Create a case

POST /api/cases

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body Required

assignees array[object] | null

An array containing users that are assigned to the case.

Not more than 10 elements.
Hide assignees attribute Show assignees attribute object
- uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
category string

A word or phrase that categorizes the case.

Maximum length is 50.
connector object Required
One of:
Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
Defines properties for connectors when type is .none.
Hide attributes Show attributes

fields string | null Required

An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

id string Required

The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

name string Required

The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

type string Required

The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

Value is .none.
Defines properties for connectors when type is .cases-webhook.
Hide attributes Show attributes

fields string | null Required

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .cases-webhook.
Defines properties for connectors when type is .jira.
Hide attributes Show attributes

fields object Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attributes Show fields attributes object

issueType string | null Required

The type of issue.

parent string | null Required

The key of the parent issue, when the issue type is sub-task.

priority string | null Required

The priority of the issue.

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .jira.
Defines properties for connectors when type is .resilient.
Hide attributes Show attributes

fields object | null Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attributes Show fields attributes object | null

issueTypes array[string] Required

The type of incident.

severityCode string Required

The severity code of the incident.

id string Required

The identifier for the connector.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .resilient.
Defines properties for connectors when type is .servicenow.
Hide attributes Show attributes

fields object Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attributes Show fields attributes object

category string | null Required

The category of the incident.

impact string | null Required

The effect an incident had on business.

severity string | null Required

The severity of the incident.

subcategory string | null Required

The subcategory of the incident.

urgency string | null Required

The extent to which the incident resolution can be delayed.

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .servicenow.
Defines properties for connectors when type is .servicenow-sir.
Hide attributes Show attributes

fields object Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attributes Show fields attributes object

category string | null Required

The category of the incident.

destIp boolean | null Required

Indicates whether cases will send a comma-separated list of destination IPs.

malwareHash boolean | null Required

Indicates whether cases will send a comma-separated list of malware hashes.

malwareUrl boolean | null Required

Indicates whether cases will send a comma-separated list of malware URLs.

priority string | null Required

The priority of the issue.

sourceIp boolean | null Required

Indicates whether cases will send a comma-separated list of source IPs.

subcategory string | null Required

The subcategory of the incident.

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .servicenow-sir.
Defines properties for connectors when type is .swimlane.
Hide attributes Show attributes

fields object Required

An object containing the connector fields. If you want to omit any individual field, specify null as its value.

Hide fields attribute Show fields attribute object

caseId string | null Required

The case identifier for Swimlane connectors.

id string Required

The identifier for the connector. To retrieve connector IDs, use the find connectors API.

name string Required

The name of the connector.

type string Required

The type of connector.

Value is .swimlane.
customFields array[object]

Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.

At least 0 but not more than 10 elements.
Hide customFields attributes Show customFields attributes object
- key string Required
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
- type string Required
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
- value string | null | boolean Required
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
description string Required

The description for the case.

Maximum length is 30000.
owner string Required

The application that owns the cases: Stack Management, Observability, or Elastic Security.

Values are cases, observability, or securitySolution.
settings object Required

An object that contains the case settings.
Hide settings attribute Show settings attribute object
- syncAlerts boolean Required
  
  Turns alert syncing on or off.
severity string

The severity of the case.

Values are critical, high, low, or medium. Default value is low.
tags array[string] Required

The words and phrases that help categorize cases. It can be an empty array.

Not more than 200 elements. Maximum length of each is 256.
title string Required

A title for the case.

Maximum length is 160.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
- category string | null
  
  The case category.
- closed_at string(date-time) | null Required
- closed_by object | null Required
  
  Hide closed_by attributes Show closed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- comments array[object] Required
  
  An array of comment objects for the case.
  
  Not more than 10000 elements.
  
  One of:
  Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
  
  Hide attributes Show attributes
  
  alertId array[string]
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  index array[string]
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  rule object
  
  Hide rule attributes Show rule attributes object
  
  id string
  
  The rule identifier.
  
  name string
  
  The rule name.
  
  type string Required Discriminator
  
  Value is alert.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
  
  Hide attributes Show attributes
  
  comment string
  
  created_at string(date-time)
  
  created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  id string
  
  owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
  
  pushed_at string(date-time) | null
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  type string Required Discriminator
  
  Value is user.
  
  updated_at string(date-time) | null
  
  updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
  
  version string
- connector object Required
  
  One of:
  Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object
  
  Defines properties for connectors when type is .none.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
  
  id string Required
  
  The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  name string Required
  
  The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.
  
  type string Required Discriminator
  
  The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.
  
  Value is .none.
  
  Defines properties for connectors when type is .cases-webhook.
  
  Hide attributes Show attributes
  
  fields string | null Required
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .cases-webhook.
  
  Defines properties for connectors when type is .jira.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  issueType string | null Required
  
  The type of issue.
  
  parent string | null Required
  
  The key of the parent issue, when the issue type is sub-task.
  
  priority string | null Required
  
  The priority of the issue.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .jira.
  
  Defines properties for connectors when type is .resilient.
  
  Hide attributes Show attributes
  
  fields object | null Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object | null
  
  issueTypes array[string] Required
  
  The type of incident.
  
  severityCode string Required
  
  The severity code of the incident.
  
  id string Required
  
  The identifier for the connector.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .resilient.
  
  Defines properties for connectors when type is .servicenow.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  impact string | null Required
  
  The effect an incident had on business.
  
  severity string | null Required
  
  The severity of the incident.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  urgency string | null Required
  
  The extent to which the incident resolution can be delayed.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow.
  
  Defines properties for connectors when type is .servicenow-sir.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attributes Show fields attributes object
  
  category string | null Required
  
  The category of the incident.
  
  destIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of destination IPs.
  
  malwareHash boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware hashes.
  
  malwareUrl boolean | null Required
  
  Indicates whether cases will send a comma-separated list of malware URLs.
  
  priority string | null Required
  
  The priority of the issue.
  
  sourceIp boolean | null Required
  
  Indicates whether cases will send a comma-separated list of source IPs.
  
  subcategory string | null Required
  
  The subcategory of the incident.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .servicenow-sir.
  
