true,"id":"string","inputs":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"enabled":true,"id":"string","keep_enabled":true,"policy_template":"string","streams":[{"config":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}},"data_stream":{"dataset":"string","elasticsearch":{"dynamic_dataset":true,"dynamic_namespace":true,"privileges":{"indices":["string"]}},"type":"string"},"enabled":true,"id":"string","keep_enabled":true,"release":"ga","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"type":"string","vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}],"is_managed":true,"name":"string","namespace":"string","output_id":"string","overrides":{"inputs":{}},"package":{"experimental_data_stream_features":[{"data_stream":"string","features":{"doc_value_only_numeric":true,"doc_value_only_other":true,"synthetic_source":true,"tsdb":true}}],"name":"string","requires_root":true,"title":"string","version":"string"},"policy_id":"string","policy_ids":["string"],"supports_agentless":false,"vars":{"additionalProperty1":{"frozen":true,"type":"string"},"additionalProperty2":{"frozen":true,"type":"string"}}}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "enabled": true,
  "force": true,
  "id": "string",
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  }
}
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (409)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk get package policies

POST /api/fleet/package_policies/_bulk_get

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json

Body

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 404 application/json
    Hide response attribute Show response attribute object
POST /api/fleet/package_policies/_bulk_get
curl \
 --request POST https://localhost:5601/api/fleet/package_policies/_bulk_get \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"ids":["string"],"ignoreMissing":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "ids": [
    "string"
  ],
  "ignoreMissing": true
}
Response examples (200)
{
  "items": [
    {
      "agents": 42.0,
      "created_at": "string",
      "created_by": "string",
      "description": "string",
      "elasticsearch": {
        "privileges": {
          "cluster": [
            "string"
          ]
        }
      },
      "enabled": true,
      "id": "string",
      "inputs": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "policy_template": "string",
          "streams": [
            {
              "config": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              },
              "data_stream": {
                "dataset": "string",
                "elasticsearch": {
                  "dynamic_dataset": true,
                  "dynamic_namespace": true,
                  "privileges": {
                    "indices": [
                      "string"
                    ]
                  }
                },
                "type": "string"
              },
              "enabled": true,
              "id": "string",
              "keep_enabled": true,
              "release": "ga",
              "vars": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              }
            }
          ],
          "type": "string",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "is_managed": true,
      "name": "string",
      "namespace": "string",
      "output_id": "string",
      "overrides": {
        "inputs": {}
      },
      "package": {
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "name": "string",
        "requires_root": true,
        "title": "string",
        "version": "string"
      },
      "policy_id": "string",
      "policy_ids": [
        "string"
      ],
      "revision": 42.0,
      "secret_references": [
        {
          "id": "string"
        }
      ],
      "spaceIds": [
        "string"
      ],
      "supports_agentless": false,
      "updated_at": "string",
      "updated_by": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "message": "string"
}








Delete a package policy

DELETE /api/fleet/package_policies/{packagePolicyId}

Delete a package policy by ID.

[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/package_policies/{packagePolicyId}
curl \
 --request DELETE https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

















Create a proxy

POST /api/fleet/proxies

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/proxies
curl \
 --request POST https://localhost:5601/api/fleet/proxies \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","id":"string","is_preconfigured":false,"name":"string","proxy_headers":{},"url":"string"}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "certificate": "string",
  "certificate_authorities": "string",
  "certificate_key": "string",
  "id": "string",
  "is_preconfigured": false,
  "name": "string",
  "proxy_headers": {},
  "url": "string"
}
Response examples (200)
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}








Delete a proxy

DELETE /api/fleet/proxies/{itemId}

Delete a proxy by ID

[Required authorization] Route required privileges: ALL of [fleet-settings-all].

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json
    Hide response attributes Show response attributes object
DELETE /api/fleet/proxies/{itemId}
curl \
 --request DELETE https://localhost:5601/api/fleet/proxies/{itemId} \
 --header "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get Fleet Server hosts

GET /api/fleet/fleet_server_hosts

[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].

Responses

GET /api/fleet/fleet_server_hosts
curl \
 --request GET https://localhost:5601/api/fleet/fleet_server_hosts
Response examples (200)
{
  "items": [
    {
      "host_urls": [
        "string"
      ],
      "id": "string",
      "is_default": false,
      "is_internal": true,
      "is_preconfigured": false,
      "name": "string",
      "proxy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}






















Get metadata for latest uninstall tokens

GET /api/fleet/uninstall_tokens

List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: ALL of [fleet-agents-all].

Query parameters

  • policyId string

    Partial match filtering for policy IDs

    Maximum length is 50.

  • perPage number

    The number of items to return

    Minimum value is 5.

  • page number

    Minimum value is 1.

Responses

GET /api/fleet/uninstall_tokens
curl \
 --request GET https://localhost:5601/api/fleet/uninstall_tokens
Response examples (200)
{
  "items": [
    {
      "created_at": "string",
      "id": "string",
      "namespaces": [
        "string"
      ],
      "policy_id": "string",
      "policy_name": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}














Roles

Manage the roles that grant Elasticsearch and Kibana privileges.





Get a role

GET /api/security/role/{name}

Path parameters

  • name string Required

    The role name.

    Minimum length is 1.

Query parameters

  • If true and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/security/role/{name}
curl \
 --request GET https://localhost:5601/api/security/role/{name}
Response examples (200)
{
  "name": "my_kibana_role",
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.",
  "elasticsearch": {
    "run_as": [],
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "index1",
          "index2"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": false
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "monitor_enrich"
        ]
      }
    ],
    "remote_indices": [
      {
        "names": [
          "remote_index1",
          "remote_index2"
        ],
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "all"
        ],
        "allow_restricted_indices": false
      }
    ]
  },
  "_transform_error": [],
  "transient_metadata": {
    "enabled": true
  },
  "_unrecognized_applications": []
}

Create or update a role

PUT /api/security/role/{name}

Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • name string Required

    The role name.

    Minimum length is 1, maximum length is 1024.

Query parameters

  • createOnly boolean

    When true, a role is not overwritten if it already exists.

    Default value is false.

application/json

Body

  • A description for the role.

    Maximum length is 2048.

  • elasticsearch object Required

    Additional properties are NOT allowed.

    Hide elasticsearch attributes Show elasticsearch attributes object
    • cluster array[string]

      Cluster privileges that define the cluster level actions that users can perform.

    • indices array[object]
      Hide indices attributes Show indices attributes object
      • Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.

      • Hide field_security attribute Show field_security attribute object
        • * array[string] Additional properties

          The document fields that the role members have read access to.

      • names array[string] Required

        The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).

        At least 1 element.

      • privileges array[string] Required

        The index level privileges that the role members have for the data streams and indices.

        At least 1 element.

      • query string

        A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

    • remote_cluster array[object]
      Hide remote_cluster attributes Show remote_cluster attributes object
      • clusters array[string] Required

        A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

        At least 1 element.

      • privileges array[string] Required

        The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.

        At least 1 element.

    • remote_indices array[object]
      Hide remote_indices attributes Show remote_indices attributes object
      • Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.

      • clusters array[string] Required

        A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

        At least 1 element.

      • Hide field_security attribute Show field_security attribute object
        • * array[string] Additional properties

          The document fields that the role members have read access to.

      • names array[string] Required

        A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).

        At least 1 element.

      • privileges array[string] Required

        The index level privileges that role members have for the specified indices.

        At least 1 element.

      • query string

        A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

    • run_as array[string]

      A user name that the role member can impersonate.

  • kibana array[object]
    Hide kibana attributes Show kibana attributes object
  • metadata object

    Additional properties are allowed.

Responses

  • Indicates a successful call.

PUT /api/security/role/{name}
curl \
 --request PUT https://localhost:5601/api/security/role/{name} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"kibana":[{"base":[],"spaces":["default"],"feature":{"discover":["all"],"dashboard":["all"]}},{"base":["read"],"spaces":["marketing","sales"]}],"metadata":{"version":1},"description":"Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.","elasticsearch":{"cluster":[],"indices":[]}}'
Grant access to various features in some spaces.
{
  "kibana": [
    {
      "base": [],
      "spaces": [
        "default"
      ],
      "feature": {
        "discover": [
          "all"
        ],
        "dashboard": [
          "all"
        ]
      }
    },
    {
      "base": [
        "read"
      ],
      "spaces": [
        "marketing",
        "sales"
      ]
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.",
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant access to dashboard features in a Marketing space.
{
  "kibana": [
    {
      "base": [],
      "spaces": [
        "marketing"
      ],
      "feature": {
        "dashboard": [
          "read"
        ]
      }
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant dashboard access in the Marketing space.",
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant full access to all features in the default space.
{
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "elasticsearch": {
    "cluster": [],
    "indices": []
  }
}
Grant Elasticsearch and Kibana feature privileges.
{
  "kibana": [
    {
      "base": [
        "all"
      ],
      "spaces": [
        "default"
      ],
      "feature": {}
    }
  ],
  "metadata": {
    "version": 1
  },
  "description": "Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.",
  "elasticsearch": {
    "cluster": [
      "all"
    ],
    "indices": [
      {
        "names": [
          "index1",
          "index2"
        ],
        "privileges": [
          "all"
        ]
      }
    ],
    "remote_cluster": [
      {
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "monitor_enrich"
        ]
      }
    ],
    "remote_indices": [
      {
        "names": [
          "remote_index1",
          "remote_index2"
        ],
        "clusters": [
          "remote_cluster1"
        ],
        "privileges": [
          "all"
        ]
      }
    ]
  }
}




Create or update roles

POST /api/security/roles

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • roles object Required
    Hide roles attribute Show roles attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object
      • A description for the role.

