Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
The API accepts 2 different authentication methods:
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Basic auth tokens are constructed with the Basic
keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a :
colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
The identifier for the rule.
curl \
--request GET https://localhost:5601/api/alerting/rule/{id}
{
"actions": [
{
"alerts_filter": {
"query": {
"dsl": "string",
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {},
"query": {}
}
],
"kql": "string"
},
"timeframe": {
"days": [
1
],
"hours": {
"end": "string",
"start": "string"
},
"timezone": "string"
}
},
"connector_type_id": "string",
"frequency": {
"notify_when": "onActionGroupChange",
"summary": true,
"throttle": "string"
},
"group": "string",
"id": "string",
"params": {},
"use_alert_data_for_template": true,
"uuid": "string"
}
],
"active_snoozes": [
"string"
],
"alert_delay": {
"active": 42.0
},
"api_key_created_by_user": true,
"api_key_owner": "string",
"consumer": "string",
"created_at": "string",
"created_by": "string",
"enabled": true,
"execution_status": {
"error": {
"message": "string",
"reason": "read"
},
"last_duration": 42.0,
"last_execution_date": "string",
"status": "ok",
"warning": {
"message": "string",
"reason": "maxExecutableActions"
}
},
"flapping": {
"look_back_window": 42.0,
"status_change_threshold": 42.0
},
"id": "string",
"is_snoozed_until": "string",
"last_run": {
"alerts_count": {
"active": 42.0,
"ignored": 42.0,
"new": 42.0,
"recovered": 42.0
},
"outcome": "succeeded",
"outcome_msg": [
"string"
],
"outcome_order": 42.0,
"warning": "read"
},
"mapped_params": {},
"monitoring": {
"run": {
"calculated_metrics": {
"p50": 42.0,
"p95": 42.0,
"p99": 42.0,
"success_ratio": 42.0
},
"history": [
{
"duration": 42.0,
"outcome": "succeeded",
"success": true,
"timestamp": 42.0
}
],
"last_run": {
"metrics": {
"duration": 42.0,
"gap_duration_s": 42.0,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_alerts_created": 42.0,
"total_alerts_detected": 42.0,
"total_indexing_duration_ms": 42.0,
"total_search_duration_ms": 42.0
},
"timestamp": "string"
}
}
},
"mute_all": true,
"muted_alert_ids": [
"string"
],
"name": "string",
"next_run": "string",
"notify_when": "onActionGroupChange",
"params": {},
"revision": 42.0,
"rule_type_id": "string",
"running": true,
"schedule": {
"interval": "string"
},
"scheduled_task_id": "string",
"snooze_schedule": [
{
"duration": 42.0,
"id": "string",
"rRule": {
"byhour": [
42.0
],
"byminute": [
42.0
],
"bymonth": [
42.0
],
"bymonthday": [
42.0
],
"bysecond": [
42.0
],
"bysetpos": [
42.0
],
"byweekday": [
"string"
],
"byweekno": [
42.0
],
"byyearday": [
42.0
],
"count": 42.0,
"dtstart": "string",
"freq": 0,
"interval": 42.0,
"tzid": "string",
"until": "string",
"wkst": "MO"
},
"skipRecurrences": [
"string"
]
}
],
"tags": [
"string"
],
"throttle": "string",
"updated_at": "string",
"updated_by": "string",
"view_in_app_relative_url": "string"
}
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_mute_all \
--header "kbn-xsrf: true"
The version of the API to use
Value is 2023-10-31
. Default value is 2023-10-31
.
Service name
Service environment
curl \
--request GET https://localhost:5601/api/apm/settings/agent-configuration/view \
--header "elastic-api-version: 2023-10-31"
{
"id": "string",
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414
{
"id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzM2LDFd",
"category": null,
"comments": [
{
"id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-13T15:40:32.335Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T15:40:32.335Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
{
"id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
"tags": [
"observability",
"tag 1"
],
"owner": "observability",
"title": "Observability case title 1",
"status": "in-progress",
"version": "WzI0NywyXQ==",
"category": null,
"comments": [
{
"id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
"rule": {
"id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
"name": "Observability rule"
},
"type": "alert",
"index": [
".internal.alerts-observability.logs.alerts-default-000001"
],
"owner": "observability",
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"version": "WzY3LDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
},
{
"id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
"type": "user",
"owner": "observability",
"comment": "The first comment.",
"version": "WzcyLDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:57.812Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-11-06T19:29:04.086Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": "2023-11-06T19:47:55.662Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "An Observability case description.",
"totalAlerts": 1,
"customFields": [],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Attach a file to a case. You must have all
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
Content-Type: multipart/form-data
HTTP header.The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
curl \
--request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: string" \
--form "file=@file" \
--form "filename=string"
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Aggregates and returns a list of case tags. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
curl \
--request GET https://localhost:5601/api/cases/tags
[
"observability",
"security",
"tag 1",
"tag 2"
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
The name of the runtime field.