  Defines properties for connectors when type is .swimlane.
  
  Hide attributes Show attributes
  
  fields object Required
  
  An object containing the connector fields. If you want to omit any individual field, specify null as its value.
  
  Hide fields attribute Show fields attribute object
  
  caseId string | null Required
  
  The case identifier for Swimlane connectors.
  
  id string Required
  
  The identifier for the connector. To retrieve connector IDs, use the find connectors API.
  
  name string Required
  
  The name of the connector.
  
  type string Required Discriminator
  
  The type of connector.
  
  Value is .swimlane.
- created_at string(date-time) Required
- created_by object Required
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom field values for the case.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique identifier for the custom field. The key value must exist in the case configuration settings.
  
  type string
  
  The custom field type. It must match the type specified in the case configuration settings.
  
  Values are text or toggle.
  
  value string | null | boolean
  
  The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.
  
  One of:
  string-1 string | null boolean-2 boolean
  
  Minimum length is 1, maximum length is 160.
- description string Required
- duration integer | null Required
  
  The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
- external_service object | null Required
  
  Hide external_service attributes Show external_service attributes object | null
  
  connector_id string
  
  connector_name string
  
  external_id string
  
  external_title string
  
  external_url string
  
  pushed_at string(date-time)
  
  pushed_by object | null
  
  Hide pushed_by attributes Show pushed_by attributes object | null
  
  email string | null
  
  full_name string | null
  
  profile_uid string
  
  username string | null
- id string Required
- owner string Required
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- settings object Required
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
- severity string Required
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
- status string Required
  
  The status of the case.
  
  Values are closed, in-progress, or open.
- tags array[string] Required
- title string Required
- totalAlerts integer Required
- totalComment integer Required
- updated_at string(date-time) | null Required
- updated_by object | null Required
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string Required
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

POST /api/cases

curl \
 --request POST 'https://localhost:5601/api/cases' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'

Request example

{
  "tags": [
    "tag-1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "settings": {
    "syncAlerts": true
  },
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "description": "A case description.",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    }
  ]
}

Response examples (200)

{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "created_at": "2022-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 0,
  "external_service": null
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case settings

GET /api/cases/configure

Api key auth Basic auth

Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.

Query parameters

owner string | array[string]

A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- closure_type string
  
  Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).
  
  Values are close-by-pushing or close-by-user.
- connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
- created_at string(date-time)
- created_by object
  
  Hide created_by attributes Show created_by attributes object
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- customFields array[object]
  
  Custom fields configuration details.
  
  Hide customFields attributes Show customFields attributes object
  
  defaultValue string | boolean
  
  A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  key string
  
  A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
  
  Minimum length is 1, maximum length is 36.
  
  label string
  
  The custom field label that is displayed in the case.
  
  Minimum length is 1, maximum length is 50.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  required boolean
  
  Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.
- error string | null
- id string
- mappings array[object]
  
  Hide mappings attributes Show mappings attributes object
  
  action_type string
  
  source string
  
  target string
- owner string
  
  The application that owns the cases: Stack Management, Observability, or Elastic Security.
  
  Values are cases, observability, or securitySolution.
- templates array[object] Technical preview
  
  Hide templates attributes Show templates attributes object
  
  caseFields object
  
  Hide caseFields attributes Show caseFields attributes object
  
  assignees array[object] | null
  
  An array containing users that are assigned to the case.
  
  Not more than 10 elements.
  
  Hide assignees attribute Show assignees attribute object
  
  uid string Required
  
  A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
  
  category string
  
  A word or phrase that categorizes the case.
  
  Maximum length is 50.
  
  connector object
  
  Hide connector attributes Show connector attributes object
  
  fields object | null
  
  The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.
  
  id string
  
  The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.
  
  name string
  
  The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.
  
  type string
  
  The type of connector.
  
  Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.
  
  customFields array[object] Technical preview
  
  Custom field values in the template.
  
  Hide customFields attributes Show customFields attributes object
  
  key string
  
  The unique key for the custom field.
  
  type string
  
  The type of the custom field.
  
  Values are text or toggle.
  
  value string | boolean
  
  The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.
  
  One of:
  string-1 string boolean-2 boolean
  
  description string
  
  The description for the case.
  
  Maximum length is 30000.
  
  settings object
  
  An object that contains the case settings.
  
  Hide settings attribute Show settings attribute object
  
  syncAlerts boolean Required
  
  Turns alert syncing on or off.
  
  severity string
  
  The severity of the case.
  
  Values are critical, high, low, or medium. Default value is low.
  
  tags array[string]
  
  The words and phrases that help categorize cases. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
  
  title string
  
  A title for the case.
  
  Maximum length is 160.
  
  description string
  
  A description for the template.
  
  key string
  
  A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
  
  name string
  
  The name of the template.
  
  tags array[string]
  
  The words and phrases that help categorize templates. It can be an empty array.
  