        Maximum length is 2048.

      • elasticsearch object Required

        Additional properties are NOT allowed.

        Hide elasticsearch attributes Show elasticsearch attributes object
        • cluster array[string]

          Cluster privileges that define the cluster level actions that users can perform.

        • indices array[object]
          Hide indices attributes Show indices attributes object
          • Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.

          • Hide field_security attribute Show field_security attribute object
            • * array[string] Additional properties

              The document fields that the role members have read access to.

          • names array[string] Required

            The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).

            At least 1 element.

          • privileges array[string] Required

            The index level privileges that the role members have for the data streams and indices.

            At least 1 element.

          • query string

            A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

        • remote_cluster array[object]
          Hide remote_cluster attributes Show remote_cluster attributes object
          • clusters array[string] Required

            A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

            At least 1 element.

          • privileges array[string] Required

            The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.

            At least 1 element.

        • remote_indices array[object]
          Hide remote_indices attributes Show remote_indices attributes object
          • Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.

          • clusters array[string] Required

            A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.

            At least 1 element.

          • Hide field_security attribute Show field_security attribute object
            • * array[string] Additional properties

              The document fields that the role members have read access to.

          • names array[string] Required

            A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).

            At least 1 element.

          • privileges array[string] Required

            The index level privileges that role members have for the specified indices.

            At least 1 element.

          • query string

            A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.

        • run_as array[string]

          A user name that the role member can impersonate.

      • kibana array[object]
        Hide kibana attributes Show kibana attributes object
      • metadata object

        Additional properties are allowed.

Responses

  • Indicates a successful call.

POST /api/security/roles
curl \
 --request POST https://localhost:5601/api/security/roles \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"roles":{"additionalProperty1":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}},"additionalProperty2":{"description":"string","elasticsearch":{"cluster":["string"],"indices":[{"allow_restricted_indices":true,"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"remote_cluster":[{"clusters":["string"],"privileges":["string"]}],"remote_indices":[{"allow_restricted_indices":true,"clusters":["string"],"field_security":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"names":["string"],"privileges":["string"],"query":"string"}],"run_as":["string"]},"kibana":[{"base":[],"feature":{"additionalProperty1":["string"],"additionalProperty2":["string"]},"spaces":["*"]}],"metadata":{}}}}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "roles": {
    "additionalProperty1": {
      "description": "string",
      "elasticsearch": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "allow_restricted_indices": true,
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "remote_cluster": [
          {
            "clusters": [
              "string"
            ],
            "privileges": [
              "string"
            ]
          }
        ],
        "remote_indices": [
          {
            "allow_restricted_indices": true,
            "clusters": [
              "string"
            ],
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "run_as": [
          "string"
        ]
      },
      "kibana": [
        {
          "base": [],
          "feature": {
            "additionalProperty1": [
              "string"
            ],
            "additionalProperty2": [
              "string"
            ]
          },
          "spaces": [
            "*"
          ]
        }
      ],
      "metadata": {}
    },
    "additionalProperty2": {
      "description": "string",
      "elasticsearch": {
        "cluster": [
          "string"
        ],
        "indices": [
          {
            "allow_restricted_indices": true,
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "remote_cluster": [
          {
            "clusters": [
              "string"
            ],
            "privileges": [
              "string"
            ]
          }
        ],
        "remote_indices": [
          {
            "allow_restricted_indices": true,
            "clusters": [
              "string"
            ],
            "field_security": {
              "additionalProperty1": [
                "string"
              ],
              "additionalProperty2": [
                "string"
              ]
            },
            "names": [
              "string"
            ],
            "privileges": [
              "string"
            ],
            "query": "string"
          }
        ],
        "run_as": [
          "string"
        ]
      },
      "kibana": [
        {
          "base": [],
          "feature": {
            "additionalProperty1": [
              "string"
            ],
            "additionalProperty2": [
              "string"
            ]
          },
          "spaces": [
            "*"
          ]
        }
      ],
      "metadata": {}
    }
  }
}





Create saved objects Deprecated

POST /api/saved_objects/_bulk_create

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • overwrite boolean

    When true, overwrites the document with the same identifier.

application/json

Body Required

object object

Additional properties are allowed.

Responses

  • 200 application/json

    Indicates a successful call.

    Additional properties are allowed.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_create
curl \
 --request POST https://localhost:5601/api/saved_objects/_bulk_create \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'
Request examples
# Headers
kbn-xsrf: string

# Payload
[
  {}
]
Response examples (200)
{}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}




Get saved objects Deprecated

POST /api/saved_objects/_bulk_get

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

object object

Additional properties are allowed.

Responses

  • 200 application/json

    Indicates a successful call.

    Additional properties are allowed.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/saved_objects/_bulk_get
curl \
 --request POST https://localhost:5601/api/saved_objects/_bulk_get \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '[{}]'
Request examples
# Headers
kbn-xsrf: string

# Payload
[
  {}
]
Response examples (200)
{}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}












Search for saved objects Deprecated

GET /api/saved_objects/_find

Retrieve a paginated set of Kibana saved objects.

Query parameters

  • aggs string

    An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the savedObjectType.attributes.title: "myTitle" format must be used. For root fields, the syntax is savedObjectType.rootField. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.

  • The default operator to use for the simple_query_string.

  • fields string | array

    The fields to return in the attributes key of the response.

  • filter string

    The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: savedObjectType.attributes.title: "myTitle". However, if you use a root attribute of a saved object such as updated_at, you will have to define your filter like that: savedObjectType.updated_at > 2018-12-22.

  • Filters to objects that do not have a relationship with the type and identifier combination.

    Additional properties are allowed.

  • The operator to use for the has_no_reference parameter. Either OR or AND. Defaults to OR.

  • Filters to objects that have a relationship with the type and ID combination.

    Additional properties are allowed.

  • The operator to use for the has_reference parameter. Either OR or AND. Defaults to OR.

  • page integer

    The page of objects to return.

  • per_page integer

    The number of objects to return per page.

  • search_fields string | array

    The fields to perform the simple_query_string parsed query against.

  • Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed.

  • type string | array Required

    The saved object types to include.

Responses

  • 200 application/json

    Indicates a successful call.

    Additional properties are allowed.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/saved_objects/_find
curl \
 --request GET https://localhost:5601/api/saved_objects/_find?type=string
Response examples (200)
{}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}












Get a saved object Deprecated

GET /api/saved_objects/{type}/{id}

Retrieve a single Kibana saved object by identifier.

Path parameters

  • id string Required

    An identifier for the saved object.

  • type string Required

    Valid options include visualization, dashboard, search, index-pattern, config.

Responses

  • 200 application/json

    Indicates a successful call.

    Additional properties are allowed.

  • 400 application/json

    Bad request.

    Hide response attributes Show response attributes object
GET /api/saved_objects/{type}/{id}
curl \
 --request GET https://localhost:5601/api/saved_objects/{type}/{id}
Response examples (200)
{}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

















Get anonymization fields

GET /api/security_ai_assistant/anonymization_fields/_find

Get a list of all anonymization fields.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • Field to sort by

    Values are created_at, anonymized, allowed, field, or updated_at.

  • Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    AnonymizationFields per page

    Minimum value is 0. Default value is 20.

Responses

GET /api/security_ai_assistant/anonymization_fields/_find
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/anonymization_fields/_find
Response examples (200)
{
  "data": [
    {
      "allowed": true,
      "anonymized": true,
      "createdAt": "string",
      "createdBy": "string",
      "field": "string",
      "id": "string",
      "namespace": "string",
      "timestamp": "string",
      "updatedAt": "string",
      "updatedBy": "string"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}








Get conversations

GET /api/security_ai_assistant/current_user/conversations/_find

Get a list of all conversations for the current user.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • Field to sort by

    Values are created_at, is_default, title, or updated_at.

  • Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Conversations per page

    Minimum value is 0. Default value is 20.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • data array[object] Required
      Hide data attributes Show data attributes object
      • LLM API configuration.

        Additional properties are allowed.

        Hide apiConfig attributes Show apiConfig attributes object
      • category string Required

        The conversation category.

        Values are assistant or insights.

      • createdAt string Required

        The last time conversation was updated.

      • excludeFromLastConversationStorage.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • isDefault boolean

        Is default conversation.

      • messages array[object]

        The conversation messages.

        Hide messages attributes Show messages attributes object
        • content string Required

          Message content.

        • isError boolean

          Is error message.

        • metadata object

          metadata

          Additional properties are allowed.

          Hide metadata attribute Show metadata attribute object
        • reader object

          Message content.

          Additional properties are allowed.

        • role string Required

          Message role.

          Values are system, user, or assistant.

        • timestamp string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • trace Data

          Additional properties are allowed.

