Authentication

The API accepts 2 different authentication methods:

Api key auth (http_api_key)

These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey

Basic auth (http)

Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password (separated by a : colon).

Example: send a Authorization: Basic aGVsbG86aGVsbG8= HTTP header with your requests to authenticate with the API.

Kibana spaces

Spaces enable you to organize your dashboards and other saved objects into meaningful categories. You can use the default space or create your own spaces.

To run APIs in non-default spaces, you must add s/{space_id}/ to the path. For example:

curl -X GET "http://localhost:5601/s/marketing/api/data_views"

If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.

To learn more, check out Spaces.


Get the alerting framework health

GET /api/alerting/_health

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.

      Additional properties are allowed.

      Hide alerting_framework_health attributes Show alerting_framework_health attributes object
      • The timestamp and status of the rule decryption.

        Additional properties are allowed.

        Hide decryption_health attributes Show decryption_health attributes object
      • The timestamp and status of the rule run.

        Additional properties are allowed.

        Hide execution_health attributes Show execution_health attributes object
      • The timestamp and status of the rule reading events.

        Additional properties are allowed.

        Hide read_health attributes Show read_health attributes object
    • If false, the encrypted saved object plugin does not have a permanent encryption key.

    • If false, security is enabled but TLS is not.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/_health
curl \
 --request GET https://localhost:5601/api/alerting/_health
Response examples (200)
{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get the rule types

GET /api/alerting/rule_types

If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • action_groups array[object]

      An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.

      Hide action_groups attributes Show action_groups attributes object
    • A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.

      Additional properties are allowed.

      Hide action_variables attributes Show action_variables attributes object
    • alerts object

      Details for writing alerts as data documents for this rule type.

      Additional properties are allowed.

      Hide alerts attributes Show alerts attributes object
      • context string

        The namespace for this rule type.

        Values are ml.anomaly-detection, observability.apm, observability.logs, observability.metrics, observability.slo, observability.threshold, observability.uptime, security, or stack.

      • dynamic string

        Indicates whether new fields are added dynamically.

        Values are false, runtime, strict, or true.

      • Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.

      • mappings object

        Additional properties are allowed.

        Hide mappings attribute Show mappings attribute object
        • fieldMap object

          Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.

          Hide fieldMap attribute Show fieldMap attribute object
          • * object Additional properties

            Additional properties are allowed.

            Hide * attributes Show * attributes object
            • array boolean

              Indicates whether the field is an array.

            • dynamic boolean

              Indicates whether it is a dynamic field mapping.

            • format string

              Indicates the format of the field. For example, if the type is date_range, the format can be epoch_millis||strict_date_optional_time.

            • Specifies the maximum length of a string field. Longer strings are not indexed or stored.

            • index boolean

              Indicates whether field values are indexed.

            • path string

              TBD

            • Details about the object properties. This property is applicable when type is object.

              Hide properties attribute Show properties attribute object
              • * object Additional properties

                Additional properties are allowed.

                Hide * attribute Show * attribute object
                • type string

                  The data type for each object property.

            • required boolean

              Indicates whether the field is required.

            • The scaling factor to use when encoding values. This property is applicable when type is scaled_float. Values will be multiplied by this factor at index time and rounded to the closest long value.

            • type string

              Specifies the data type for the field.

      • A secondary alias. It is typically used to support the signals alias for detection rules.

      • Indicates whether the rule should write out alerts as data.

      • useEcs boolean

        Indicates whether to include the ECS component template for the alerts.

      • Indicates whether to include the legacy component template for the alerts.

        Default value is false.

    • The list of the plugins IDs that have access to the rule type.

      Additional properties are allowed.

      Hide authorized_consumers attributes Show authorized_consumers attributes object
      • alerts object

        Additional properties are allowed.

        Hide alerts attributes Show alerts attributes object
      • apm object

        Additional properties are allowed.

        Hide apm attributes Show apm attributes object
      • discover object

        Additional properties are allowed.

        Hide discover attributes Show discover attributes object
      • Additional properties are allowed.

        Hide infrastructure attributes Show infrastructure attributes object
      • logs object

        Additional properties are allowed.

        Hide logs attributes Show logs attributes object
      • ml object

        Additional properties are allowed.

        Hide ml attributes Show ml attributes object
      • Additional properties are allowed.

        Hide monitoring attributes Show monitoring attributes object
      • siem object

        Additional properties are allowed.

        Hide siem attributes Show siem attributes object
      • slo object

        Additional properties are allowed.

        Hide slo attributes Show slo attributes object
      • Additional properties are allowed.

        Hide stackAlerts attributes Show stackAlerts attributes object
      • uptime object

        Additional properties are allowed.

        Hide uptime attributes Show uptime attributes object
    • category string

      The rule category, which is used by features such as category-specific maintenance windows.

      Values are management, observability, or securitySolution.

    • The default identifier for the rule type group.

    • Indicates whether the rule passes context variables to its recovery action.

    • Indicates whether the rule type is enabled or disabled based on the subscription.

    • Indicates whether the rule type has custom mappings for the alert data.

    • id string

      The unique identifier for the rule type.

    • Indicates whether the rule type is exportable in Stack Management > Saved Objects.

    • The subscriptions required to use the rule type.

    • name string

      The descriptive name of the rule type.

    • producer string

      An identifier for the application that produces this rule type.

    • An action group to use when an alert goes from an active state to an inactive one.

      Additional properties are allowed.