An identifier for the data view.
The runtime field definition object.
You can update following fields:
type
script
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day \
--header "Content-Type: application/json" \
--data '{"runtimeField":{"script":{"source":"emit(doc[\"bar\"].value)"}}}'
{
"runtimeField": {
"script": {
"source": "emit(doc[\"bar\"].value)"
}
}
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
[Required authorization] Route required privileges: ALL of [fleet-settings-all].
curl \
--request POST https://localhost:5601/api/fleet/agent_download_sources \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"host": "https://example.com",
"id": "string",
"is_default": false,
"name": "string",
"proxy_id": "string"
}
{
"item": {
"host": "https://example.com",
"id": "string",
"is_default": false,
"name": "string",
"proxy_id": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Copy an agent policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].
Values are simplified
or legacy
.
Minimum length is 1
.
curl \
--request POST https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/copy \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"description":"string","name":"string"}'
# Headers
kbn-xsrf: true
# Payload
{
"description": "string",
"name": "string"
}
{
"item": {
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
curl \
--request GET https://localhost:5601/api/fleet/agents/{agentId}/uploads
{
"items": [
{
"actionId": "string",
"createTime": "string",
"error": "string",
"filePath": "string",
"id": "string",
"name": "string",
"status": "READY"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [integrations-all, fleet-agent-policies-all].
curl \
--request DELETE https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
--header "kbn-xsrf: true"
{
"items": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Values are simplified
or legacy
.
curl \
--request GET https://localhost:5601/api/fleet/package_policies/{packagePolicyId}
{
"item": {
"agents": 42.0,
"created_at": "string",
"created_by": "string",
"description": "string",
"elasticsearch": {
"privileges": {
"cluster": [
"string"
]
}
},
"enabled": true,
"id": "string",
"inputs": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"policy_template": "string",
"streams": [
{
"config": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"data_stream": {
"dataset": "string",
"elasticsearch": {
"dynamic_dataset": true,
"dynamic_namespace": true,
"privileges": {
"indices": [
"string"
]
}
},
"type": "string"
},
"enabled": true,
"id": "string",
"keep_enabled": true,
"release": "ga",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"type": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
}
}
],
"is_managed": true,
"name": "string",
"namespace": "string",
"output_id": "string",
"overrides": {
"inputs": {}
},
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"revision": 42.0,
"secret_references": [
{
"id": "string"
}
],
"spaceIds": [
"string"
],
"supports_agentless": false,
"updated_at": "string",
"updated_by": "string",
"vars": {
"additionalProperty1": {
"frozen": true,
"type": "string"
},
"additionalProperty2": {
"frozen": true,
"type": "string"
}
},
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"message": "string"
}
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all, integrations-all].
curl \
--request POST https://localhost:5601/api/fleet/package_policies/delete \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"packagePolicyIds":["string"]}'
# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"packagePolicyIds": [
"string"
]
}
[
{
"body": {
"message": "string"
},
"id": "string",
"name": "string",
"output_id": "string",
"package": {
"experimental_data_stream_features": [
{
"data_stream": "string",
"features": {
"doc_value_only_numeric": true,
"doc_value_only_other": true,
"synthetic_source": true,
"tsdb": true
}
}
],
"name": "string",
"requires_root": true,
"title": "string",
"version": "string"
},
"policy_id": "string",
"policy_ids": [
"string"
],
"statusCode": 42.0,
"success": true
}
]
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
[Required authorization] Route required privileges: ALL of [fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/proxies
{
"items": [
{
"certificate": "string",
"certificate_authorities": "string",
"certificate_key": "string",
"id": "string",
"is_preconfigured": false,
"name": "string",
"proxy_headers": {},
"url": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.
The role name.
Minimum length is 1
, maximum length is 1024
.
When true, a role is not overwritten if it already exists.
Default value is false
.
A description for the role.
Maximum length is 2048
.
Additional properties are NOT allowed.