          Hide traceData attributes Show traceData attributes object
          • traceId string

            Could be any string, not necessarily a UUID

          • Could be any string, not necessarily a UUID

      • namespace string Required

        Kibana space

      • Replacements object used to anonymize/deanomymize messsages

        Hide replacements attribute Show replacements attribute object
        • * string Additional properties
      • summary object

        Additional properties are allowed.

        Hide summary attributes Show summary attributes object
        • How confident you are about this being a correct and useful learning.

          Values are low, medium, or high.

        • content string

          Summary text of the conversation over time.

        • public boolean

          Define if summary is marked as publicly available.

        • timestamp string(nonempty)

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • title string Required

        The conversation title.

      • The last time conversation was updated.

      • users array[object] Required
        Hide users attributes Show users attributes object
    • page integer Required
    • perPage integer Required
    • total integer Required
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/current_user/conversations/_find
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/current_user/conversations/_find
Response examples (200)
{
  "data": [
    {
      "apiConfig": {
        "actionTypeId": "string",
        "connectorId": "string",
        "defaultSystemPromptId": "string",
        "model": "string",
        "provider": "OpenAI"
      },
      "category": "assistant",
      "createdAt": "string",
      "excludeFromLastConversationStorage": true,
      "id": "string",
      "isDefault": true,
      "messages": [
        {
          "content": "string",
          "isError": true,
          "metadata": {
            "contentReferences": {}
          },
          "reader": {},
          "role": "system",
          "timestamp": "string",
          "traceData": {
            "traceId": "string",
            "transactionId": "string"
          }
        }
      ],
      "namespace": "string",
      "replacements": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      },
      "summary": {
        "confidence": "low",
        "content": "string",
        "public": true,
        "timestamp": "string"
      },
      "timestamp": "string",
      "title": "string",
      "updatedAt": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ]
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a conversation

GET /api/security_ai_assistant/current_user/conversations/{id}

Get the details of an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • LLM API configuration.

      Additional properties are allowed.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The last time conversation was updated.

    • excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • isDefault boolean

      Is default conversation.

    • messages array[object]

      The conversation messages.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Additional properties are allowed.

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • trace Data

        Additional properties are allowed.

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object

      Additional properties are allowed.

      Hide summary attributes Show summary attributes object
      • How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • The last time conversation was updated.

    • users array[object] Required
      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/current_user/conversations/{id}
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/current_user/conversations/{id}
Response examples (200)
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "createdAt": "string",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "isDefault": true,
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "namespace": "string",
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "timestamp": "string",
  "title": "string",
  "updatedAt": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update a conversation

PUT /api/security_ai_assistant/current_user/conversations/{id}

Update an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

application/json

Body Required

  • LLM API configuration.

    Additional properties are allowed.

    Hide apiConfig attributes Show apiConfig attributes object
  • category string

    The conversation category.

    Values are assistant or insights.

  • excludeFromLastConversationStorage.

  • id string(nonempty) Required

    A string that does not contain only whitespace characters

    Minimum length is 1.

  • messages array[object]

    The conversation messages.

    Hide messages attributes Show messages attributes object
    • content string Required

      Message content.

    • isError boolean

      Is error message.

    • metadata object

      metadata

      Additional properties are allowed.

      Hide metadata attribute Show metadata attribute object
    • reader object

      Message content.

      Additional properties are allowed.

    • role string Required

      Message role.

      Values are system, user, or assistant.

    • timestamp string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • trace Data

      Additional properties are allowed.

      Hide traceData attributes Show traceData attributes object
      • traceId string

        Could be any string, not necessarily a UUID

      • Could be any string, not necessarily a UUID

  • Replacements object used to anonymize/deanomymize messsages

    Hide replacements attribute Show replacements attribute object
    • * string Additional properties
  • summary object

    Additional properties are allowed.

    Hide summary attributes Show summary attributes object
    • How confident you are about this being a correct and useful learning.

      Values are low, medium, or high.

    • content string

      Summary text of the conversation over time.

    • public boolean

      Define if summary is marked as publicly available.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • title string

    The conversation title.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • LLM API configuration.

      Additional properties are allowed.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The last time conversation was updated.

    • excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • isDefault boolean

      Is default conversation.

    • messages array[object]

      The conversation messages.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Additional properties are allowed.

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • trace Data

        Additional properties are allowed.

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object

      Additional properties are allowed.

      Hide summary attributes Show summary attributes object
      • How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • The last time conversation was updated.

    • users array[object] Required
      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
PUT /api/security_ai_assistant/current_user/conversations/{id}
curl \
 --request PUT https://localhost:5601/api/security_ai_assistant/current_user/conversations/{id} \
 --header "Content-Type: application/json" \
 --data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"summary":{"confidence":"low","content":"string","public":true,"timestamp":"string"},"title":"string"}'
Request examples
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "title": "string"
}
Response examples (200)
{
  "apiConfig": {
    "actionTypeId": "string",
    "connectorId": "string",
    "defaultSystemPromptId": "string",
    "model": "string",
    "provider": "OpenAI"
  },
  "category": "assistant",
  "createdAt": "string",
  "excludeFromLastConversationStorage": true,
  "id": "string",
  "isDefault": true,
  "messages": [
    {
      "content": "string",
      "isError": true,
      "metadata": {
        "contentReferences": {}
      },
      "reader": {},
      "role": "system",
      "timestamp": "string",
      "traceData": {
        "traceId": "string",
        "transactionId": "string"
      }
    }
  ],
  "namespace": "string",
  "replacements": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  },
  "summary": {
    "confidence": "low",
    "content": "string",
    "public": true,
    "timestamp": "string"
  },
  "timestamp": "string",
  "title": "string",
  "updatedAt": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}












Create a Knowledge Base Entry

POST /api/security_ai_assistant/knowledge_base/entries

Create a Knowledge Base Entry

application/json

Body object Required

Any of:
  • name string Required

    Name of the Knowledge Base Entry

  • Kibana Space, defaults to 'default' space

  • users array[object]

    Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

    Hide users attributes Show users attributes object
  • kbResource string Required

    Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

  • source string Required

    Source document name or filepath

  • text string Required

    Knowledge Base Entry content

  • type string Required Discriminator

    Entry type

    Value is document.

  • required boolean

    Whether this resource should always be included, defaults to false

  • vector object

    Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

    Additional properties are allowed.

    Hide vector attributes Show vector attributes object
    • modelId string Required

      ID of the model used to create the embeddings

    • tokens object Required

      Tokens with their corresponding values

      Hide tokens attribute Show tokens attribute object
      • * number Additional properties

Responses

  • 200 application/json

    Successful request returning Knowledge Base Entries

    Any of:
    Hide attributes Show attributes
    • name string Required

      Name of the Knowledge Base Entry

    • namespace string Required

      Kibana Space, defaults to 'default' space

    • users array[object] Required

      Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

      Hide users attributes Show users attributes object
    • createdAt string Required

      Time the Knowledge Base Entry was created

    • createdBy string Required

      User who created the Knowledge Base Entry

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updatedAt string Required

      Time the Knowledge Base Entry was last updated

    • updatedBy string Required

      User who last updated the Knowledge Base Entry

    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      Additional properties are allowed.

      Hide vector attributes Show vector attributes object
      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        Hide tokens attribute Show tokens attribute object
        • * number Additional properties
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
POST /api/security_ai_assistant/knowledge_base/entries
curl \
 --request POST https://localhost:5601/api/security_ai_assistant/knowledge_base/entries \
 --header "Content-Type: application/json" \
 --data '{"name":"string","namespace":"string","users":[{"id":"string","name":"string"}],"kbResource":"string","source":"string","text":"string","type":"document","required":true,"vector":{"modelId":"string","tokens":{"additionalProperty1":42.0,"additionalProperty2":42.0}}}'
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "kbResource": "string",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (200)
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "string",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Finds Knowledge Base Entries that match the given query.

GET /api/security_ai_assistant/knowledge_base/entries/_find

Finds Knowledge Base Entries that match the given query.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • Field to sort by

    Values are created_at, is_default, title, or updated_at.

  • Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Knowledge Base Entries per page

    Minimum value is 0. Default value is 20.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • data array[object] Required
      Any of:
      Hide attributes Show attributes
      • name string Required

        Name of the Knowledge Base Entry

      • namespace string Required

        Kibana Space, defaults to 'default' space

      • users array[object] Required

        Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

        Hide users attributes Show users attributes object
      • createdAt string Required

        Time the Knowledge Base Entry was created

      • createdBy string Required

        User who created the Knowledge Base Entry

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updatedAt string Required

        Time the Knowledge Base Entry was last updated

      • updatedBy string Required

        User who last updated the Knowledge Base Entry

      • kbResource string Required

        Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

      • source string Required

        Source document name or filepath

      • text string Required

        Knowledge Base Entry content

      • type string Required Discriminator

        Entry type

        Value is document.

      • required boolean

        Whether this resource should always be included, defaults to false

      • vector object

        Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

        Additional properties are allowed.