      Hide recovery_action_group attributes Show recovery_action_group attributes object
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/rule_types
curl \
 --request GET https://localhost:5601/api/alerting/rule_types
Response examples (200)
[
  {
    "id": "xpack.ml.anomaly_detection_alert",
    "name": "Anomaly detection alert",
    "alerts": {
      "context": "ml.anomaly-detection",
      "mappings": {
        "fieldMap": {
          "kibana.alert.job_id": {
            "type": "keyword",
            "array": false,
            "required": true
          },
          "kibana.alert.is_interim": {
            "type": "boolean",
            "array": false,
            "required": false
          },
          "kibana.alert.top_records": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "actual": {
                "type": "double"
              },
              "job_id": {
                "type": "keyword"
              },
              "typical": {
                "type": "double"
              },
              "function": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "field_name": {
                "type": "keyword"
              },
              "is_interim": {
                "type": "boolean"
              },
              "record_score": {
                "type": "double"
              },
              "by_field_name": {
                "type": "keyword"
              },
              "by_field_value": {
                "type": "keyword"
              },
              "detector_index": {
                "type": "integer"
              },
              "over_field_name": {
                "type": "keyword"
              },
              "over_field_value": {
                "type": "keyword"
              },
              "initial_record_score": {
                "type": "double"
              },
              "partition_field_name": {
                "type": "keyword"
              },
              "partition_field_value": {
                "type": "keyword"
              }
            }
          },
          "kibana.alert.anomaly_score": {
            "type": "double",
            "array": false,
            "required": false
          },
          "kibana.alert.top_influencers": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "job_id": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "is_interim": {
                "type": "boolean"
              },
              "influencer_score": {
                "type": "double"
              },
              "influencer_field_name": {
                "type": "keyword"
              },
              "influencer_field_value": {
                "type": "keyword"
              },
              "initial_influencer_score": {
                "type": "double"
              }
            }
          },
          "kibana.alert.anomaly_timestamp": {
            "type": "date",
            "array": false,
            "required": false
          }
        }
      },
      "shouldWrite": true
    },
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_score_match",
        "name": "Anomaly score matched the condition"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "timestamp",
          "description": "The bucket timestamp of the anomaly"
        },
        {
          "name": "timestampIso8601",
          "description": "The bucket time of the anomaly in ISO8601 format"
        },
        {
          "name": "jobIds",
          "description": "List of job IDs that triggered the alert"
        },
        {
          "name": "message",
          "description": "Alert info message"
        },
        {
          "name": "isInterim",
          "description": "Indicate if top hits contain interim results"
        },
        {
          "name": "score",
          "description": "Anomaly score at the time of the notification action"
        },
        {
          "name": "topRecords",
          "description": "Top records"
        },
        {
          "name": "topInfluencers",
          "description": "Top influencers"
        },
        {
          "name": "anomalyExplorerUrl",
          "description": "URL to open in the Anomaly Explorer",
          "useWithTripleBracesInTemplates": true
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": true,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_score_match",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  },
  {
    "id": "xpack.ml.anomaly_detection_jobs_health",
    "name": "Anomaly detection jobs health",
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_detection_realtime_issue",
        "name": "Issue detected"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "results",
          "description": "Results of the rule execution"
        },
        {
          "name": "message",
          "description": "Alert info message"
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": false,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_detection_realtime_issue",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}












Delete a rule

DELETE /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id}
curl \
 --request DELETE https://localhost:5601/api/alerting/rule/{id} \
 --header "kbn-xsrf: true"

Disable a rule

POST /api/alerting/rule/{id}/_disable

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

application/json

Body

  • untrack boolean

    Defines whether this rule's alerts should be untracked.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "untrack": true
}

Enable a rule

POST /api/alerting/rule/{id}/_enable

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_enable
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_enable \
 --header "kbn-xsrf: true"




Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
 --header "kbn-xsrf: true"

Update the API key for a rule

POST /api/alerting/rule/{id}/_update_api_key

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

  • Indicates that the rule has already been updated by another user.

POST /api/alerting/rule/{id}/_update_api_key
curl \
 --request POST https://localhost:5601/api/alerting/rule/{id}/_update_api_key \
 --header "kbn-xsrf: true"

Mute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
curl \
 --request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute \
 --header "kbn-xsrf: true"

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
curl \
 --request POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute \
 --header "kbn-xsrf: true"




APM agent configuration

Adjust APM agent configuration without need to redeploy your application.





Create or update agent configuration

PUT /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • overwrite boolean

    If the config exists ?overwrite=true is required

application/json

Body Required

  • Agent name

  • service object Required

    Service

    Additional properties are allowed.

    Hide service attributes Show service attributes object
  • settings object Required

    Agent configuration settings

    Hide settings attribute Show settings attribute object
    • * string Additional properties

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
PUT /api/apm/settings/agent-configuration
curl \
 --request PUT https://localhost:5601/api/apm/settings/agent-configuration \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "agent_name": "string",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Delete agent configuration

DELETE /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
DELETE /api/apm/settings/agent-configuration
curl \
 --request DELETE https://localhost:5601/api/apm/settings/agent-configuration \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"environment":"prod","name":"node"}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "environment": "prod",
  "name": "node"
}
Response examples (200)
{
  "result": "string"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get agent name for service

GET /api/apm/settings/agent-configuration/agent_name

Retrieve agentName for a service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/agent_name
curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "agentName": "nodejs"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}








Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/view
curl \
 --request GET https://localhost:5601/api/apm/settings/agent-configuration/view \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "id": "string",
  "@timestamp": 1730194190636,
  "agent_name": "string",
  "applied_by_agent": true,
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Create an APM agent key

POST /api/apm/agent_keys

Create a new agent key for APM.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • name string Required

    Agent name

  • privileges array[string] Required

    Privileges configuration

    Values are event:write or config_agent:read.