  Not more than 200 elements. Maximum length of each is 256.
- updated_at string(date-time) | null
- updated_by object | null
  
  Hide updated_by attributes Show updated_by attributes object | null
  
  email string | null Required
  
  full_name string | null Required
  
  profile_uid string
  
  username string | null Required
- version string
401 application/json

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
- message string
- statusCode integer

GET /api/cases/configure

curl \
 --request GET 'https://localhost:5601/api/cases/configure' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "856ee650-6c82-11ee-a20a-6164169afa58",
    "error": null,
    "owner": "cases",
    "version": "WzEyLDNd",
    "mappings": [],
    "connector": {
      "id": "none",
      "name": "none",
      "type": ".none",
      "fields": null
    },
    "templates": [
      {
        "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
        "name": "template-1",
        "tags": [
          "Template tag 1"
        ],
        "caseFields": {
          "tags": [
            "Default case tag"
          ],
          "title": "Default case title",
          "category": "Default-category",
          "settings": {
            "syncAlerts": false
          },
          "assignees": [
            {
              "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
            }
          ],
          "connector": {
            "id": "none",
            "name": "none",
            "type": ".none",
            "fields": null
          },
          "description": "A default description for cases.",
          "customFields": [
            {
              "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
              "type": "text",
              "value": "Default text field value."
            }
          ]
        },
        "description": "A description of the template."
      }
    ],
    "created_at": "2024-07-01T17:07:17.767Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "updated_at": null,
    "updated_by": null,
    "closure_type": "close-by-user",
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "label": "my-text-field",
        "required": false,
        "defaultValue": "Custom text field value."
      }
    ]
  }
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get a data view

GET /api/data_views/data_view/{viewId}

Api key auth Basic auth

Path parameters

viewId string Required

An identifier for the data view.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view object
  
  Hide data_view attributes Show data_view attributes object
  
  allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
  
  fieldAttrs object
  
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
  
  fieldFormats object
  
  A map of field formats by field name.
  
  fields object
  
  id string
  
  name string
  
  The data view name.
  
  namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
  
  runtimeFieldMap object
  
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
  
  sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
  
  timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
  
  title string
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
  
  typeMeta object | null
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  
  Hide typeMeta attributes Show typeMeta attributes object | null
  
  aggs object
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object
  
  Properties for retrieving rollup fields.
  
  version string
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

GET /api/data_views/data_view/{viewId}

curl \
 --request GET 'https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data_view": {
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "sku": {
        "name": "sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "type": {
        "name": "type",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "user": {
        "name": "user",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "email": {
        "name": "email",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "category": {
        "name": "category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "currency": {
        "name": "currency",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_id": {
        "name": "order_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_date": {
        "name": "order_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_id": {
        "name": "customer_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week": {
        "name": "day_of_week",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer": {
        "name": "manufacturer",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products._id": {
        "name": "products._id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.sku": {
        "name": "products.sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week_i": {
        "name": "day_of_week_i",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "event.dataset": {
        "name": "event.dataset",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_phone": {
        "name": "customer_phone",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.location": {
        "name": "geoip.location",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.price": {
        "name": "products.price",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_quantity": {
        "name": "total_quantity",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_gender": {
        "name": "customer_gender",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.city_name": {
        "name": "geoip.city_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "category.keyword": {
        "name": "category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.region_name": {
        "name": "geoip.region_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category": {
        "name": "products.category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.quantity": {
        "name": "products.quantity",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name": {
        "name": "customer_full_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "customer_last_name": {
        "name": "customer_last_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.min_price": {
        "name": "products.min_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxful_total_price": {
        "name": "taxful_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_birth_date": {
        "name": "customer_birth_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name": {
        "name": "customer_first_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.base_price": {
        "name": "products.base_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.created_on": {
        "name": "products.created_on",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_id": {
        "name": "products.product_id",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "long"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.tax_amount": {
        "name": "products.tax_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxless_total_price": {
        "name": "taxless_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.continent_name": {
        "name": "geoip.continent_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer.keyword": {
        "name": "manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products._id.keyword": {
        "name": "products._id.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products._id"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer": {
        "name": "products.manufacturer",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.product_name": {
        "name": "products.product_name",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.taxful_price": {
        "name": "products.taxful_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_unique_products": {
        "name": "total_unique_products",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.country_iso_code": {
        "name": "geoip.country_iso_code",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.taxless_price": {
        "name": "products.taxless_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.base_unit_price": {
        "name": "products.base_unit_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_amount": {
        "name": "products.discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category.keyword": {
        "name": "products.category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name.keyword": {
        "name": "customer_full_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_full_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_last_name.keyword": {
        "name": "customer_last_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_last_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name.keyword": {
        "name": "customer_first_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_first_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_percentage": {
        "name": "products.discount_percentage",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer.keyword": {
        "name": "products.manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_name.keyword": {
        "name": "products.product_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.product_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.unit_discount_amount": {
        "name": "products.unit_discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzUsMV0=",
    "typeMeta": {},
    "fieldAttrs": {
      "products.price": {
        "count": 1
      },
      "total_quantity": {
        "count": 1
      },
      "products.manufacturer": {
        "count": 1
      },
      "products.product_name": {
        "count": 1
      }
    },
    "namespaces": [
      "default"
    ],
    "allowNoIndex": false,
    "fieldFormats": {
      "products.price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.min_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxful_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      },
      "products.base_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxless_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxful_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxless_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.base_unit_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "order_date",
    "runtimeFieldMap": {}
  }
}

Response examples (404)

{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Delete a Fleet Server host

DELETE /api/fleet/fleet_server_hosts/{itemId}

Api key auth Basic auth

Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

itemId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/fleet_server_hosts/{itemId}

curl \
 --request DELETE 'https://localhost:5601/api/fleet/fleet_server_hosts/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Response examples (200)

{
  "id": "string"
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a saved object Deprecated

POST /api/saved_objects/{type}/{id}

Api key auth Basic auth

Create a Kibana saved object and specify its identifier instead of using a randomly generated ID.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

id string Required

An identifier for the saved object.
type string Required

Valid options include visualization, dashboard, search, index-pattern, config.

Query parameters

overwrite boolean

If true, overwrites the document with the same identifier.

application/json

Body Required

attributes object Required

The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.
initialNamespaces array

Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.
references array

Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with namespaceType: 'multiple'), this option can be used to specify one or more spaces, including the "All spaces" identifier (''). For isolated object types (registered with namespaceType: 'single' or namespaceType: 'multiple-isolated'), this option can only be used to specify a single space, and the "All spaces" identifier ('') is not allowed. For global object types (registered withnamespaceType: agnostic`), this option cannot be used.

Responses

200 application/json

Indicates a successful call.
409 application/json

Indicates a conflict error.