        Hide vector attributes Show vector attributes object
        • modelId string Required

          ID of the model used to create the embeddings

        • tokens object Required

          Tokens with their corresponding values

          Hide tokens attribute Show tokens attribute object
          • * number Additional properties
    • page integer Required
    • perPage integer Required
    • total integer Required
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/knowledge_base/entries/_find
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/_find
Response examples (200)
{
  "data": [
    {
      "name": "string",
      "namespace": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ],
      "createdAt": "string",
      "createdBy": "string",
      "id": "string",
      "updatedAt": "string",
      "updatedBy": "string",
      "kbResource": "string",
      "source": "string",
      "text": "string",
      "type": "document",
      "required": true,
      "vector": {
        "modelId": "string",
        "tokens": {
          "additionalProperty1": 42.0,
          "additionalProperty2": 42.0
        }
      }
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Read a Knowledge Base Entry

GET /api/security_ai_assistant/knowledge_base/entries/{id}

Read a Knowledge Base Entry

Path parameters

  • id string(nonempty) Required

    The Knowledge Base Entry's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Successful request returning a Knowledge Base Entry

    Any of:
    Hide attributes Show attributes
    • name string Required

      Name of the Knowledge Base Entry

    • namespace string Required

      Kibana Space, defaults to 'default' space

    • users array[object] Required

      Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

      Hide users attributes Show users attributes object
    • createdAt string Required

      Time the Knowledge Base Entry was created

    • createdBy string Required

      User who created the Knowledge Base Entry

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updatedAt string Required

      Time the Knowledge Base Entry was last updated

    • updatedBy string Required

      User who last updated the Knowledge Base Entry

    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'esql', 'lens-docs', etc

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      Additional properties are allowed.

      Hide vector attributes Show vector attributes object
      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        Hide tokens attribute Show tokens attribute object
        • * number Additional properties
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
GET /api/security_ai_assistant/knowledge_base/entries/{id}
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/{id}
Response examples (200)
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "string",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
{
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Deletes a single Knowledge Base Entry using the `id` field

DELETE /api/security_ai_assistant/knowledge_base/entries/{id}

Deletes a single Knowledge Base Entry using the id field

Path parameters

  • id string(nonempty) Required

    The Knowledge Base Entry's id value

    Minimum length is 1.

Responses

  • 200 application/json

    Successful request returning the deleted Knowledge Base Entry's ID

    Hide response attribute Show response attribute object
    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
DELETE /api/security_ai_assistant/knowledge_base/entries/{id}
curl \
 --request DELETE https://localhost:5601/api/security_ai_assistant/knowledge_base/entries/{id}
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}




Get prompts

GET /api/security_ai_assistant/prompts/_find

Get a list of all prompts.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • Field to sort by

    Values are created_at, is_default, name, or updated_at.

  • Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Prompts per page

    Minimum value is 0. Default value is 20.

Responses

GET /api/security_ai_assistant/prompts/_find
curl \
 --request GET https://localhost:5601/api/security_ai_assistant/prompts/_find
Response examples (200)
{
  "data": [
    {
      "categories": [
        "string"
      ],
      "color": "string",
      "consumer": "string",
      "content": "string",
      "createdAt": "string",
      "createdBy": "string",
      "id": "string",
      "isDefault": true,
      "isNewConversationDefault": true,
      "name": "string",
      "namespace": "string",
      "promptType": "system",
      "timestamp": "string",
      "updatedAt": "string",
      "updatedBy": "string",
      "users": [
        {
          "id": "string",
          "name": "string"
        }
      ]
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}





Create an alerts index

POST /api/detection_engine/index

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough permissions response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/detection_engine/index
curl \
 --request POST https://localhost:5601/api/detection_engine/index
Response examples (200)
{
  "acknowledged": true
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "message": "string",
  "status_code": 42
}
Response examples (404)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}




































Delete multiple detection rules Deprecated

POST /api/detection_engine/rules/_bulk_delete

Deletes multiple rules.

application/json

Body Required

A JSON array of id or rule_id fields of the rules you want to delete.

  • id string(uuid)

    A universally unique identifier

  • rule_id string

    Could be any string, not necessarily a UUID

Responses

  • 200 application/json

    Indicates a successful call.

    One of:
    Hide attributes Show attributes
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • action_type_id string Required

        The action type used for sending notifications.

      • Additional properties are allowed.

      • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

        Additional properties are allowed.

        Hide frequency attributes Show frequency attributes object
        • notifyWhen string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

        • throttle string | null Required

          Defines how often rule actions are taken.

          One of:

          Values are no_actions or rule.

      • group string

        Optionally groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • Values are savedObjectConversion or savedObjectImport.

    • author array[string] Required
    • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

    • description string Required

      Minimum length is 1.

    • enabled boolean Required

      Determines whether the rule is enabled.

    • exceptions_list array[object] Required
      Hide exceptions_list attributes Show exceptions_list attributes object
      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • list_id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • namespace_type string Required

        Determines the exceptions validity in rule's Kibana space

        Values are agnostic or single.

      • type string Required

        The exception type

        Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • false_positives array[string] Required
    • from string(date-math) Required

      Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

    • interval string Required

      Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

    • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

      const investigationFields = z.object({
        field_names: NonEmptyArray(NonEmptyString),
        override: z.boolean().optional(),
      });
      

      Additional properties are allowed.

      Hide investigation_fields attribute Show investigation_fields attribute object
      • field_names array[string(nonempty)] Required

        A string that does not contain only whitespace characters

        At least 1 element. Minimum length of each is 1.

    • license string

      The rule's license.

    • max_signals integer Required

      Minimum value is 1.

    • meta object

      Additional properties are allowed.

    • name string Required

      Minimum length is 1.

    • Has no effect.

    • note string

      Notes to help investigate alerts produced by the rule.

    • outcome string

      Values are exactMatch, aliasMatch, or conflict.

    • output_index string Deprecated

      (deprecated) Has no effect.

    • references array[string] Required
    • required_fields array[object] Required
      Hide required_fields attributes Show required_fields attributes object
      • ecs boolean Required

        Whether the field is an ECS field

      • name string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • type string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • response_actions array[object]
      One of:
      Hide attributes Show attributes
    • risk_score integer Required

      Risk score (0 to 100)

      Minimum value is 0, maximum value is 100.

    • risk_score_mapping array[object] Required

      Overrides generated alerts' risk_score with a value from the source event

      Hide risk_score_mapping attributes Show risk_score_mapping attributes object
    • Sets the source field for the alert's signal.rule.name value

    • setup string Required
    • severity string Required

      Severity of the rule

      Values are low, medium, high, or critical.

    • severity_mapping array[object] Required

      Overrides generated alerts' severity with values from the source event

      Hide severity_mapping attributes Show severity_mapping attributes object
      • field string Required
      • operator string Required

        Value is equals.

      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • value string Required
    • tags array[string] Required

      String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

    • threat array[object] Required
      Hide threat attributes Show threat attributes object
      • framework string Required

        Relevant attack framework

      • tactic object Required

        Additional properties are allowed.

        Hide tactic attributes Show tactic attributes object
        • id string Required

          Tactic ID

        • name string Required

          Tactic name

        • reference string Required

          Tactic reference

      • technique array[object]

        Array containing information on the attack techniques (optional)

        Hide technique attributes Show technique attributes object
        • id string Required

          Technique ID

        • name string Required

          Technique name

        • reference string Required

          Technique reference

        • subtechnique array[object]

          Array containing more specific information on the attack technique

          Hide subtechnique attributes Show subtechnique attributes object
          • id string Required

            Subtechnique ID

          • name string Required

            Subtechnique name

          • reference string Required

            Subtechnique reference

    • throttle string | null

      Defines how often rule actions are taken.

      One of:

      Values are no_actions or rule.

    • Timeline template ID

    • Timeline template title

    • Sets the time field used to query indices

    • Disables the fallback to the event's @timestamp field

    • to string Required
    • version integer Required

      The rule's version number.

      Minimum value is 1.

    • created_at string(date-time) Required
    • created_by string Required
    • Additional properties are allowed.

      Hide execution_summary attribute Show execution_summary attribute object
      • last_execution object Required

        Additional properties are allowed.

        Hide last_execution attributes Show last_execution attributes object
        • date string(date-time) Required

          Date of the last execution

        • message string Required
        • metrics object Required

          Additional properties are allowed.

          Hide metrics attributes Show metrics attributes object
          • Duration in seconds of execution gap

            Minimum value is 0.

          • Range of the execution gap

            Additional properties are allowed.

            Hide gap_range attributes Show gap_range attributes object
            • gte string Required

              Start date of the execution gap

            • lte string Required

              End date of the execution gap

          • Total time spent enriching documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent indexing documents during current rule execution cycle

            Minimum value is 0.

          • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

            Minimum value is 0.

        • status string Required

          Status of the last execution

          Values are going to run, running, partial failure, failed, or succeeded.

        • status_order integer Required
    • id string(uuid) Required

      A universally unique identifier

    • immutable boolean Required Deprecated

      This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

    • revision integer Required

      Minimum value is 0.

    • rule_id string Required

      Could be any string, not necessarily a UUID

    • rule_source object Required

      Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

      One of:

      Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

      Hide attributes Show attributes
      • is_customized boolean Required

        Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

      • type string Required Discriminator

        Value is external.

    • updated_at string(date-time) Required
    • updated_by string Required
    • language string Required

      Query language to use

      Value is eql.