Responses

  • 200 application/json

    Agent key created successfully

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
POST /api/apm/agent_keys
curl \
 --request POST https://localhost:5601/api/apm/agent_keys \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"name":"string","privileges":["event:write"]}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "name": "string",
  "privileges": [
    "event:write"
  ]
}
Response examples (200)
{
  "agentKey": {
    "api_key": "string",
    "encoded": "string",
    "expiration": 42,
    "id": "string",
    "name": "string"
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

Create a service annotation

POST /api/apm/services/{serviceName}/annotation

Create a new annotation for a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body Required

Responses

  • 200 application/json

    Annotation created successfully

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/services/{serviceName}/annotation
curl \
 --request POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "@timestamp": "string",
  "message": "string",
  "service": {
    "environment": "string",
    "version": "string"
  },
  "tags": [
    "string"
  ]
}
Response examples (200)
{
  "_id": "string",
  "_index": "string",
  "_source": {
    "@timestamp": "string",
    "annotation": {
      "title": "string",
      "type": "string"
    },
    "event": {
      "created": "string"
    },
    "message": "string",
    "service": {
      "environment": "string",
      "name": "string",
      "version": "string"
    },
    "tags": [
      "string"
    ]
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}









APM sourcemaps

Configure APM source maps.

Get source maps

GET /api/apm/sourcemaps

Returns an array of Fleet artifacts, including source map uploads.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

GET /api/apm/sourcemaps
curl \
 --request GET https://localhost:5601/api/apm/sourcemaps \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "artifacts": [
    {
      "body": {
        "bundleFilepath": "string",
        "serviceName": "string",
        "serviceVersion": "string",
        "sourceMap": {
          "file": "string",
          "mappings": "string",
          "sourceRoot": "string",
          "sources": [
            "string"
          ],
          "sourcesContent": [
            "string"
          ],
          "version": 42.0
        }
      },
      "compressionAlgorithm": "string",
      "created": "string",
      "decodedSha256": "string",
      "decodedSize": 42.0,
      "encodedSha256": "string",
      "encodedSize": 42.0,
      "encryptionAlgorithm": "string",
      "id": "string",
      "identifier": "string",
      "packageName": "string",
      "relative_url": "string",
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Upload source map

POST /api/apm/sourcemaps

Upload a source map for a specific service and version.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

multipart/form-data

Body Required

Responses

POST /api/apm/sourcemaps
curl \
 --request POST https://localhost:5601/api/apm/sourcemaps \
 --header "Content-Type: multipart/form-data" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --form "bundle_filepath=string" \
 --form "service_name=string" \
 --form "service_version=string" \
 --form "sourcemap=@file"
Response examples (200)
{
  "body": "string",
  "compressionAlgorithm": "string",
  "created": "string",
  "decodedSha256": "string",
  "decodedSize": 42.0,
  "encodedSha256": "string",
  "encodedSize": 42.0,
  "encryptionAlgorithm": "string",
  "id": "string",
  "identifier": "string",
  "packageName": "string",
  "relative_url": "string",
  "type": "string"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Delete source map

DELETE /api/apm/sourcemaps/{id}

Delete a previously uploaded source map.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    Source map identifier

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
  • 501 application/json

    Not Implemented response

    Hide response attributes Show response attributes object
DELETE /api/apm/sourcemaps/{id}
curl \
 --request DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}





Delete cases

DELETE /api/cases

You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • ids array[string] Required

    The cases that you want to removed. All non-ASCII characters must be URL encoded.

Responses

  • Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases
curl \
 --request DELETE https://localhost:5601/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43 \
 --header "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}




Search cases

GET /api/cases/_find

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

  • assignees string | array[string]

    Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.

  • category string | array[string]

    Filters the returned cases by category.

  • he default operator to use for the simple_query_string.

    Default value is OR.

  • from string

    Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • reporters string | array[string]

    Filters the returned cases by the user name of the reporter.

  • searchFields string | array[string]

    The fields to perform the simple_query_string parsed query against.

  • severity string

    The severity of the case.

    Values are critical, high, low, or medium.

  • Determines which field is used to sort the results.

    Values are createdAt, updatedAt, closedAt, title, category, status, or severity. Default value is createdAt.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.

  • status string

    Filters the returned cases by state.

    Values are closed, in-progress, or open.

  • tags string | array[string]

    Filters the returned cases by tags.

  • to string

    Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • cases array[object]

      Not more than 10000 elements.

      Hide cases attributes Show cases attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string | null

        The case category.

      • closed_at string(date-time) | null Required
      • closed_by object | null Required

        Additional properties are allowed.

        Hide closed_by attributes Show closed_by attributes object | null
      • comments array[object] Required

        An array of comment objects for the case.

        Not more than 10000 elements.

        One of:
        Hide attributes Show attributes
      • connector object Required

        One of:

        Defines properties for connectors when type is .none.

        Hide attributes Show attributes
        • fields string | null Required

          An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

        • id string Required

          The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

        • name string Required

          The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

        • type string Required Discriminator

          The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

          Value is .none.

      • created_at string(date-time) Required
      • created_by object Required

        Additional properties are allowed.

        Hide created_by attributes Show created_by attributes object
      • customFields array[object]

        Custom field values for the case.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique identifier for the custom field. The key value must exist in the case configuration settings.

        • type string

          The custom field type. It must match the type specified in the case configuration settings.