POST /api/saved_objects/{type}/{id}

curl \
 --request POST 'https://localhost:5601/api/saved_objects/{type}/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"attributes":{},"initialNamespaces":[],"references":[]}'

Request examples

# Headers
kbn-xsrf: string

# Payload
{
  "attributes": {},
  "initialNamespaces": [],
  "references": []
}

Response examples (200)

{}

Response examples (409)

{}

Security detections

Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the Alerts page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.

This API supports both key-based authentication and basic authentication.

To use key-based authentication, create an API key, then specify the key in the header of your API calls.

To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.

In both cases, the API key is subsequently used for authorization when the rule runs.

If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.

If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.

To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the Detections requirements for a complete list of requirements.

Install prebuilt detection rules and Timelines

PUT /api/detection_engine/rules/prepackaged

Api key auth Basic auth

Install and update all Elastic prebuilt detection rules and Timelines.

This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. When you call this endpoint, it will:

Install any new prebuilt detection rules that are not currently installed in your system.
Update any existing prebuilt detection rules that have been modified or improved by Elastic.
Install any new prebuilt Timelines that are not currently installed in your system.
Update any existing prebuilt Timelines that have been modified or improved by Elastic.

This ensures that your detection engine is always up-to-date with the latest rules and Timelines, providing you with the most current and effective threat detection capabilities.

Responses

200 application/json

Indicates a successful call
Hide response attributes Show response attributes object
- rules_installed integer Required
  
  The number of rules installed
  
  Minimum value is 0.
- rules_updated integer Required
  
  The number of rules updated
  
  Minimum value is 0.
- timelines_installed integer Required
  
  The number of timelines installed
  
  Minimum value is 0.
- timelines_updated integer Required
  
  The number of timelines updated
  
  Minimum value is 0.

PUT /api/detection_engine/rules/prepackaged

curl \
 --request PUT 'https://localhost:5601/api/detection_engine/rules/prepackaged' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "rules_updated": 0,
  "rules_installed": 112,
  "timelines_updated": 2,
  "timelines_installed": 5
}

Retrieve the status of detection alert migrations Deprecated

GET /api/detection_engine/signals/migration_status

Api key auth Basic auth

Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices.

Query parameters

from string(date-math) Required

Maximum age of qualifying detection alerts

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- indices array[object] Required
  
  Hide indices attributes Show indices attributes object
  
  index string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  is_outdated boolean Required
  
  migrations array[object] Required
  
  Hide migrations attributes Show migrations attributes object
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  status string Required
  
  Values are success, failure, or pending.
  
  updated string(date-time) Required
  
  version integer Required
  
  signal_versions array[object] Required
  
  Hide signal_versions attributes Show signal_versions attributes object
  
  count integer Required
  
  version integer Required
  
  version integer Required
400 application/json

Invalid input data response
One of:
Security_Detections_API_PlatformErrorResponse object Security_Detections_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/detection_engine/signals/migration_status

curl \
 --request GET 'https://localhost:5601/api/detection_engine/signals/migration_status?from=now-30d' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "indices": [
    {
      "index": ".siem-signals-default-000002",
      "version": 15,
      "migrations": [
        {
          "id": "924f7c50-505f-11eb-ae0a-3fa2e626a51d",
          "status": "pending",
          "updated": "2021-01-06T20:41:37.173Z",
          "version": 16
        }
      ],
      "is_outdated": true,
      "signal_versions": [
        {
          "count": 100,
          "version": 15
        },
        {
          "count": 87,
          "version": 16
        }
      ]
    },
    {
      "index": ".siem-signals-default-000003",
      "version": 16,
      "migrations": [],
      "is_outdated": false,
      "signal_versions": [
        {
          "count": 54,
          "version": 16
        }
      ]
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Get an endpoint exception list item

GET /api/endpoint_list/items

Api key auth Basic auth

Get the details of an endpoint exception list item using the id or item_id field.

Query parameters

id string(nonempty)

Either id or item_id must be specified

Minimum length is 1.
item_id string(nonempty)

Either id or item_id must be specified

Minimum length is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryList object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch object Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows.
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json

Invalid input data
One of:
Security_Endpoint_Exceptions_API_PlatformErrorResponse object Security_Endpoint_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Insufficient privileges
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

Endpoint list item not found
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/endpoint_list/items

curl \
 --request GET 'https://localhost:5601/api/endpoint_list/items' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "_version": "string",
    "comments": [
      {
        "comment": "string",
        "created_at": "2025-05-04T09:42:00Z",
        "created_by": "string",
        "id": "string",
        "updated_at": "2025-05-04T09:42:00Z",
        "updated_by": "string"
      }
    ],
    "created_at": "2025-05-04T09:42:00Z",
    "created_by": "string",
    "description": "string",
    "entries": [
      {
        "field": "string",
        "operator": "excluded",
        "type": "match",
        "value": "string"
      }
    ],
    "expire_time": "2025-05-04T09:42:00Z",
    "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
    "item_id": "simple_list_item",
    "list_id": "simple_list",
    "meta": {},
    "name": "string",
    "namespace_type": "agnostic",
    "os_types": [
      "linux"
    ],
    "tags": [
      "string"
    ],
    "tie_breaker_id": "string",
    "type": "simple",
    "updated_at": "2025-05-04T09:42:00Z",
    "updated_by": "string"
  }
]

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

{
  "message": "string",
  "status_code": 42
}

Response examples (401)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (403)

{
  "error": "string",
  "message": "string",
  "statusCode": 42
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "string",
  "status_code": 42
}

Release an isolated endpoint

POST /api/endpoint/action/unisolate

Api key auth Basic auth

Release an isolated endpoint, allowing it to rejoin a network.

application/json

Body Required

agent_type string

List of agent types to retrieve. Defaults to endpoint.

Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.
alert_ids array[string(nonempty)]

A list of alerts ids.