    • query string Required

      EQL query to execute

    • type string Required Discriminator

      Rule type

      Value is eql.

    • Additional properties are allowed.

      Hide alert_suppression attributes Show alert_suppression attributes object
      • duration object

        Additional properties are allowed.

        Hide duration attributes Show duration attributes object
        • unit string Required

          Values are s, m, or h.

        • value integer Required

          Minimum value is 1.

      • group_by array[string] Required

        At least 1 but not more than 3 elements.

      • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

        Values are doNotSuppress or suppress.

    • filters array
    • index array[string]
    • Sets a secondary field for sorting events

    • Contains the event timestamp used for sorting a sequence of events

  • 400 application/json

    Invalid input data response

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/detection_engine/rules/_bulk_delete
curl \
 --request POST https://localhost:5601/api/detection_engine/rules/_bulk_delete \
 --header "Content-Type: application/json" \
 --data '[{"id":"string","rule_id":"string"}]'
Request examples
[
  {
    "id": "string",
    "rule_id": "string"
  }
]
Response examples (200)
[
  {
    "actions": [
      {
        "action_type_id": "string",
        "alerts_filter": {},
        "frequency": {
          "notifyWhen": "onActiveAlert",
          "summary": true,
          "throttle": "no_actions"
        },
        "group": "string",
        "id": "string",
        "params": {},
        "uuid": "string"
      }
    ],
    "alias_purpose": "savedObjectConversion",
    "alias_target_id": "string",
    "author": [
      "string"
    ],
    "building_block_type": "string",
    "description": "string",
    "enabled": true,
    "exceptions_list": [
      {
        "id": "string",
        "list_id": "string",
        "namespace_type": "agnostic",
        "type": "detection"
      }
    ],
    "false_positives": [
      "string"
    ],
    "from": "string",
    "interval": "string",
    "investigation_fields": {
      "field_names": [
        "string"
      ]
    },
    "license": "string",
    "max_signals": 42,
    "meta": {},
    "name": "string",
    "namespace": "string",
    "note": "string",
    "outcome": "exactMatch",
    "output_index": "string",
    "references": [
      "string"
    ],
    "related_integrations": [
      {
        "integration": "string",
        "package": "string",
        "version": "string"
      }
    ],
    "required_fields": [
      {
        "ecs": true,
        "name": "string",
        "type": "string"
      }
    ],
    "response_actions": [
      {
        "action_type_id": ".osquery",
        "params": {
          "ecs_mapping": {
            "additionalProperty1": {
              "field": "string",
              "value": "string"
            },
            "additionalProperty2": {
              "field": "string",
              "value": "string"
            }
          },
          "pack_id": "string",
          "queries": [
            {
              "ecs_mapping": {
                "additionalProperty1": {
                  "field": "string",
                  "value": "string"
                },
                "additionalProperty2": {
                  "field": "string",
                  "value": "string"
                }
              },
              "id": "string",
              "platform": "string",
              "query": "string",
              "removed": true,
              "snapshot": true,
              "version": "string"
            }
          ],
          "query": "string",
          "saved_query_id": "string",
          "timeout": 42.0
        }
      }
    ],
    "risk_score": 42,
    "risk_score_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "risk_score": 42,
        "value": "string"
      }
    ],
    "rule_name_override": "string",
    "setup": "string",
    "severity": "low",
    "severity_mapping": [
      {
        "field": "string",
        "operator": "equals",
        "severity": "low",
        "value": "string"
      }
    ],
    "tags": [
      "string"
    ],
    "threat": [
      {
        "framework": "string",
        "tactic": {
          "id": "string",
          "name": "string",
          "reference": "string"
        },
        "technique": [
          {
            "id": "string",
            "name": "string",
            "reference": "string",
            "subtechnique": [
              {
                "id": "string",
                "name": "string",
                "reference": "string"
              }
            ]
          }
        ]
      }
    ],
    "throttle": "no_actions",
    "timeline_id": "string",
    "timeline_title": "string",
    "timestamp_override": "string",
    "timestamp_override_fallback_disabled": true,
    "to": "string",
    "version": 42,
    "created_at": "2025-05-04T09:42:00+00:00",
    "created_by": "string",
    "execution_summary": {
      "last_execution": {
        "date": "2025-05-04T09:42:00+00:00",
        "message": "string",
        "metrics": {
          "execution_gap_duration_s": 42,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_enrichment_duration_ms": 42,
          "total_indexing_duration_ms": 42,
          "total_search_duration_ms": 42
        },
        "status": "going to run",
        "status_order": 42
      }
    },
    "id": "string",
    "immutable": true,
    "revision": 42,
    "rule_id": "string",
    "rule_source": {
      "is_customized": true,
      "type": "external"
    },
    "updated_at": "2025-05-04T09:42:00+00:00",
    "updated_by": "string",
    "language": "eql",
    "query": "string",
    "type": "eql",
    "alert_suppression": {
      "duration": {
        "unit": "s",
        "value": 42
      },
      "group_by": [
        "string"
      ],
      "missing_fields_strategy": "doNotSuppress"
    },
    "data_view_id": "string",
    "event_category_override": "string",
    "filters": [],
    "index": [
      "string"
    ],
    "tiebreaker_field": "string",
    "timestamp_field": "string"
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}
















List all detection rules

GET /api/detection_engine/rules/_find

Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.

Query parameters

  • fields array[string]
  • filter string

    Search query

  • Field to sort by

    Values are created_at, createdAt, enabled, execution_summary.last_execution.date, execution_summary.last_execution.metrics.execution_gap_duration_s, execution_summary.last_execution.metrics.total_indexing_duration_ms, execution_summary.last_execution.metrics.total_search_duration_ms, execution_summary.last_execution.status, name, risk_score, riskScore, severity, updated_at, or updatedAt.

  • Sort order

    Values are asc or desc.

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • per_page integer

    Rules per page

    Minimum value is 0. Default value is 20.

  • Gaps range start

  • Gaps range end

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • data array[object] Required
      Any of:
      Hide attributes Show attributes
      • actions array[object] Required
        Hide actions attributes Show actions attributes object
        • action_type_id string Required

          The action type used for sending notifications.

        • Additional properties are allowed.

        • The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).

          Additional properties are allowed.

          Hide frequency attributes Show frequency attributes object
          • notifyWhen string Required

            The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

            Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

          • summary boolean Required

            Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert

          • throttle string | null Required

            Defines how often rule actions are taken.

            One of:

            Values are no_actions or rule.

        • group string

          Optionally groups actions by use cases. Use default for alert notifications.

        • id string Required

          The connector ID.

        • params object Required

          Object containing the allowed connector fields, which varies according to the connector type.

          Additional properties are allowed.

        • uuid string(nonempty)

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • Values are savedObjectConversion or savedObjectImport.

      • author array[string] Required
      • Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.

      • description string Required

        Minimum length is 1.

      • enabled boolean Required

        Determines whether the rule is enabled.

      • exceptions_list array[object] Required
        Hide exceptions_list attributes Show exceptions_list attributes object
        • id string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • list_id string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • namespace_type string Required

          Determines the exceptions validity in rule's Kibana space

          Values are agnostic or single.

        • type string Required

          The exception type

          Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

      • false_positives array[string] Required
      • from string(date-math) Required

        Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).

      • interval string Required

        Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).

      • Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. Added in PR #163235 Right now we only have a single field but anticipate adding more related fields to store various configuration states such as override - where a user might say if they want only these fields to display, or if they want these fields + the fields we select. When expanding this field, it may look something like:

        const investigationFields = z.object({
          field_names: NonEmptyArray(NonEmptyString),
          override: z.boolean().optional(),
        });
        

        Additional properties are allowed.

        Hide investigation_fields attribute Show investigation_fields attribute object
        • field_names array[string(nonempty)] Required

          A string that does not contain only whitespace characters

          At least 1 element. Minimum length of each is 1.

      • license string

        The rule's license.

      • max_signals integer Required

        Minimum value is 1.

      • meta object

        Additional properties are allowed.

      • name string Required

        Minimum length is 1.

      • Has no effect.

      • note string

        Notes to help investigate alerts produced by the rule.

      • outcome string

        Values are exactMatch, aliasMatch, or conflict.

      • output_index string Deprecated

        (deprecated) Has no effect.

      • references array[string] Required
      • required_fields array[object] Required
        Hide required_fields attributes Show required_fields attributes object
        • ecs boolean Required

          Whether the field is an ECS field

        • name string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • type string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • response_actions array[object]
        One of:
        Hide attributes Show attributes
      • risk_score integer Required

        Risk score (0 to 100)

        Minimum value is 0, maximum value is 100.

      • risk_score_mapping array[object] Required

        Overrides generated alerts' risk_score with a value from the source event

        Hide risk_score_mapping attributes Show risk_score_mapping attributes object
      • Sets the source field for the alert's signal.rule.name value

      • setup string Required
      • severity string Required

        Severity of the rule

        Values are low, medium, high, or critical.

      • severity_mapping array[object] Required

        Overrides generated alerts' severity with values from the source event

        Hide severity_mapping attributes Show severity_mapping attributes object
        • field string Required
        • operator string Required

          Value is equals.

        • severity string Required

          Severity of the rule

          Values are low, medium, high, or critical.