          Values are text or toggle.

        • value string | null | boolean

          The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

          One of:

          Minimum length is 1, maximum length is 160.

      • description string Required
      • duration integer | null Required

        The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

      • external_service object | null Required

        Additional properties are allowed.

        Hide external_service attributes Show external_service attributes object | null
      • id string Required
      • owner string Required

        The application that owns the cases: Stack Management, Observability, or Elastic Security.

        Values are cases, observability, or securitySolution.

      • settings object Required

        An object that contains the case settings.

        Additional properties are allowed.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string Required

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • status string Required

        The status of the case.

        Values are closed, in-progress, or open.

      • tags array[string] Required
      • title string Required
      • totalAlerts integer Required
      • totalComment integer Required
      • updated_at string(date-time) | null Required
      • updated_by object | null Required

        Additional properties are allowed.

        Hide updated_by attributes Show updated_by attributes object | null
      • version string Required
    • page integer
    • per_page integer
    • total integer
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/_find
curl \
 --request GET https://localhost:5601/api/cases/_find
Response examples (200)
{
  "page": 1,
  "cases": [
    {
      "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "owner": "cases",
      "title": "Case title",
      "status": "open",
      "version": "WzExMCwxXQ==",
      "category": null,
      "comments": [],
      "duration": null,
      "settings": {
        "syncAlerts": true
      },
      "severity": "low",
      "assignees": [],
      "closed_at": null,
      "closed_by": null,
      "connector": {
        "id": "none",
        "name": "none",
        "type": ".none",
        "fields": null
      },
      "created_at": "2023-10-12T00:16:36.371Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-12T00:27:58.162Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "description": "Case description",
      "totalAlerts": 0,
      "customFields": [
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My field value"
        },
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": null
        }
      ],
      "totalComment": 1,
      "external_service": null
    }
  ],
  "total": 1,
  "per_page": 5,
  "count_open_cases": 1,
  "count_closed_cases": 0,
  "count_in_progress_cases": 0
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Add a case comment or alert

POST /api/cases/{caseId}/comments

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json

Body object Required

The add comment to case API request body varies depending on whether you are adding an alert or a comment.

One of:

Defines properties for case comment requests when type is alert.

  • alertId string | array[string] Required

    The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • index string | array[string] Required

    The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • rule object Required Technical preview

    The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

    Additional properties are allowed.

    Hide rule attributes Show rule attributes object
    • id string

      The rule identifier.

    • name string

      The rule name.

  • type string Required Discriminator

    The type of comment.

    Value is alert.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/comments
curl \
 --request POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"type":"user","owner":"cases","comment":"A new comment."}'
Request example
{
  "type": "user",
  "owner": "cases",
  "comment": "A new comment."
}
Response examples (200)
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}




Update a case comment or alert

PATCH /api/cases/{caseId}/comments

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json

Body object Required

The update case comment API request body varies depending on whether you are updating an alert or a comment.

One of:

Defines properties for case comment requests when type is alert.

  • alertId string | array[string] Required

    The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • id string Required

    The identifier for the comment. To retrieve comment IDs, use the get comments API.

  • index string | array[string] Required

    The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • rule object Required Technical preview

    The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

    Additional properties are allowed.

    Hide rule attributes Show rule attributes object
    • id string

      The rule identifier.

    • name string

      The rule name.

  • type string Required Discriminator

    The type of comment.

    Value is alert.

  • version string Required

    The current comment version. To retrieve version values, use the get comments API.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
PATCH /api/cases/{caseId}/comments
curl \
 --request PATCH https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"id":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","type":"user","owner":"cases","comment":"An updated comment.","version":"Wzk1LDFd"}'
Request example
{
  "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
  "type": "user",
  "owner": "cases",
  "comment": "An updated comment.",
  "version": "Wzk1LDFd"
}
Response examples (200)
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIwNjM2LDFd",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "An updated comment.",
      "version": "WzIwNjM3LDFd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-10-24T00:37:10.832Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-24T01:27:06.210Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-10-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2023-10-24T01:27:06.210Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My new field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": false
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Delete a case comment or alert

DELETE /api/cases/{caseId}/comments/{commentId}

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • commentId string Required

    The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

  • Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases/{caseId}/comments/{commentId}
curl \
 --request DELETE https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 \
 --header "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Find case activity

GET /api/cases/{caseId}/user_actions/_find

Retrives a paginated list of user activity for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.

  • types array[string]

    Determines the types of user actions to return.

    Values are action, alert, assignees, attachment, comment, connector, create_case, description, pushed, settings, severity, status, tags, title, or user.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • page integer
    • perPage integer
    • total integer
    • userActions array[object]

      Not more than 10000 elements.

      Hide userActions attributes Show userActions attributes object
      • action string Required

        Values are add, create, delete, push_to_service, or update.

      • comment_id string | null Required
      • created_at string(date-time) Required
      • created_by object Required

        Additional properties are allowed.

        Hide created_by attributes Show created_by attributes object
      • id string Required
      • owner string Required

        The application that owns the cases: Stack Management, Observability, or Elastic Security.

        Values are cases, observability, or securitySolution.

      • payload object | null Required

        One of:
        Hide attribute Show attribute
      • type string Required

        The type of action.

        Values are assignees, create_case, comment, connector, description, pushed, tags, title, status, settings, or severity.

      • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/user_actions/_find
curl \
 --request GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find
Response examples (200)
{
  "page": 1,
  "total": 3,
  "perPage": 20,
  "userActions": [
    {
      "id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
      "type": "create_case",
      "owner": "cases",
      "action": "create",
      "payload": {
        "tags": [
          "tag 1"
        ],
        "owner": "cases",
        "title": "Case title 1",
        "status": "open",
        "category": null,
        "settings": {
          "syncAlerts": false
        },
        "severity": "low",
        "assignees": [],
        "connector": {
          "id": "none",
          "name": "none",
          "type": ".none",
          "fields": null
        },
        "description": "A case description.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "My field value"
          },
          {
            "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
            "type": "toggle",
            "value": null
          }
        ]
      },
      "version": "WzM1ODg4LDFd",
      "comment_id": null,
      "created_at": "2023-10-20T01:17:22.150Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "57af14a0-03b1-11ed-920c-974bfa104448",
      "type": "comment",
      "owner": "cases",
      "action": "create",
      "payload": {
        "type": "user",
        "owner": "cases",
        "comment": "A new comment"
      },
      "version": "WzM1ODg4LDFa",
      "comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
      "created_at": "2023-10-14T20:12:53.354Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "573c6980-6123-11ed-aa41-81a0a61fe447",
      "type": "assignees",
      "owner": "cases",
      "action": "add",
      "payload": {
        "assignees": {
          "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
        }
      },
      "version": "WzM1ODg4LDFb",
      "comment_id": null,
      "created_at": "2023-10-20T01:10:28.238Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ]
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}




Get case settings

GET /api/cases/configure

Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • Additional properties are allowed.

      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        Additional properties are allowed.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object
      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • Additional properties are allowed.

        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • Additional properties are allowed.

          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

            Additional properties are allowed.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        • The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Additional properties are allowed.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/configure
curl \
 --request GET https://localhost:5601/api/cases/configure
Response examples (200)
[
  {
    "id": "856ee650-6c82-11ee-a20a-6164169afa58",
    "error": null,
    "owner": "cases",
    "version": "WzEyLDNd",
    "mappings": [],
    "connector": {
      "id": "none",
      "name": "none",
      "type": ".none",
      "fields": null
    },
    "templates": [
      {
        "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
        "name": "template-1",
        "tags": [
          "Template tag 1"
        ],
        "caseFields": {
          "tags": [
            "Default case tag"
          ],
          "title": "Default case title",
          "category": "Default-category",
          "settings": {
            "syncAlerts": false
          },
          "assignees": [
            {
              "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
            }
          ],
          "connector": {
            "id": "none",
            "name": "none",
            "type": ".none",
            "fields": null
          },
          "description": "A default description for cases.",
          "customFields": [
            {
              "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
              "type": "text",
              "value": "Default text field value."
            }
          ]
        },
        "description": "A description of the template."
      }
    ],
    "created_at": "2024-07-01T17:07:17.767Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "updated_at": null,
    "updated_by": null,
    "closure_type": "close-by-user",
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "label": "my-text-field",
        "required": false,
        "defaultValue": "Custom text field value."
      }
    ]
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}




Update case settings

PATCH /api/cases/configure/{configurationId}

Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the case was created.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

application/json

Body

  • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • An object that contains the connector configuration.

    Additional properties are allowed.

    Hide connector attributes Show connector attributes object
    • fields object | null Required

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      Additional properties are allowed.

    • id string Required

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string Required

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string Required

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • customFields array[object]

    Custom fields case configuration.

    Hide customFields attributes Show customFields attributes object
    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

    • key string Required

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string Required

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string Required

      The type of the custom field.

      Values are text or toggle.

    • required boolean Required

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object
    • Additional properties are allowed.

      Hide caseFields attributes Show caseFields attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • Additional properties are allowed.

        Hide connector attributes Show connector attributes object
        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          Additional properties are allowed.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Additional properties are allowed.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

  • version string Required

    The version of the connector. To retrieve the version value, use the get configuration API.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • Additional properties are allowed.

      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        Additional properties are allowed.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object
      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • Additional properties are allowed.

        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • Additional properties are allowed.

          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

            Additional properties are allowed.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        • The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Additional properties are allowed.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
PATCH /api/cases/configure/{configurationId}
curl \
 --request PATCH https://localhost:5601/api/cases/configure/3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"version":"WzExOSw0XQ==","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":true,"defaultValue":"A new default value."},{"key":"fcc6840d-eb14-42df-8aaf-232201a705ec","type":"toggle","label":"my-toggle","required":false}]}'
Request example
{
  "version": "WzExOSw0XQ==",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": true,
      "defaultValue": "A new default value."
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "label": "my-toggle",
      "required": false
    }
  ]
}
Response examples (200)
{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzI2LDNd",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2024-07-19T00:52:42.401Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": true,
      "defaultValue": "A new default value."
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "label": "my-toggle",
      "required": false
    }
  ]
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case connectors

GET /api/cases/configure/connectors/_find

Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

Responses

GET /api/cases/configure/connectors/_find
curl \
 --request GET https://localhost:5601/api/cases/configure/connectors/_find
Response examples (200)
[
  {
    "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "name": "my-Jira",
    "config": {
      "apiUrl": "https://elastic.atlassian.net/",
      "projectKey": "ES"
    },
    "actionTypeId": ".jira",
    "isDeprecated": false,
    "isPreconfigured": false,
    "isMissingSecrets": false,
    "referencedByCount": 0
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}








Connectors

Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.

Get connector types

GET /api/actions/connector_types

You do not need any Kibana feature privileges to run this API.