At least 1 element. Minimum length of each is 1.
case_ids array[string]

Case IDs to be updated (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
comment string

Optional comment
endpoint_ids array[string] Required

List of endpoint IDs (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
parameters object

Optional parameters object

Responses

200 application/json

OK

POST /api/endpoint/action/unisolate

curl \
 --request POST 'https://localhost:5601/api/endpoint/action/unisolate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Benign process identified, releasing group","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}'

Request examples

{
  "comment": "Benign process identified, releasing group",
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ]
}

{
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}

{
  "comment": "Remediation complete, restoring network",
  "case_ids": [
    "4976be38-c134-4554-bd5e-0fd89ce63667"
  ],
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ]
}

Response examples (200)

{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "suspend-process",
    "comment": "suspend the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  },
  "action": "233db9ea-6733-4849-9226-5a7039c7161d"
}

Get the status of the Entity Store

GET /api/entity_store/status

Api key auth Basic auth

Query parameters

include_components boolean

If true returns a detailed status of the engine including all it's components

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- engines array[object] Required
  
  Hide engines attributes Show engines attributes object
  
  delay string
  
  Format should match the following pattern: [smdh]$. Default value is 1m.
  
  docsPerSecond integer
  
  error object
  
  Hide error attributes Show error attributes object
  
  action string Required
  
  Value is init.
  
  message string Required
  
  fieldHistoryLength integer Required
  
  filter string
  
  frequency string
  
  Format should match the following pattern: [smdh]$. Default value is 1m.
  
  indexPattern string Required
  
  lookbackPeriod string
  
  Format should match the following pattern: [smdh]$. Default value is 24h.
  
  status string Required
  
  Values are installing, started, stopped, updating, or error.
  
  timeout string
  
  Format should match the following pattern: [smdh]$. Default value is 180s.
  
  timestampField string
  
  type string Required
  
  Values are user, host, service, or generic.
  
  components array[object]
  
  Hide components attributes Show components attributes object
  
  errors array[object]
  
  Hide errors attributes Show errors attributes object
  
  message string
  
  title string
  
  health string
  
  Values are green, yellow, red, or unknown.
  
  id string Required
  
  installed boolean Required
  
  metadata object
  
  Hide metadata attributes Show metadata attributes object
  
  delete_time_in_ms integer
  
  documents_deleted integer
  
  documents_indexed integer Required
  
  documents_processed integer Required
  
  exponential_avg_checkpoint_duration_ms integer Required
  
  exponential_avg_documents_indexed integer Required
  
  exponential_avg_documents_processed integer Required
  
  index_failures integer Required
  
  index_time_in_ms integer Required
  
  index_total integer Required
  
  pages_processed integer Required
  
  processing_time_in_ms integer Required
  
  processing_total integer Required
  
  search_failures integer Required
  
  search_time_in_ms integer Required
  
  search_total integer Required
  
  trigger_count integer Required
  
  resource string Required
  
  Values are entity_engine, entity_definition, index, component_template, index_template, ingest_pipeline, enrich_policy, task, or transform.
- status string Required
  
  Values are not_installed, installing, running, stopped, or error.

GET /api/entity_store/status

curl \
 --request GET 'https://localhost:5601/api/entity_store/status' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "engines": [
    {
      "delay": "1m",
      "docsPerSecond": 42,
      "error": {
        "action": "init",
        "message": "string"
      },
      "fieldHistoryLength": 42,
      "filter": "string",
      "frequency": "1m",
      "indexPattern": "string",
      "lookbackPeriod": "24h",
      "status": "installing",
      "timeout": "180s",
      "timestampField": "string",
      "type": "user",
      "components": [
        {
          "errors": [
            {
              "message": "string",
              "title": "string"
            }
          ],
          "health": "green",
          "id": "string",
          "installed": true,
          "metadata": {
            "delete_time_in_ms": 42,
            "documents_deleted": 42,
            "documents_indexed": 42,
            "documents_processed": 42,
            "exponential_avg_checkpoint_duration_ms": 42,
            "exponential_avg_documents_indexed": 42,
            "exponential_avg_documents_processed": 42,
            "index_failures": 42,
            "index_time_in_ms": 42,
            "index_total": 42,
            "pages_processed": 42,
            "processing_time_in_ms": 42,
            "processing_total": 42,
            "search_failures": 42,
            "search_time_in_ms": 42,
            "search_total": 42,
            "trigger_count": 42
          },
          "resource": "entity_engine"
        }
      ]
    }
  ],
  "status": "not_installed"
}

Security exceptions

Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.

Exceptions are made up of:

Exception containers: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
Exception items: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to true, the rule does not generate an alert.

For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.

You cannot use lists with endpoint rule exceptions.

Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.

Exceptions requirements

Before you can start working with exceptions that use value lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to Enable and access detections.

Create an exception list

POST /api/exception_lists

Api key auth Basic auth

An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules.

All exception items added to the same list are evaluated using OR logic. That is, if any of the items in a list evaluate to true, the exception prevents the rule from generating an alert. Likewise, OR logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the AND operator, you can define multiple clauses (entries) in a single exception item.

application/json

Body Required

Exception list's properties

description string Required

Describes the exception list.
list_id string(nonempty)

Exception list's human readable string identifier, e.g. trusted-linux-processes.

Minimum length is 1.
meta object

Placeholder for metadata about the list container.

Additional properties are allowed.
name string Required

The name of the exception list.
namespace_type string
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
- single: Only available in the Kibana space in which it is created.
- agnostic: Available in all Kibana spaces.
Values are agnostic or single. Default value is single.
os_types array[string]

Use this field to specify the operating system. Only enter one value.

Values are linux, macos, or windows.
tags array[string]

String array containing words and phrases to help categorize exception containers.
type string Required

The type of exception list to be created. Different list types may denote where they can be utilized.

Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
version integer

The document version, automatically increasd on updates.

Minimum value is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- id string(nonempty) Required
  
  Exception list's identifier.
  
  Minimum length is 1.
- immutable boolean Required
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Placeholder for metadata about the list container.
  