Additional properties are allowed.
curl \
--request PUT https://localhost:5601/api/security/role/{name} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"kibana":[{"base":[],"spaces":["default"],"feature":{"discover":["all"],"dashboard":["all"]}},{"base":["read"],"spaces":["marketing","sales"]}],"metadata":{"version":1},"description":"Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.","elasticsearch":{"cluster":[],"indices":[]}}'
{
"kibana": [
{
"base": [],
"spaces": [
"default"
],
"feature": {
"discover": [
"all"
],
"dashboard": [
"all"
]
}
},
{
"base": [
"read"
],
"spaces": [
"marketing",
"sales"
]
}
],
"metadata": {
"version": 1
},
"description": "Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces.",
"elasticsearch": {
"cluster": [],
"indices": []
}
}
{
"kibana": [
{
"base": [],
"spaces": [
"marketing"
],
"feature": {
"dashboard": [
"read"
]
}
}
],
"metadata": {
"version": 1
},
"description": "Grant dashboard access in the Marketing space.",
"elasticsearch": {
"cluster": [],
"indices": []
}
}
{
"kibana": [
{
"base": [
"all"
],
"spaces": [
"default"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"elasticsearch": {
"cluster": [],
"indices": []
}
}
{
"kibana": [
{
"base": [
"all"
],
"spaces": [
"default"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"description": "Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space.",
"elasticsearch": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"privileges": [
"all"
]
}
],
"remote_cluster": [
{
"clusters": [
"remote_cluster1"
],
"privileges": [
"monitor_enrich"
]
}
],
"remote_indices": [
{
"names": [
"remote_index1",
"remote_index2"
],
"clusters": [
"remote_cluster1"
],
"privileges": [
"all"
]
}
]
}
}
WARNING: When you delete a saved object, it cannot be recovered.
When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation.
curl \
--request POST https://localhost:5601/api/saved_objects/_bulk_delete \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
# Headers
kbn-xsrf: string
# Payload
[
{}
]
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Update the attributes for multiple Kibana saved objects.
curl \
--request POST https://localhost:5601/api/saved_objects/_bulk_update \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
# Headers
kbn-xsrf: string
# Payload
[
{}
]
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Update the attributes for Kibana saved objects.
An identifier for the saved object.
Valid options include visualization
, dashboard
, search
, index-pattern
, config
.
curl \
--request PUT https://localhost:5601/api/saved_objects/{type}/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string"
# Headers
kbn-xsrf: string
# Payload
{}
{}
{}
{}
Get a list of all anonymization fields.
Search query
Field to sort by
Values are created_at
, anonymized
, allowed
, field
, or updated_at
.
Sort order
Values are asc
or desc
.
Page number
Minimum value is 1
. Default value is 1
.
AnonymizationFields per page
Minimum value is 0
. Default value is 20
.
curl \
--request GET https://localhost:5601/api/security_ai_assistant/anonymization_fields/_find
{
"data": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
],
"page": 42,
"perPage": 42,
"total": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Retrieve the status of all Elastic prebuilt detection rules and Timelines.
curl \
--request GET https://localhost:5601/api/detection_engine/rules/prepackaged/_status
{
"rules_custom_installed": 42,
"rules_installed": 42,
"rules_not_installed": 42,
"rules_not_updated": 42,
"timelines_installed": 42,
"timelines_not_installed": 42,
"timelines_not_updated": 42
}
Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.
curl \
--request POST https://localhost:5601/api/endpoint_list
{
"_version": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"description": "This list tracks allowlisted values.",
"id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
"immutable": true,
"list_id": "simple_list",
"meta": {},
"name": "My exception list",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "detection",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string",
"version": 42
}
{}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
Create an endpoint exception list item, and associate it with the endpoint exception list.
Exception list item's properties
Array of comment fields:
Describes the exception list.
Human readable string identifier, e.g. trusted-linux-processes
Minimum length is 1
.
Additional properties are allowed.
Exception list name.
Minimum length is 1
.
Use this field to specify the operating system.
Values are linux
, macos
, or windows
.
Value is simple
.
curl \
--request POST https://localhost:5601/api/endpoint_list/items \
--header "Content-Type: application/json" \
--data '{"comments":[{"comment":"string","created_at":"2025-05-04T09:42:00+00:00","created_by":"string","id":"string","updated_at":"2025-05-04T09:42:00+00:00","updated_by":"string"}],"description":"string","entries":[{"field":"string","operator":"excluded","type":"match","value":"string"}],"item_id":"simple_list_item","meta":{},"name":"string","os_types":["linux"],"tags":["string"],"type":"simple"}'
{
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"item_id": "simple_list_item",
"meta": {},
"name": "string",
"os_types": [
"linux"
],
"tags": [
"string"
],
"type": "simple"
}
{
"_version": "string",
"comments": [
{
"comment": "string",
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"id": "string",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
],
"created_at": "2025-05-04T09:42:00+00:00",
"created_by": "string",
"description": "string",
"entries": [
{
"field": "string",
"operator": "excluded",
"type": "match",
"value": "string"
}
],
"expire_time": "2025-05-04T09:42:00+00:00",
"id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
"item_id": "simple_list_item",
"list_id": "simple_list",
"meta": {},
"name": "string",
"namespace_type": "agnostic",
"os_types": [
"linux"
],
"tags": [
"string"
],
"tie_breaker_id": "string",
"type": "simple",
"updated_at": "2025-05-04T09:42:00+00:00",
"updated_by": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"error": "string",
"message": "string",
"statusCode": 42
}
{
"message": "string",
"status_code": 42
}
{
"message": "string",
"status_code": 42
}
The host agent type (optional). Defaults to endpoint.