Query parameters

  • A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/actions/connector_types
curl \
 --request GET https://localhost:5601/api/actions/connector_types
Response examples (200)
[
  {
    "id": ".gen-ai",
    "name": "OpenAI",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".bedrock",
    "name": "AWS Bedrock",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".gemini",
    "name": "Google Gemini",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity"
    ],
    "minimum_license_required": "enterprise"
  }
]
















Run a connector

POST /api/actions/connector/{id}/_execute

You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json

Body

  • params object Required

    One of:

    Test an action that acknowledges or resolves a PagerDuty alert.

    Hide attributes Show attributes
    • dedupKey string Required

      The deduplication key for the PagerDuty alert.

      Maximum length is 255.

    • eventAction string Required

      The type of event.

      Values are acknowledge or resolve.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.

POST /api/actions/connector/{id}/_execute
curl \
 --request POST https://localhost:5601/api/actions/connector/{id}/_execute \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}'
{
  "params": {
    "documents": [
      {
        "id": "my_doc_id",
        "name": "my_doc_name",
        "message": "hello, world"
      }
    ]
  }
}
{
  "params": {
    "subAction": "issueTypes"
  }
}
{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [
        "severity",
        "urgency"
      ]
    }
  }
}
{
  "params": {
    "subAction": "postMessage",
    "subActionParams": {
      "text": "A test message.",
      "channelIds": [
        "C123ABC456"
      ]
    }
  }
}
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "comment": "A comment about the incident.",
          "commentId": 1
        }
      ],
      "incident": {
        "caseId": "1000",
        "caseName": "Case name",
        "description": "Description of the incident."
      }
    }
  }
}
{
  "data": {
    "took": 135,
    "items": [
      {
        "create": {
          "_id": "4JtvwYUBrcyxt2NnfW3y",
          "_index": "my-index",
          "result": "created",
          "status": 201,
          "_seq_no": 0,
          "_shards": {
            "total": 2,
            "failed": 0,
            "successful": 1
          },
          "_version": 1,
          "_primary_term": 1
        }
      }
    ],
    "errors": false
  },
  "status": "ok",
  "connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}
{
  "data": [
    {
      "id": 10024,
      "name": "Improvement"
    },
    {
      "id": 10006,
      "name": "Task"
    },
    {
      "id": 10007,
      "name": "Sub-task"
    },
    {
      "id": 10025,
      "name": "New Feature"
    },
    {
      "id": 10023,
      "name": "Bug"
    },
    {
      "id": 10000,
      "name": "Epic"
    }
  ],
  "status": "ok",
  "connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}
{
  "status": "ok",
  "connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}
{
  "data": [
    {
      "label": "Critical",
      "value": 1,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Major",
      "value": 2,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Minor",
      "value": 3,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Warning",
      "value": 4,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "OK",
      "value": 5,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Clear",
      "value": 0,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "1 - High",
      "value": 1,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "2 - Medium",
      "value": 2,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "3 - Low",
      "value": 3,
      "element": "urgency",
      "dependent_value": ""
    }
  ],
  "status": "ok",
  "connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}
{
  "data": {
    "ok": true,
    "ts": "1234567890.123456",
    "channel": "C123ABC456",
    "message": {
      "ts": "1234567890.123456",
      "team": "T01ABCDE2F",
      "text": "A test message",
      "type": "message",
      "user": "U12A345BC6D",
      "app_id": "A01BC2D34EF",
      "blocks": [
        {
          "type": "rich_text",
          "block_id": "/NXe",
          "elements": [
            {
              "type": "rich_text_section",
              "elements": [
                {
                  "text": "A test message.",
                  "type": "text"
                }
              ]
            }
          ]
        }
      ],
      "bot_id": "B12BCDEFGHI",
      "bot_profile": {
        "id": "B12BCDEFGHI",
        "name": "test",
        "icons": {
          "image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
        },
        "app_id": "A01BC2D34EF",
        "deleted": false,
        "team_id": "T01ABCDE2F",
        "updated": 1672169705
      }
    }
  },
  "status": "ok",
  "connector_id": ".slack_api"
}
{
  "data": {
    "id": "aKPmBHWzmdRQtx6Mx",
    "url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
    "title": "TEST-457",
    "comments": [
      {
        "commentId": 1,
        "pushedDate": "2022-09-08T16:52:27.865Z"
      }
    ],
    "pushedDate": "2022-09-08T16:52:27.866Z"
  },
  "status": "ok",
  "connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}












Update an existing dashboard Technical Preview

PUT /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

application/json

Body

  • attributes object Required

    Additional properties are NOT allowed.

    Hide attributes attributes Show attributes attributes object
    • Additional properties are NOT allowed.

      Hide controlGroupInput attributes Show controlGroupInput attributes object
      • Show apply selections button in controls.

        Default value is true.

      • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

        Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

      • controls array[object]

        An array of control panels and their state in the control group.

        Default value is [] (empty).

        Hide controls attributes Show controls attributes object
        • Additional properties are allowed.

        • grow boolean

          Expand width of the control panel to fit available space.

          Default value is false.

        • id string

          The unique ID of the control.

        • order number Required

          The order of the control panel in the control group.

        • type string Required

          The type of the control panel.

        • width string

          Minimum width of the control panel in the control group.

          Values are small, medium, or large. Default value is medium.

      • Additional properties are allowed.

      • ignoreParentSettings object Required

        Additional properties are NOT allowed.

        Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
        • Ignore global filters in controls.

          Default value is false.

        • Ignore the global query bar in controls.

          Default value is false.

        • Ignore the global time range in controls.

          Default value is false.

        • Ignore validations in controls.

          Default value is false.