  Additional properties are allowed.
- name string Required
  
  The name of the exception list.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Use this field to specify the operating system. Only enter one value.
  
  Values are linux, macos, or windows.
- tags array[string]
  
  String array containing words and phrases to help categorize exception containers.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  The type of exception list to be created. Different list types may denote where they can be utilized.
  
  Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
- version integer Required
  
  The document version, automatically increasd on updates.
  
  Minimum value is 1.
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
409 application/json

Exception list already exists response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/exception_lists

curl \
 --request POST 'https://localhost:5601/api/exception_lists' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"Sample Detection Exception List","tags":["malware"],"type":"detection","list_id":"simple_list","os_types":["linux"],"description":"This is a sample detection type exception list.","namespace_type":"single"}'

Request example

{
  "name": "Sample Detection Exception List",
  "tags": [
    "malware"
  ],
  "type": "detection",
  "list_id": "simple_list",
  "os_types": [
    "linux"
  ],
  "description": "This is a sample detection type exception list.",
  "namespace_type": "single"
}

Response examples (200)

{
  "id": "28243c2f-624a-4443-823d-c0b894880931",
  "name": "Sample Detection Exception List",
  "tags": [
    "malware"
  ],
  "type": "detection",
  "list_id": "8c1aae4c-1ef5-4bce-a2e3-16584b501783",
  "version": 1,
  "_version": "WzMsMV0=",
  "os_types": [],
  "immutable": false,
  "created_at": "2025-01-09T01:05:23.019Z",
  "created_by": "elastic",
  "updated_at": "2025-01-09T01:05:23.020Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception with an autogenerated list_id.",
  "namespace_type": "single",
  "tie_breaker_id": "ad94de31-39f7-4ad7-b8e4-988bfa95f338"
}

{
  "id": "1a744e77-22ca-4b6b-9085-54f55275ebe5",
  "name": "Sample Agnostic Endpoint Exception List",
  "tags": [
    "malware"
  ],
  "type": "endpoint",
  "list_id": "b935eb55-7b21-4c1c-b235-faa1df23b3d6",
  "version": 1,
  "_version": "WzUsMV0=",
  "os_types": [
    "linux"
  ],
  "immutable": false,
  "created_at": "2025-01-09T01:10:36.369Z",
  "created_by": "elastic",
  "updated_at": "2025-01-09T01:10:36.369Z",
  "updated_by": "elastic",
  "description": "This is a sample agnostic endpoint type exception.",
  "namespace_type": "agnostic",
  "tie_breaker_id": "49ea0adc-a2b8-4d83-a8f3-2fb98301dea3"
}

{
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "name": "Sample Detection Exception List",
  "tags": [
    "malware"
  ],
  "type": "detection",
  "list_id": "simple_list",
  "version": 1,
  "_version": "WzIsMV0=",
  "os_types": [
    "linux"
  ],
  "immutable": false,
  "created_at": "2025-01-07T19:34:27.942Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T19:34:27.942Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception list.",
  "namespace_type": "single",
  "tie_breaker_id": "78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3"
}

{
  "id": "a79f4730-6e32-4278-abfc-349c0add7d54",
  "name": "Sample Endpoint Exception List",
  "tags": [
    "malware"
  ],
  "type": "endpoint",
  "list_id": "endpoint_list",
  "version": 1,
  "_version": "WzQsMV0=",
  "os_types": [
    "linux"
  ],
  "immutable": false,
  "created_at": "2025-01-09T01:07:49.658Z",
  "created_by": "elastic",
  "updated_at": "2025-01-09T01:07:49.658Z",
  "updated_by": "elastic",
  "description": "This is a sample endpoint type exception list.",
  "namespace_type": "single",
  "tie_breaker_id": "94a028af-8f47-427a-aca5-ffaf829e64ee"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request body]: list_id: Expected string, received number",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (409)

{
  "message": "exception list id: \"simple_list\" already exists",
  "status_code": 409
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Get exception list items

GET /api/exception_lists/items/_find

Api key auth Basic auth

Get a list of all exception list items in the specified list.

Query parameters

list_id array[string(nonempty)] Required

The list_ids of the items to fetch.

Minimum length of each is 1.
filter array[string(nonempty)]

Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax.

Minimum length of each is 1. Default value is [] (empty).
namespace_type array[string]

Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces (agnostic or single)

Values are agnostic or single. Default value is ["single"].
search string
page integer

The page number to return

Minimum value is 0.
per_page integer

The number of exception list items to return per page

Minimum value is 0.
sort_field string(nonempty)

Determines which field is used to sort the results.

Minimum length is 1.
sort_order string

Determines the sort order, which can be desc or asc.

Values are desc or asc.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
  
  comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string Required
  
  Autogenerated value - user that created object.
  
  description string Required
  
  Describes the exception list.
  
  entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
  
  id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
  
  item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
  
  list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
  
  meta object
  
  Additional properties are allowed.
  
  name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
  
  namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
  
  os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows. Default value is [] (empty).
  
  tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1. Default value is [] (empty).
  
  tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
  
  type string Required
  
  Value is simple.
  
  updated_at string(date-time) Required
  
  Autogenerated date of last object update.
  
  updated_by string Required
  
  Autogenerated value - user that last updated object.
- page integer Required
  
  Minimum value is 1.
- per_page integer Required
  
  Minimum value is 1.
- pit string
- total integer Required
  
  Minimum value is 0.
400 application/json

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

Exception list not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/exception_lists/items/_find

curl \
 --request GET 'https://localhost:5601/api/exception_lists/items/_find?list_id=simple_list' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": [
    {
      "id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da",
      "name": "Sample Exception List Item",
      "tags": [
        "malware"
      ],
      "type": "simple",
      "entries": [
        {
          "type": "exists",
          "field": "actingProcess.file.signer",
          "operator": "excluded"
        },
        {
          "type": "match_any",
          "field": "host.name",
          "value": [
            "jupiter",
            "saturn"
          ],
          "operator": "included"
        }
      ],
      "item_id": "simple_list_item",
      "list_id": "simple_list",
      "_version": "WzgsMV0=",
      "comments": [],
      "os_types": [
        "linux"
      ],
      "created_at": "2025-01-07T21:12:25.512Z",
      "created_by": "elastic",
      "updated_at": "2025-01-07T21:12:25.512Z",
      "updated_by": "elastic",
      "description": "This is a sample exception item.",
      "namespace_type": "single",
      "tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0"
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 20
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "exception list list_id: \"foo\" does not exist",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Get value list details

GET /api/lists

Api key auth Basic auth

Get the details of a value list using the list ID.