Values are endpoint
, sentinel_one
, crowdstrike
, or microsoft_defender_endpoint
.
A list of alerts id
s.
At least 1
element. Minimum length of each is 1
.
Case IDs to be updated (cannot contain empty strings)
At least 1
element. Minimum length of each is 1
.
Optional comment
List of endpoint IDs (cannot contain empty strings)
At least 1
element. Minimum length of each is 1
.
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/endpoint/action/get_file \
--header "Content-Type: application/json" \
--data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{"path":"string"}}'
{
"agent_type": "endpoint",
"alert_ids": [
"string"
],
"case_ids": [
"string"
],
"comment": "string",
"endpoint_ids": [
"string"
],
"parameters": {
"path": "string"
}
}
{}
Isolate an endpoint from the network. The endpoint remains isolated until it's released.
The host agent type (optional). Defaults to endpoint.
Values are endpoint
, sentinel_one
, crowdstrike
, or microsoft_defender_endpoint
.
A list of alerts id
s.
At least 1
element. Minimum length of each is 1
.
Case IDs to be updated (cannot contain empty strings)
At least 1
element. Minimum length of each is 1
.
Optional comment
List of endpoint IDs (cannot contain empty strings)
At least 1
element. Minimum length of each is 1
.
Optional parameters object
Additional properties are allowed.
curl \
--request POST https://localhost:5601/api/endpoint/action/isolate \
--header "Content-Type: application/json" \
--data '{"agent_type":"endpoint","alert_ids":["string"],"case_ids":["string"],"comment":"string","endpoint_ids":["string"],"parameters":{}}'
{
"agent_type": "endpoint",
"alert_ids": [
"string"
],
"case_ids": [
"string"
],
"comment": "string",
"endpoint_ids": [
"string"
],
"parameters": {}
}
{}
Get the asset criticality record for a specific entity.
The ID value of the asset.
The field representing the ID.
Values are host.name
, user.name
, service.name
, or related.entity
.
curl \
--request GET https://localhost:5601/api/asset_criticality?id_value=my_host&id_field=host.name
{
"host": {
"name": "my_host",
"asset": {
"criticality": "high_impact"
}
},
"asset": {
"criticality": "high_impact"
},
"id_field": "host.name",
"id_value": "my_host",
"@timestamp": "2024-08-02T11:15:34.290Z",
"criticality_level": "high_impact"
}
The entity type of the engine (either 'user' or 'host').
Values are user
, host
, service
, or universal
.
Schema for the engine initialization
The delay before the transform will run.
Format should match the following pattern: [smdh]$
. Default value is 1m
.
The number of documents per second to process.
Interval in which enrich policy runs. For example, "1h"
means the rule runs every hour.
Format should match the following pattern: ^[1-9]\d*[smh]$
.
The number of historical values to keep for each field.
Default value is 10
.
The frequency at which the transform will run.
Format should match the following pattern: [smdh]$
. Default value is 1m
.
The amount of time the transform looks back to calculate the aggregations.
Format should match the following pattern: [smdh]$
. Default value is 24h
.
The timeout for initializing the aggregating transform.
Format should match the following pattern: [smdh]$
. Default value is 180s
.
The field to use as the timestamp for the entity type.
Default value is @timestamp
.
curl \
--request POST https://localhost:5601/api/entity_store/engines/{entityType}/init \
--header "Content-Type: application/json" \
--data '{"delay":"1m","docsPerSecond":42,"enrichPolicyExecutionInterval":"1h","fieldHistoryLength":10,"filter":"string","frequency":"1m","indexPattern":"string","lookbackPeriod":"24h","timeout":"180s","timestampField":"@timestamp"}'
{
"delay": "1m",
"docsPerSecond": 42,
"enrichPolicyExecutionInterval": "1h",
"fieldHistoryLength": 10,
"filter": "string",
"frequency": "1m",
"indexPattern": "string",
"lookbackPeriod": "24h",
"timeout": "180s",
"timestampField": "@timestamp"
}
{
"delay": "1m",
"docsPerSecond": 42,
"error": {},
"fieldHistoryLength": 42,
"filter": "string",
"frequency": "1m",
"indexPattern": "string",
"lookbackPeriod": "24h",
"status": "installing",
"timeout": "180s",
"timestampField": "string",
"type": "user"
}
List entities records, paging, sorting and filtering as needed.