        • value string Required
      • tags array[string] Required

        String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.

      • threat array[object] Required
        Hide threat attributes Show threat attributes object
        • framework string Required

          Relevant attack framework

        • tactic object Required

          Additional properties are allowed.

          Hide tactic attributes Show tactic attributes object
          • id string Required

            Tactic ID

          • name string Required

            Tactic name

          • reference string Required

            Tactic reference

        • technique array[object]

          Array containing information on the attack techniques (optional)

          Hide technique attributes Show technique attributes object
          • id string Required

            Technique ID

          • name string Required

            Technique name

          • reference string Required

            Technique reference

          • subtechnique array[object]

            Array containing more specific information on the attack technique

            Hide subtechnique attributes Show subtechnique attributes object
            • id string Required

              Subtechnique ID

            • name string Required

              Subtechnique name

            • reference string Required

              Subtechnique reference

      • throttle string | null

        Defines how often rule actions are taken.

        One of:

        Values are no_actions or rule.

      • Timeline template ID

      • Timeline template title

      • Sets the time field used to query indices

      • Disables the fallback to the event's @timestamp field

      • to string Required
      • version integer Required

        The rule's version number.

        Minimum value is 1.

      • created_at string(date-time) Required
      • created_by string Required
      • Additional properties are allowed.

        Hide execution_summary attribute Show execution_summary attribute object
        • last_execution object Required

          Additional properties are allowed.

          Hide last_execution attributes Show last_execution attributes object
          • date string(date-time) Required

            Date of the last execution

          • message string Required
          • metrics object Required

            Additional properties are allowed.

            Hide metrics attributes Show metrics attributes object
            • Duration in seconds of execution gap

              Minimum value is 0.

            • Range of the execution gap

              Additional properties are allowed.

              Hide gap_range attributes Show gap_range attributes object
              • gte string Required

                Start date of the execution gap

              • lte string Required

                End date of the execution gap

            • Total time spent enriching documents during current rule execution cycle

              Minimum value is 0.

            • Total time spent indexing documents during current rule execution cycle

              Minimum value is 0.

            • Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response

              Minimum value is 0.

          • status string Required

            Status of the last execution

            Values are going to run, running, partial failure, failed, or succeeded.

          • status_order integer Required
      • id string(uuid) Required

        A universally unique identifier

      • immutable boolean Required Deprecated

        This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the rule_source field.

      • revision integer Required

        Minimum value is 0.

      • rule_id string Required

        Could be any string, not necessarily a UUID

      • rule_source object Required

        Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.

        One of:

        Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.

        Hide attributes Show attributes
        • is_customized boolean Required

          Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).

        • type string Required Discriminator

          Value is external.

      • updated_at string(date-time) Required
      • updated_by string Required
      • language string Required

        Query language to use

        Value is eql.

      • query string Required

        EQL query to execute

      • type string Required Discriminator

        Rule type

        Value is eql.

      • Additional properties are allowed.

        Hide alert_suppression attributes Show alert_suppression attributes object
        • duration object

          Additional properties are allowed.

          Hide duration attributes Show duration attributes object
          • unit string Required

            Values are s, m, or h.

          • value integer Required

            Minimum value is 1.

        • group_by array[string] Required

          At least 1 but not more than 3 elements.

        • Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket

          Values are doNotSuppress or suppress.

      • filters array
      • index array[string]
      • Sets a secondary field for sorting events

      • Contains the event timestamp used for sorting a sequence of events

    • page integer Required
    • perPage integer Required
    • total integer Required
GET /api/detection_engine/rules/_find
curl \
 --request GET https://localhost:5601/api/detection_engine/rules/_find
Response examples (200)
{
  "data": [
    {
      "actions": [
        {
          "action_type_id": "string",
          "alerts_filter": {},
          "frequency": {
            "notifyWhen": "onActiveAlert",
            "summary": true,
            "throttle": "no_actions"
          },
          "group": "string",
          "id": "string",
          "params": {},
          "uuid": "string"
        }
      ],
      "alias_purpose": "savedObjectConversion",
      "alias_target_id": "string",
      "author": [
        "string"
      ],
      "building_block_type": "string",
      "description": "string",
      "enabled": true,
      "exceptions_list": [
        {
          "id": "string",
          "list_id": "string",
          "namespace_type": "agnostic",
          "type": "detection"
        }
      ],
      "false_positives": [
        "string"
      ],
      "from": "string",
      "interval": "string",
      "investigation_fields": {
        "field_names": [
          "string"
        ]
      },
      "license": "string",
      "max_signals": 42,
      "meta": {},
      "name": "string",
      "namespace": "string",
      "note": "string",
      "outcome": "exactMatch",
      "output_index": "string",
      "references": [
        "string"
      ],
      "related_integrations": [
        {
          "integration": "string",
          "package": "string",
          "version": "string"
        }
      ],
      "required_fields": [
        {
          "ecs": true,
          "name": "string",
          "type": "string"
        }
      ],
      "response_actions": [
        {
          "action_type_id": ".osquery",
          "params": {
            "ecs_mapping": {
              "additionalProperty1": {
                "field": "string",
                "value": "string"
              },
              "additionalProperty2": {
                "field": "string",
                "value": "string"
              }
            },
            "pack_id": "string",
            "queries": [
              {
                "ecs_mapping": {
                  "additionalProperty1": {
                    "field": "string",
                    "value": "string"
                  },
                  "additionalProperty2": {
                    "field": "string",
                    "value": "string"
                  }
                },
                "id": "string",
                "platform": "string",
                "query": "string",
                "removed": true,
                "snapshot": true,
                "version": "string"
              }
            ],
            "query": "string",
            "saved_query_id": "string",
            "timeout": 42.0
          }
        }
      ],
      "risk_score": 42,
      "risk_score_mapping": [
        {
          "field": "string",
          "operator": "equals",
          "risk_score": 42,
          "value": "string"
        }
      ],
      "rule_name_override": "string",
      "setup": "string",
      "severity": "low",
      "severity_mapping": [
        {
          "field": "string",
          "operator": "equals",
          "severity": "low",
          "value": "string"
        }
      ],
      "tags": [
        "string"
      ],
      "threat": [
        {
          "framework": "string",
          "tactic": {
            "id": "string",
            "name": "string",
            "reference": "string"
          },
          "technique": [
            {
              "id": "string",
              "name": "string",
              "reference": "string",
              "subtechnique": [
                {
                  "id": "string",
                  "name": "string",
                  "reference": "string"
                }
              ]
            }
          ]
        }
      ],
      "throttle": "no_actions",
      "timeline_id": "string",
      "timeline_title": "string",
      "timestamp_override": "string",
      "timestamp_override_fallback_disabled": true,
      "to": "string",
      "version": 42,
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "execution_summary": {
        "last_execution": {
          "date": "2025-05-04T09:42:00+00:00",
          "message": "string",
          "metrics": {
            "execution_gap_duration_s": 42,
            "gap_range": {
              "gte": "string",
              "lte": "string"
            },
            "total_enrichment_duration_ms": 42,
            "total_indexing_duration_ms": 42,
            "total_search_duration_ms": 42
          },
          "status": "going to run",
          "status_order": 42
        }
      },
      "id": "string",
      "immutable": true,
      "revision": 42,
      "rule_id": "string",
      "rule_source": {
        "is_customized": true,
        "type": "external"
      },
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string",
      "language": "eql",
      "query": "string",
      "type": "eql",
      "alert_suppression": {
        "duration": {
          "unit": "s",
          "value": 42
        },
        "group_by": [
          "string"
        ],
        "missing_fields_strategy": "doNotSuppress"
      },
      "data_view_id": "string",
      "event_category_override": "string",
      "filters": [],
      "index": [
        "string"
      ],
      "tiebreaker_field": "string",
      "timestamp_field": "string"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}

Import detection rules

POST /api/detection_engine/rules/_import

Import detection rules from an .ndjson file, including actions and exception lists. The request must include:

  • The Content-Type: multipart/form-data HTTP header.
  • A link to the .ndjson file containing the rules.

Query parameters

  • overwrite boolean

    Determines whether existing rules with the same rule_id are overwritten.

    Default value is false.

  • Determines whether existing exception lists with the same list_id are overwritten.

    Default value is false.

  • Determines whether existing actions with the same kibana.alert.rule.actions.id are overwritten.

    Default value is false.

  • Generates a new list ID for each imported exception list.

    Default value is false.

multipart/form-data

Body Required

  • file string(binary)

    The .ndjson file containing the rules.

Responses

POST /api/detection_engine/rules/_import
curl \
 --request POST https://localhost:5601/api/detection_engine/rules/_import \
 --header "Content-Type: multipart/form-data" \
 --form "file=@file"
Response examples (200)
{
  "action_connectors_errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "action_connectors_success": true,
  "action_connectors_success_count": 42,
  "action_connectors_warnings": [
    {
      "actionPath": "string",
      "buttonLabel": "string",
      "message": "string",
      "type": "string"
    }
  ],
  "errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "exceptions_errors": [
    {
      "error": {
        "message": "string",
        "status_code": 42
      },
      "id": "string",
      "item_id": "string",
      "list_id": "string",
      "rule_id": "string"
    }
  ],
  "exceptions_success": true,
  "exceptions_success_count": 42,
  "rules_count": 42,
  "success": true,
  "success_count": 42
}

Install prebuilt detection rules and Timelines

PUT /api/detection_engine/rules/prepackaged

Install and update all Elastic prebuilt detection rules and Timelines.