Query parameters

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
- @timestamp string(date-time)
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string(nonempty) Required
  
  Describes the value list.
  
  Minimum length is 1.
- deserializer string
  
  Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
  
  {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  
  {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  
  {{{gte}}},{{{lte}}} - Date range values.
- id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
- immutable boolean Required
- meta object
  
  Placeholder for metadata about the value list.
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Value list's name.
  
  Minimum length is 1.
- serializer string
  
  Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
  
  (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  
  (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
- version integer Required
  
  The document version number.
  
  Minimum value is 1.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

GET /api/lists

curl \
 --request GET 'https://localhost:5601/api/lists?id=21b01cfb-058d-44b9-838c-282be16c91cd' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "ip_list",
  "name": "My bad ips",
  "type": "ip",
  "version": 1,
  "_version": "WzEsMV0=",
  "immutable": false,
  "@timestamp": "2025-01-08T04:47:34.273Z",
  "created_at": "2025-01-08T04:47:34.273Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:21:53.843Z",
  "updated_by": "elastic",
  "description": "This list describes bad internet ip",
  "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request query]: id: Required",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "list id: \\\"foo\\\" not found",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Delete a value list

DELETE /api/lists

Api key auth Basic auth

Delete a value list using the list ID.

When you delete a list, all of its list items are also deleted.

Query parameters

id string(nonempty) Required

Value list's identifier.

Minimum length is 1.
deleteReferences boolean

Determines whether exception items referencing this value list should be deleted.

Default value is false.
ignoreReferences boolean

Determines whether to delete value list without performing any additional checks of where this list may be utilized.

Default value is false.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
- @timestamp string(date-time)
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string(nonempty) Required
  
  Describes the value list.
  
  Minimum length is 1.
- deserializer string
  
  Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
  
  {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  
  {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  
  {{{gte}}},{{{lte}}} - Date range values.
- id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
- immutable boolean Required
- meta object
  
  Placeholder for metadata about the value list.
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Value list's name.
  
  Minimum length is 1.
- serializer string
  
  Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
  
  (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  
  (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
- version integer Required
  
  The document version number.
  
  Minimum value is 1.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

DELETE /api/lists

curl \
 --request DELETE 'https://localhost:5601/api/lists?id=21b01cfb-058d-44b9-838c-282be16c91cd' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "21b01cfb-058d-44b9-838c-282be16c91cd",
  "name": "Bad ips",
  "type": "ip",
  "version": 3,
  "_version": "WzIsMV0=",
  "immutable": false,
  "@timestamp": "2025-01-08T04:47:34.273Z",
  "created_at": "2025-01-08T04:47:34.273Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:39:39.292Z",
  "updated_by": "elastic",
  "description": "List of bad internet ips.",
  "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "[request query]: id: Required",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "list id: \\\"ip_list\\\" was not found",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Patch a value list item

PATCH /api/lists/items

Api key auth Basic auth

Update specific fields of an existing value list item using the item id.

application/json

Body Required

Value list item's properties

_version string

The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
id string(nonempty) Required

Value list item's identifier.

Minimum length is 1.
meta object

Placeholder for metadata about the value list item.

Additional properties are allowed.
refresh string

Determines when changes made by the request are made visible to search.

Values are true, false, or wait_for.
value string(nonempty)

The value used to evaluate exceptions.

Minimum length is 1.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
- @timestamp string(date-time)
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- deserializer string
  
  Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
  
  {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
  
  {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
  
  {{{gte}}},{{{lte}}} - Date range values.
- id string(nonempty) Required
  
  Value list item's identifier.
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
- meta object
  
  Placeholder for metadata about the value list item.
  
  Additional properties are allowed.
- serializer string
  
  Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
  
  (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
  
  (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
- value string(nonempty) Required
  
  The value used to evaluate exceptions.
  
  Minimum length is 1.
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List item not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

PATCH /api/lists/items

curl \
 --request PATCH 'https://localhost:5601/api/lists/items' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id":"pd1WRJQBs4HAK3VQeHFI","value":"255.255.255.255"}'

Request example

{
  "id": "pd1WRJQBs4HAK3VQeHFI",
  "value": "255.255.255.255"
}

Response examples (200)

{
  "id": "pd1WRJQBs4HAK3VQeHFI",
  "type": "ip",
  "value": "255.255.255.255",
  "list_id": "ip_list",
  "_version": "WzE5LDFd",
  "@timestamp": "2025-01-08T05:15:05.159Z",
  "created_at": "2025-01-08T05:15:05.159Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:23:37.602Z",
  "updated_by": "elastic",
  "tie_breaker_id": "eee41dc7-1666-4876-982f-8b0f7b59eca3"
}

Response examples (400)

{
  "message": "{\"took\":15,\"timed_out\":false,\"total\":1,\"updated\":0,\"deleted\":0,\"batches\":1,\"version_conflicts\":0,\"noops\":0,\"retries\":{\"bulk\":0,\"search\":0},\"throttled_millis\":0,\"requests_per_second\":-1,\"throttled_until_millis\":0,\"failures\":[{\"index\":\".ds-.items-default-2025.01.09-000001\",\"id\":\"ip_item\",\"cause\":{\"type\":\"document_parsing_exception\",\"reason\":\"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"2 is not an IP string literal.\"}},\"status\":400}]}",
  "status_code": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "list item id: \\\"foo\\\" not found",
  "status_code": 404
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Export value list items

POST /api/lists/items/_export

Api key auth Basic auth

Export list item values from the specified value list.