      • Position of the labels for controls. For example, "oneLine", "twoLine".

        Values are oneLine or twoLine. Default value is oneLine.

    • A short description.

      Default value is empty.

    • A container for various metadata

      Default value is {} (empty). Additional properties are NOT allowed.

      Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
      • Additional properties are allowed.

        Hide searchSource attributes Show searchSource attributes object
        • filter array[object]
          Hide filter attributes Show filter attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

            Hide meta attributes Show meta attributes object
          • query object

            Additional properties are allowed.

        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
        • sort array[object]
        • type string
    • options object Required

      Additional properties are NOT allowed.

      Hide options attributes Show options attributes object
      • Hide the panel titles in the dashboard.

        Default value is false.

      • syncColors boolean

        Synchronize colors between related panels in the dashboard.

        Default value is true.

      • syncCursor boolean

        Synchronize cursor position between related panels in the dashboard.

        Default value is true.

      • Synchronize tooltips between related panels in the dashboard.

        Default value is true.

      • useMargins boolean

        Show margins between panels in the dashboard layout.

        Default value is true.

    • panels array[object]

      Default value is [] (empty).

      Hide panels attributes Show panels attributes object
      • gridData object Required

        Additional properties are NOT allowed.

        Hide gridData attributes Show gridData attributes object
        • h number

          The height of the panel in grid units

          Minimum value is 1. Default value is 15.

        • i string

          The unique identifier of the panel

        • w number

          The width of the panel in grid units

          Minimum value is 1, maximum value is 48. Default value is 24.

        • x number Required

          The x coordinate of the panel in grid units

        • y number Required

          The y coordinate of the panel in grid units

      • id string

        The saved object id for by reference panels

      • panelConfig object Required

        Additional properties are allowed.

        Hide panelConfig attributes Show panelConfig attributes object
      • The unique ID of the panel.

      • title string

        The title of the panel

      • type string Required

        The embeddable type

      • version string Deprecated

        The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

    • A container for various refresh interval settings

      Additional properties are NOT allowed.

      Hide refreshInterval attributes Show refreshInterval attributes object
      • display string Deprecated

        A human-readable string indicating the refresh frequency. No longer used.

      • pause boolean Required

        Whether the refresh interval is set to be paused while viewing the dashboard.

      • section number Deprecated

        No longer used.

      • value number Required

        A numeric value indicating refresh frequency in milliseconds.

    • timeFrom string

      An ISO string indicating when to restore time from

    • Whether to restore time upon viewing this dashboard

      Default value is false.

    • timeTo string

      An ISO string indicating when to restore time from

    • title string Required

      A human-readable title for the dashboard

    • version number Deprecated
  • references array[object]
    Hide references attributes Show references attributes object

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • Show apply selections button in controls.

            Default value is true.

          • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • Ignore global filters in controls.

              Default value is false.

            • Ignore the global query bar in controls.

              Default value is false.

            • Ignore the global time range in controls.

              Default value is false.

            • Ignore validations in controls.

              Default value is false.

          • Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • A short description.

          Default value is empty.

        • A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]
              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • version string
PUT /api/dashboards/dashboard/{id}
curl \
 --request PUT https://localhost:5601/api/dashboards/dashboard/{id} \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"attributes":{"controlGroupInput":{"autoApplySelections":true,"chainingSystem":"HIERARCHICAL","controls":[{"controlConfig":{},"grow":false,"id":"string","order":42.0,"type":"string","width":"medium"}],"enhancements":{},"ignoreParentSettings":{"ignoreFilters":false,"ignoreQuery":false,"ignoreTimerange":false,"ignoreValidations":false},"labelPosition":"oneLine"},"description":"","kibanaSavedObjectMeta":{"searchSource":{"filter":[{"$state":{"store":"appState"},"meta":{"alias":"string","controlledBy":"string","disabled":true,"field":"string","group":"string","index":"string","isMultiIndex":true,"key":"string","negate":true,"type":"string","value":"string"},"query":{}}],"query":{"language":"string","query":"string"},"sort":[{}],"type":"string"}},"options":{"hidePanelTitles":false,"syncColors":true,"syncCursor":true,"syncTooltips":true,"useMargins":true},"panels":[{"gridData":{"h":15,"i":"string","w":24,"x":42.0,"y":42.0},"id":"string","panelConfig":{"description":"string","enhancements":{},"hidePanelTitles":true,"savedObjectId":"string","title":"string","version":"string"},"panelIndex":"string","panelRefName":"string","title":"string","type":"string","version":"string"}],"refreshInterval":{"display":"string","pause":true,"section":42.0,"value":42.0},"timeFrom":"string","timeRestore":false,"timeTo":"string","title":"string","version":42.0},"references":[{"id":"string","name":"string","type":"string"}]}'
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "attributes": {
    "controlGroupInput": {
      "autoApplySelections": true,
      "chainingSystem": "HIERARCHICAL",
      "controls": [
        {
          "controlConfig": {},
          "grow": false,
          "id": "string",
          "order": 42.0,
          "type": "string",
          "width": "medium"
        }
      ],
      "enhancements": {},
      "ignoreParentSettings": {
        "ignoreFilters": false,
        "ignoreQuery": false,
        "ignoreTimerange": false,
        "ignoreValidations": false
      },
      "labelPosition": "oneLine"
    },
    "description": "",
    "kibanaSavedObjectMeta": {
      "searchSource": {
        "filter": [
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "alias": "string",
              "controlledBy": "string",
              "disabled": true,
              "field": "string",
              "group": "string",
              "index": "string",
              "isMultiIndex": true,
              "key": "string",
              "negate": true,
              "type": "string",
              "value": "string"
            },
            "query": {}
          }
        ],
        "query": {
          "language": "string",
          "query": "string"
        },
        "sort": [
          {}
        ],
        "type": "string"
      }
    },
    "options": {
      "hidePanelTitles": false,
      "syncColors": true,
      "syncCursor": true,
      "syncTooltips": true,
      "useMargins": true
    },
    "panels": [
      {
        "gridData": {
          "h": 15,
          "i": "string",
          "w": 24,
          "x": 42.0,
          "y": 42.0
        },
        "id": "string",
        "panelConfig": {
          "description": "string",
          "enhancements": {},
          "hidePanelTitles": true,
          "savedObjectId": "string",
          "title": "string",
          "version": "string"
        },
        "panelIndex": "string",
        "panelRefName": "string",
        "title": "string",
        "type": "string",
        "version": "string"
      }
    ],
    "refreshInterval": {
      "display": "string",
      "pause": true,
      "section": 42.0,
      "value": 42.0
    },
    "timeFrom": "string",
    "timeRestore": false,
    "timeTo": "string",
    "title": "string",
    "version": 42.0
  },
  "references": [
    {
      "id": "string",
      "name": "string",
      "type": "string"
    }
  ]
}
Response examples (200)
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  }
}