Responses

  • 200 application/json

    Indicates a successful call

    Hide response attributes Show response attributes object
PUT /api/detection_engine/rules/prepackaged
curl \
 --request PUT https://localhost:5601/api/detection_engine/rules/prepackaged
Response examples (200)
{
  "rules_installed": 42,
  "rules_updated": 42,
  "timelines_installed": 42,
  "timelines_updated": 42
}








Assign and unassign users from detection alerts

POST /api/detection_engine/signals/assignees

Assign users to detection alerts, and unassign them from alerts.

You cannot add and remove the same assignee in the same request.

application/json

Body Required

  • assignees object Required

    Details about the assignees to assign and unassign.

    Additional properties are allowed.

    Hide assignees attributes Show assignees attributes object
    • add array[string(nonempty)] Required

      A list of users ids to assign.

      Minimum length of each is 1.

    • remove array[string(nonempty)] Required

      A list of users ids to unassign.

      Minimum length of each is 1.

  • ids array[string(nonempty)] Required

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

Responses

  • 200 application/ndjson

    Indicates a successful call.

  • Invalid request.

POST /api/detection_engine/signals/assignees
curl \
 --request POST https://localhost:5601/api/detection_engine/signals/assignees \
 --header "Content-Type: application/json" \
 --data '{"ids":["681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"],"assignees":{"add":["u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"],"remove":[]}}'
Request examples
{
  "ids": [
    "681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
  ],
  "assignees": {
    "add": [
      "u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
    ],
    "remove": []
  }
}
{
  "ids": [
    "681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6"
  ],
  "assignees": {
    "add": [],
    "remove": [
      "u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0"
    ]
  }
}
Response examples (200)
{
  "took": "76,",
  "noops": 0,
  "total": "1,",
  "batches": "1,",
  "deleted": 0,
  "retries": [
    {
      "bulk": 0
    },
    {
      "search": 0
    }
  ],
  "updated": "1,",
  "failures": [],
  "timed_out": "false,",
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": "-1,",
  "throttled_until_millis": 0
}

Finalize detection alert migrations Deprecated

POST /api/detection_engine/signals/finalize_migration

Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, finalize it.

application/json

Body Required

Array of migration_ids to finalize

  • migration_ids array[string] Required

    Array of migration_ids to finalize.

    At least 1 element.

Responses

POST /api/detection_engine/signals/finalize_migration
curl \
 --request POST https://localhost:5601/api/detection_engine/signals/finalize_migration \
 --header "Content-Type: application/json" \
 --data '{"migration_ids":["924f7c50-505f-11eb-ae0a-3fa2e626a51d"]}'
Request example
{
  "migration_ids": [
    "924f7c50-505f-11eb-ae0a-3fa2e626a51d"
  ]
}
Response examples (200)
{
  "migrations": [
    {
      "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "status": "success",
      "updated": "2021-01-06T22:05:56.859Z",
      "version": 16,
      "completed": true,
      "sourceIndex": ".siem-signals-default-000002",
      "destinationIndex": ".siem-signals-default-000002-r000016"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}

Initiate a detection alert migration Deprecated

POST /api/detection_engine/signals/migration

Initiate a migration of detection alerts. Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly.

application/json

Body Required

Alerts migration parameters

  • index array[string(nonempty)] Required

    Array of index names to migrate.

    At least 1 element. Minimum length of each is 1.

  • The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API.

    Minimum value is 1.

  • size integer

    Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API.

    Minimum value is 1.

  • slices integer

    The number of subtasks for the migration task. Corresponds to slices on the Reindex API.

    Minimum value is 1.

Responses

POST /api/detection_engine/signals/migration
curl \
 --request POST https://localhost:5601/api/detection_engine/signals/migration \
 --header "Content-Type: application/json" \
 --data '{"index":[".siem-signals-default-000001"]}'
Request example
{
  "index": [
    ".siem-signals-default-000001"
  ]
}
Response examples (200)
{
  "indices": [
    {
      "index": ".siem-signals-default-000001,",
      "migration_id": "923f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "migration_index": ".siem-signals-default-000001-r000016"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}




Retrieve the status of detection alert migrations Deprecated

GET /api/detection_engine/signals/migration_status

Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.

Query parameters

  • from string(date-math) Required

    Maximum age of qualifying detection alerts

Responses

GET /api/detection_engine/signals/migration_status
curl \
 --request GET https://localhost:5601/api/detection_engine/signals/migration_status?from=now-30d
Response examples (200)
{
  "indices": [
    {
      "index": ".siem-signals-default-000002",
      "version": 15,
      "migrations": [
        {
          "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
          "status": "pending",
          "updated": "2021-01-06T20:41:37.173Z",
          "version": 16
        }
      ],
      "is_outdated": true,
      "signal_versions": [
        {
          "count": 100,
          "version": 15
        },
        {
          "count": 87,
          "version": 16
        }
      ]
    },
    {
      "index": ".siem-signals-default-000003",
      "version": 16,
      "migrations": [],
      "is_outdated": false,
      "signal_versions": [
        {
          "count": 54,
          "version": 16
        }
      ]
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}

Find and/or aggregate detection alerts

POST /api/detection_engine/signals/search

Find and/or aggregate detection alerts that match the given query.

application/json

Body Required

Search and/or aggregation query

Responses

POST /api/detection_engine/signals/search
curl \
 --request POST https://localhost:5601/api/detection_engine/signals/search \
 --header "Content-Type: application/json" \
 --data '{"aggs":{"missingFields":{"missing":{"field":"host.name"}},"alertsByGrouping":{"terms":{"size":10,"field":"host.name"}}},"size":0,"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"should":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{}}'
Request example
{
  "aggs": {
    "missingFields": {
      "missing": {
        "field": "host.name"
      }
    },
    "alertsByGrouping": {
      "terms": {
        "size": 10,
        "field": "host.name"
      }
    }
  },
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_phrase": {
                  "kibana.alert.workflow_status": "open"
                }
              }
            ],
            "should": [],
            "must_not": [
              {
                "exists": {
                  "field": "kibana.alert.building_block_type"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2025-01-17T08:00:00.000Z",
              "lte": "2025-01-18T07:59:59.999Z"
            }
          }
        }
      ]
    }
  },
  "runtime_mappings": {}
}
Response examples (200)
{
  "hits": {
    "hits": [],
    "total": {
      "value": 5,
      "relation": "eq"
    },
    "max_score": null
  },
  "took": 0,
  "_shards": {
    "total": 1,
    "failed": 0,
    "skipped": 0,
    "successful": 1
  },
  "timed_out": false,
  "aggregations": {
    "missingFields": {
      "doc_count": 0
    },
    "alertsByGrouping": {
      "buckets": [
        {
          "key": "Host-f43kkddfyc",
          "doc_count": 5
        }
      ],
      "sum_other_doc_count": 0,
      "doc_count_error_upper_bound": 0
    }
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}

Set a detection alert status

POST /api/detection_engine/signals/status

Set the status of one or more detection alerts.

application/json

Body object Required

An object containing desired status and explicit alert ids or a query to select alerts

One of:
  • signal_ids array[string(nonempty)] Required

    List of alert ids.

    At least 1 element. Minimum length of each is 1.

  • status string Required

    The status of an alert, which can be open, acknowledged, in-progress, or closed.

    Values are open, closed, acknowledged, or in-progress.

Responses

POST /api/detection_engine/signals/status
curl \
 --request POST https://localhost:5601/api/detection_engine/signals/status \
 --header "Content-Type: application/json" \
 --data '{"status":"closed","signal_ids":["80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"]}'
Request examples
{
  "status": "closed",
  "signal_ids": [
    "80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1"
  ]
}
{
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "range": null,
          "@timestamp": {
            "gte": "2024-10-23T07:00:00.000Z",
            "lte": "2025-01-21T20:12:11.704Z",
            "format": "strict_date_optional_time"
          }
        },
        {
          "bool": {
            "filter": {
              "bool": {
                "must": [],
                "filter": [
                  {
                    "match_phrase": {
                      "kibana.alert.workflow_status": "open"
                    }
                  },
                  {
                    "range": null,
                    "@timestamp": {
                      "gte": "2024-10-23T07:00:00.000Z",
                      "lte": "2025-01-21T20:12:11.704Z",
                      "format": "strict_date_optional_time"
                    }
                  }
                ],
                "should": [],
                "must_not": [
                  {
                    "exists": {
                      "field": "kibana.alert.building_block_type"
                    }
                  }
                ]
              }
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  },
  "status": "closed",
  "conflicts": "proceed"
}
Response examples (200)
{
  "took": 81,
  "noops": 0,
  "total": 1,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 1,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}
{
  "took": 100,
  "noops": 0,
  "total": 17,
  "batches": 1,
  "deleted": 0,
  "retries": {
    "bulk": 0,
    "search": 0
  },
  "updated": 17,
  "failures": [],
  "timed_out": false,
  "throttled_millis": 0,
  "version_conflicts": 0,
  "requests_per_second": -1,
  "throttled_until_millis": 0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}









Create an endpoint exception list

POST /api/endpoint_list

Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.