Query parameters

list_id string(nonempty) Required

Value list's id to export.

Minimum length is 1.

Responses

200 application/ndjson

Successful response

A .txt file containing list items from the specified list
400 application/json

Invalid input data response
One of:
Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
404 application/json

List not found response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required
500 application/json

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/lists/items/_export

curl \
 --request POST 'https://localhost:5601/api/lists/items/_export?list_id=21b01cfb-058d-44b9-838c-282be16c91cd' \
 --header "Authorization: $API_KEY"

Response examples (200)

127.0.0.1
127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
127.0.0.7
127.0.0.8
127.0.0.9

Response examples (400)

{
  "error": "Bad Request\",\"message\":\"[request query]: list_id: Required",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Forbidden",
  "message": "API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}

Response examples (404)

{
  "message": "string",
  "status_code": 42
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

Import Timelines

POST /api/timeline/_import

Api key auth Basic auth

Import Timelines.

application/json

Body Required

The Timelines to import as a readable stream.

isImmutable string

Whether the Timeline should be immutable

Values are true or false.

Responses

200 application/json

Indicates the import of Timelines was successful.
Hide response attributes Show response attributes object
- errors array[object]
  
  The list of failed Timeline imports
  
  Hide errors attributes Show errors attributes object
  
  error object
  
  The error containing the reason why the timeline could not be imported
  
  Hide error attributes Show error attributes object
  
  message string
  
  The reason why the timeline could not be imported
  
  status_code number
  
  The HTTP status code of the error
  
  id string
  
  The ID of the timeline that failed to import
- success boolean
  
  Indicates whether any of the Timelines were successfully imports
- success_count number
  
  The amount of successfully imported/updated Timelines
- timelines_installed number
  
  The amount of successfully installed Timelines
- timelines_updated number
  
  The amount of successfully updated Timelines
400 application/json

Indicates the import of Timelines was unsuccessful because of an invalid file extension.
Hide response attributes Show response attributes object
- body string
  
  The error message
- statusCode number
404 application/json

Indicates that we were unable to locate the saved object client necessary to handle the import.
Hide response attributes Show response attributes object
- body string
  
  The error message
- statusCode number
409 application/json

Indicates the import of Timelines was unsuccessful.
Hide response attributes Show response attributes object
- body string
  
  The error message
- statusCode number

POST /api/timeline/_import

curl \
 --request POST 'https://localhost:5601/api/timeline/_import' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"isImmutable":"true"}'

Request examples

{
  "isImmutable": "true"
}

Response examples (200)

{
  "errors": [
    {
      "error": {
        "message": "Malformed JSON",
        "status_code": 400
      },
      "id": "6ce1b592-84e3-4b4a-9552-f189d4b82075"
    }
  ],
  "success": true,
  "success_count": 99,
  "timelines_installed": 80,
  "timelines_updated": 19
}

Response examples (400)

{
  "body": "Invalid file extension",
  "statusCode": 400
}

Response examples (404)

{
  "body": "Unable to find saved object client",
  "statusCode": 404
}

Response examples (409)

{
  "body": "Could not import timelines",
  "statusCode": 409
}

Get stream dashboards Technical Preview

GET /api/streams/{name}/dashboards

Api key auth Basic auth

Fetches all dashboards linked to a stream that are visible to the current user in the current space.

Path parameters

name string Required

application/json

Body

object

Additional properties are NOT allowed.

GET /api/streams/{name}/dashboards

curl \
 --request GET 'https://localhost:5601/api/streams/{name}/dashboards' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"

Request examples

{}

Upsert a query to a stream Technical Preview

PUT /api/streams/{name}/queries/{queryId}

Api key auth Basic auth

Adds a query to a stream. Noop if the query is already present on the stream.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

name string Required
queryId string Required

application/json

Body

kql object Required

Additional properties are NOT allowed.
Hide kql attribute Show kql attribute object
- query string Required
  
  Minimum length is 1.
title string Required

Minimum length is 1.

PUT /api/streams/{name}/queries/{queryId}

curl \
 --request PUT 'https://localhost:5601/api/streams/{name}/queries/{queryId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"kql":{"query":"string"},"title":"string"}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "kql": {
    "query": "string"
  },
  "title": "string"
}

Delete monitors

POST /api/synthetics/monitors/_bulk_delete

Api key auth Basic auth

Delete multiple monitors by sending a list of config IDs.

application/json

Body Required

ids array[string] Required

An array of monitor IDs to delete.

Responses

200 application/json
Hide response attributes Show response attributes object
- deleted boolean
  
  If it is true, the monitor was successfully deleted If it is false, the monitor was not deleted.
- ids string
  
  The unique identifier of the deleted monitor.

POST /api/synthetics/monitors/_bulk_delete

curl \
 --request POST 'https://localhost:5601/api/synthetics/monitors/_bulk_delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"ids\": [\n    \"monitor1-id\",\n    \"monitor2-id\"\n  ]\n}"'

Request example

Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors.

{
  "ids": [
    "monitor1-id",
    "monitor2-id"
  ]
}

Response examples (200)

A response from successfully deleting multiple monitors.

[
  {
    "id": "monitor1-id",
    "deleted": true
  },
  {
    "id": "monitor2-id",
    "deleted": true
  }
]

Body Required

connector object Required

value string | null | boolean Required

connector object Required

value string | null | boolean

defaultValue string | boolean

value string | boolean

Create a saved object Deprecated

Body Required

Retrieve the status of detection alert migrations Deprecated

Body Required

Body Required

Body Required

Body Required

Spaces Dismiss highlight

Get stream dashboards Technical Preview

Upsert a query to a stream Technical Preview

Body Required

Spaces