Delete a dashboard Technical Preview

DELETE /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

DELETE /api/dashboards/dashboard/{id}
curl \
 --request DELETE https://localhost:5601/api/dashboards/dashboard/{id} \
 --header "kbn-xsrf: true"




Get data streams

GET /api/fleet/epm/data_streams

[Required authorization] Route required privileges: ANY of [integrations-read OR fleet-setup OR fleet-all].

Query parameters

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attribute Show items attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/epm/data_streams
curl \
 --request GET https://localhost:5601/api/fleet/epm/data_streams
Response examples (200)
{
  "items": [
    {
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Data views

Data view APIs enable you to manage data views, formerly known as Kibana index patterns.

Get all data views

GET /api/data_views

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views
curl \
 --request GET https://localhost:5601/api/data_views
Response examples (200)
{
  "data_view": [
    {
      "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
      "name": "Kibana Sample Data eCommerce",
      "title": "kibana_sample_data_ecommerce",
      "typeMeta": {},
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
      "name": "Kibana Sample Data Flights",
      "title": "kibana_sample_data_flights",
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "Kibana Sample Data Logs",
      "title": "kibana_sample_data_logs",
      "namespaces": [
        "default"
      ]
    }
  ]
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Create a data view

POST /api/data_views/data_view

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • data_view object Required

    The data view object.

    Additional properties are allowed.

    Hide data_view attributes Show data_view attributes object
    • Allows the data view saved object to exist before the data is available.

    • Hide fieldAttrs attribute Show fieldAttrs attribute object
      • * object Additional properties

        A map of field attributes by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object
    • A map of field formats by field name.

      Additional properties are allowed.

    • fields object

      Additional properties are allowed.

    • id string
    • name string

      The data view name.

    • namespaces array[string]

      An array of space identifiers for sharing the data view between multiple spaces.

      Default value is default.

    • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
      • * object Additional properties

        A map of runtime field definitions by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object
        • script object Required

          Additional properties are allowed.

          Hide script attribute Show script attribute object
          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object
    • The timestamp field name, which you use for time-based data views.

    • title string Required

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Additional properties are allowed.

      Hide typeMeta attributes Show typeMeta attributes object
      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

        Additional properties are allowed.

      • params object Required

        Properties for retrieving rollup fields.

        Additional properties are allowed.

    • version string
  • override boolean

    Override an existing data view if a data view with the provided title already exists.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • Additional properties are allowed.

      Hide data_view attributes Show data_view attributes object
      • Allows the data view saved object to exist before the data is available.

      • Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
      • A map of field formats by field name.

        Additional properties are allowed.

      • fields object

        Additional properties are allowed.

      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
          • script object Required

            Additional properties are allowed.

            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Additional properties are allowed.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

          Additional properties are allowed.

        • params object

          Properties for retrieving rollup fields.

          Additional properties are allowed.

      • version string
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view
curl \
 --request POST https://localhost:5601/api/data_views/data_view \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"My Logstash data view","title":"logstash-*","runtimeFieldMap":{"runtime_shape_name":{"type":"keyword","script":{"source":"emit(doc['shape_name'].value)"}}}}}'
Request example
{
  "data_view": {
    "name": "My Logstash data view",
    "title": "logstash-*",
    "runtimeFieldMap": {
      "runtime_shape_name": {
        "type": "keyword",
        "script": {
          "source": "emit(doc['shape_name'].value)"
        }
      }
    }
  }
}
Response examples (200)
{
  "data_view": {
    "allowNoIndex": true,
    "fieldAttrs": {
      "additionalProperty1": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      },
      "additionalProperty2": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      }
    },
    "fieldFormats": {},
    "fields": {},
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "string",
    "namespaces": [
      "default"
    ],
    "runtimeFieldMap": {
      "additionalProperty1": {
        "script": {
          "source": "string"
        },
        "type": "string"
      },
      "additionalProperty2": {
        "script": {
          "source": "string"
        },
        "type": "string"
      }
    },
    "sourceFilters": [
      {
        "value": "string"
      }
    ],
    "timeFieldName": "string",
    "title": "string",
    "typeMeta": {
      "aggs": {},
      "params": {}
    },
    "version": "WzQ2LDJd"
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}