Values are asc
or desc
.
Minimum value is 1
.
Minimum value is 1
, maximum value is 10000
.
An ES query to filter by.
Values are user
, host
, service
, or universal
.
curl \
--request GET https://localhost:5601/api/entity_store/entities/list?entity_types=user
{
"inspect": {
"dsl": [
"string"
],
"response": [
"string"
]
},
"page": 42,
"per_page": 42,
"records": [
{
"@timestamp": "2025-05-04T09:42:00+00:00",
"asset": {
"criticality": "low_impact"
},
"entity": {
"name": "string",
"source": "string"
},
"event": {
"ingested": "2025-05-04T09:42:00+00:00"
},
"user": {
"domain": [
"string"
],
"email": [
"string"
],
"full_name": [
"string"
],
"hash": [
"string"
],
"id": [
"string"
],
"name": "string",
"risk": {
"@timestamp": "2017-07-21T17:32:28Z",
"calculated_level": "Critical",
"calculated_score": 42.0,
"calculated_score_norm": 42.0,
"category_1_count": 42.0,
"category_1_score": 42.0,
"category_2_count": 42.0,
"category_2_score": 42.0,
"criticality_level": "low_impact",
"criticality_modifier": 42.0,
"id_field": "host.name",
"id_value": "example.host",
"inputs": [
{
"category": "category_1",
"contribution_score": 42.0,
"description": "Generated from Detection Engine Rule: Malware Prevention Alert",
"id": "91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c",
"index": ".internal.alerts-security.alerts-default-000001",
"risk_score": 42.0,
"timestamp": "2017-07-21T17:32:28Z"
}
],
"notes": [
"string"
]
},
"roles": [
"string"
]
}
}
],
"total": 42
}
Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.
Exceptions are made up of:
true
, the rule does not generate an alert.For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
You cannot use lists with endpoint rule exceptions.
Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.
Before you can start working with exceptions that use value lists, you must create the .lists
and .items
data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to Enable and access detections.
Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes.
You can import items to a new or existing list.
List's id.
Required when importing to an existing list.
Minimum length is 1
.
Type of the importing list.
Required when importing a new list whose list id
is not specified.
Values are binary
, boolean
, byte
, date
, date_nanos
, date_range
, double
, double_range
, float
, float_range
, geo_point
, geo_shape
, half_float
, integer
, integer_range
, ip
, ip_range
, keyword
, long
, long_range
, shape
, short
, or text
.
Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
(?<value>.+)
- Single value item types, such as ip, long, date, keyword, and text.(?<gte>.+)-(?<lte>.+)|(?<value>.+)
- Range value item types, such as date_range
, ip_range
, double_range
, float_range
, integer_range
, and long_range
.Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
{{{value}}}
- Single value item types, such as ip
, long
, date
, keyword
, and text
.{{{gte}}}-{{{lte}}}
- Range value item types, such as ip_range
, double_range
, float_range
, integer_range
, and long_range
.{{{gte}}},{{{lte}}}
- Date range values.Determines when changes made by the request are made visible to search.
Values are true
, false
, or wait_for
.
Successful response
Invalid input data response
Unsuccessful authentication response
Not enough privileges response
List with specified list_id does not exist response
Internal server error response
curl \
--request POST https://localhost:5601/api/lists/items/_import \
--header "Content-Type: multipart/form-data" \
--form "file=127.0.0.1
127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
127.0.0.7
127.0.0.8
127.0.0.9
"
{
"id": "ip_list",
"name": "Simple list with an ip",
"type": "ip",
"version": 1,
"_version": "WzAsMV0=",
"immutable": false,
"@timestamp": "2025-01-08T04:47:34.273Z",
"created_at": "2025-01-08T04:47:34.273Z",
"created_by": "elastic",
"updated_at": "2025-01-08T04:47:34.273Z",
"updated_by": "elastic",
"description": "This list describes bad internet ip",
"tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}
{
"message": "Either type or list_id need to be defined in the query",
"status_code": 400
}
{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}
{
"error": "Forbidden",
"message": "API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
"statusCode": 403
}
{
"message": "string",
"status_code": 42
}
{
"message": "Internal Server Error",
"status_code": 500
}
Run live queries, manage packs and saved queries.