Responses

  • 200 application/json

    Successful response

    One of:
    Hide attributes Show attributes
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • id string(nonempty) Required

      Exception list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the list container.

      Additional properties are allowed.

    • name string Required

      The name of the exception list.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows.

    • tags array[string]

      String array containing words and phrases to help categorize exception containers.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      The type of exception list to be created. Different list types may denote where they can be utilized.

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version, automatically increasd on updates.

      Minimum value is 1.

  • 400 application/json

    Invalid input data

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
POST /api/endpoint_list
curl \
 --request POST https://localhost:5601/api/endpoint_list
Response examples (200)
{
  "_version": "string",
  "created_at": "2025-05-04T09:42:00+00:00",
  "created_by": "string",
  "description": "This list tracks allowlisted values.",
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "immutable": true,
  "list_id": "simple_list",
  "meta": {},
  "name": "My exception list",
  "namespace_type": "agnostic",
  "os_types": [
    "linux"
  ],
  "tags": [
    "string"
  ],
  "tie_breaker_id": "string",
  "type": "detection",
  "updated_at": "2025-05-04T09:42:00+00:00",
  "updated_by": "string",
  "version": 42
}
{}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}
















Get endpoint exception list items

GET /api/endpoint_list/items/_find

Get a list of all endpoint exception list items.

Query parameters

  • filter string(nonempty)

    Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax.

    Minimum length is 1.

  • page integer

    The page number to return

    Minimum value is 0.

  • per_page integer

    The number of exception list items to return per page

    Minimum value is 0.

  • sort_field string(nonempty)

    Determines which field is used to sort the results

    Minimum length is 1.

  • Determines the sort order, which can be desc or asc

    Values are desc or asc.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • data array[object] Required
      Hide data attributes Show data attributes object
      • _version string

        The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

      • comments array[object] Required

        Array of comment fields:

        • comment (string): Comments about the exception item.
        Hide comments attributes Show comments attributes object
        • comment string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • created_at string(date-time) Required

          Autogenerated date of object creation.

        • created_by string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • id string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • updated_at string(date-time)

          Autogenerated date of last object update.

        • updated_by string(nonempty)

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string Required

        Autogenerated value - user that created object.

      • description string Required

        Describes the exception list.

      • entries array[object] Required
        Any of:
        Hide attributes Show attributes
        • field string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

        • operator string Required

          Values are excluded or included.

        • type string Required Discriminator

          Value is match.

        • value string(nonempty) Required

          A string that does not contain only whitespace characters

          Minimum length is 1.

      • expire_time string(date-time)

        The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

      • id string(nonempty) Required

        Exception's identifier.

        Minimum length is 1.

      • item_id string(nonempty) Required

        Human readable string identifier, e.g. trusted-linux-processes

        Minimum length is 1.

      • list_id string(nonempty) Required

        Exception list's human readable string identifier, e.g. trusted-linux-processes.

        Minimum length is 1.

      • meta object

        Additional properties are allowed.

      • name string(nonempty) Required

        Exception list name.

        Minimum length is 1.

      • namespace_type string Required

        Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

        • single: Only available in the Kibana space in which it is created.
        • agnostic: Available in all Kibana spaces.

        Values are agnostic or single.

      • os_types array[string]

        Use this field to specify the operating system.

        Values are linux, macos, or windows.

      • tags array[string(nonempty)]

        String array containing words and phrases to help categorize exception items.

        Minimum length of each is 1.

      • tie_breaker_id string Required

        Field used in search to ensure all containers are sorted and returned correctly.

      • type string Required

        Value is simple.

      • updated_at string(date-time) Required

        Autogenerated date of last object update.

      • updated_by string Required

        Autogenerated value - user that last updated object.

    • page integer Required

      Minimum value is 0.

    • per_page integer Required

      Minimum value is 0.

    • pit string
    • total integer Required

      Minimum value is 0.

  • 400 application/json

    Invalid input data

    One of:
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication

    Hide response attributes Show response attributes object
  • 403 application/json

    Insufficient privileges

    Hide response attributes Show response attributes object
  • 404 application/json

    Endpoint list not found

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error

    Hide response attributes Show response attributes object
GET /api/endpoint_list/items/_find
curl \
 --request GET https://localhost:5601/api/endpoint_list/items/_find
Response examples (200)
{
  "data": [
    {
      "_version": "string",
      "comments": [
        {
          "comment": "string",
          "created_at": "2025-05-04T09:42:00+00:00",
          "created_by": "string",
          "id": "string",
          "updated_at": "2025-05-04T09:42:00+00:00",
          "updated_by": "string"
        }
      ],
      "created_at": "2025-05-04T09:42:00+00:00",
      "created_by": "string",
      "description": "string",
      "entries": [
        {
          "field": "string",
          "operator": "excluded",
          "type": "match",
          "value": "string"
        }
      ],
      "expire_time": "2025-05-04T09:42:00+00:00",
      "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
      "item_id": "simple_list_item",
      "list_id": "simple_list",
      "meta": {},
      "name": "string",
      "namespace_type": "agnostic",
      "os_types": [
        "linux"
      ],
      "tags": [
        "string"
      ],
      "tie_breaker_id": "string",
      "type": "simple",
      "updated_at": "2025-05-04T09:42:00+00:00",
      "updated_by": "string"
    }
  ],
  "page": 42,
  "per_page": 42,
  "pit": "string",
  "total": 42
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
{
  "message": "string",
  "status_code": 42
}
Response examples (401)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42
}
Response examples (404)
{
  "message": "string",
  "status_code": 42
}
Response examples (500)
{
  "message": "string",
  "status_code": 42
}









































Run a script

POST /api/endpoint/action/runscript

Run a shell command on an endpoint.

application/json

Body Required

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

POST /api/endpoint/action/runscript
curl \
 --request POST https://localhost:5601/api/endpoint/action/runscript \
 --header "Content-Type: application/json" \
 --data '{"parameters":{"commandLine":"string","raw":"string","timeout":42}}'
Request examples
{
  "parameters": {
    "commandLine": "string",
    "raw": "string",
    "timeout": 42
  }
}
Response examples (200)
{}

Scan a file or directory

POST /api/endpoint/action/scan

Scan a specific file or directory on an endpoint for malware.

application/json

Body Required

  • The host agent type (optional). Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Additional properties are allowed.

    Hide parameters attribute Show parameters attribute object

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

POST /api/endpoint/action/scan
curl \
 --request POST https://localhost:5601/api/endpoint/action/scan \
 --header "Content-Type: application/json" \
 --data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{"path":"string"}}'
Request examples
{
  "agent_type": "endpoint",
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "string"
  ],
  "comment": "string",
  "endpoint_ids": [
    "string"
  ],
  "parameters": {
    "path": "string"
  }
}
Response examples (200)
{}












Upload a file

POST /api/endpoint/action/upload

Upload a file to an endpoint.

application/json

Body Required

  • The host agent type (optional). Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Additional properties are allowed.

    Hide parameters attribute Show parameters attribute object
  • file string(binary) Required

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

POST /api/endpoint/action/upload
curl \
 --request POST https://localhost:5601/api/endpoint/action/upload \
 --header "Content-Type: application/json" \
 --data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{"overwrite":false},"file":"@file"}'
Request examples
{
  "agent_type": "endpoint",
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "string"
  ],
  "comment": "string",
  "endpoint_ids": [
    "string"
  ],
  "parameters": {
    "overwrite": false
  },
  "file": "@file"
}
Response examples (200)
{}

Get a metadata list

GET /api/endpoint/metadata

Query parameters

  • query object Required

    Additional properties are allowed.

    Hide query attributes Show query attributes object
    • hostStatuses array[string] Required

      Values are healthy, offline, updating, inactive, or unenrolled.

    • kuery string | null
    • page integer

      Page number

      Minimum value is 0. Default value is 0.

    • pageSize integer

      Number of items per page

      Minimum value is 1, maximum value is 10000. Default value is 10.

    • sortDirection string | null

      Values are asc or desc.

    • Values are enrolled_at, metadata.host.hostname, host_status, metadata.Endpoint.policy.applied.name, metadata.Endpoint.policy.applied.status, metadata.host.os.name, metadata.host.ip, metadata.agent.version, or last_checkin.

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

GET /api/endpoint/metadata
curl \
 --request GET https://localhost:5601/api/endpoint/metadata?query=%7B%7D
Response examples (200)
{}

Get metadata

GET /api/endpoint/metadata/{id}

Path parameters

  • id string Required

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

GET /api/endpoint/metadata/{id}
curl \
 --request GET https://localhost:5601/api/endpoint/metadata/{id}
Response examples (200)
{}

Get a policy response

GET /api/endpoint/policy_response

Query parameters

  • query object Required

    Additional properties are allowed.

    Hide query attribute Show query attribute object

Responses

  • 200 application/json

    OK

    Additional properties are allowed.

GET /api/endpoint/policy_response
curl \
 --request GET https://localhost:5601/api/endpoint/policy_response?query=%7B%7D
Response examples (200)
{}








Security entity analytics